How Getting Hacked Showcased Our Core Values

by | Feb 26, 2019 | JFG News

I’ve always been a fan of roller coasters. The anticipation as you near the top, the fear as you look around and realize how high you are, the cresting at the top of the hill as you watch those in front of you disappear, and then the stomach-churning drop followed by neck snaps, violent ups and downs and the slamming of the brakes just before you enter the station. What’s not to love, right? That’s why I suppose it was only natural that I would co-found a business one day so I could relive all those moments – every day, for the rest of my life. But here’s the funny thing about riding a roller coaster every day: you eventually get tired of it. And you begin to long for some days where there aren’t as many drops, turns and sudden stops. In my case, it was a search for some way to offset the wild ups and downs of cash flow that seemed to plague our advertising business.

I had a good friend who told me – as I was already on the coaster and approaching the first hill – to keep a close eye on cash flow, payables, receivables, profit margins and other things I never paid attention to as a copywriter. “Sure thing,” I said. And everything seemed fine. Until about two months in. That’s when the first drop came. And then every other month after that. We were up, then we were down, then we were really up, then we were really down. You get the picture. I would go from elation to despair – believing we were going to conquer the world and go bankrupt soon after. I suspect most startups and small businesses are similar – but I wouldn’t know because I only started this one business (lemonade stands not included). All I know for sure is that our business was destined to give me motion sickness if I didn’t do something about it.

What’s the Big Idea?

The thing I learned quickly about a service business like advertising is that to keep profitable, you had to find more work – duh. Finding more work meant finding more qualified people to do that work. But then, if you didn’t have enough work, you had qualified people sitting around with not enough to do. And to grow as an agency, you had to keep chasing both new business and new talent. It seemed endless. Many people dream of owning their own business someday. And everyone I know who owns a service business dreams of owning an online product company someday. Why? Because the thought of making sales while you’re sound asleep on a Saturday night seems like nirvana.

Such was my mindset during a meeting one summer in 2004. Our client was getting ready to cancel their internal sales incentive program because of a lack of participation (under 10 percent). Ordinarily, I wouldn’t have cared since we weren’t in that business. But I did care, because we were doing all the promotions for that program. So, I did what most entrepreneurs do: I bent the truth and told them we had an online program that would solve all their problems. When they bit, I frantically searched for programmers to create what we supposedly already had.

It took about six months, but we finally delivered and the participation jumped to over 90 percent within weeks of launch. I was happy as we had saved the promotional part of the campaign. The client was happy because they finally had something that would drive sales. Everything seemed fine and, honestly, I looked at this as just another project – not a new business venture. But I soon realized that other companies could benefit from this same program – and it was the closest thing I would get to being an online product company. While it was an online service – it still had the potential to grow without being tied to billable hours and personnel.

Cleared for Takeoff

It took a while to convince other companies to use the program, but it slowly began to take hold and we started getting clients from all over the place, with prospects ranging from small local to huge multinational companies. The turning point was when I noticed a major airline kept visiting our website. I can’t say who they are without running this past their legal team, but let’s just say the name begins with one of the first few letters of the alphabet. At first, I didn’t even believe they would be interested in our program – but they were. And that’s when things really started taking off. We picked up several other accounts and were building a good name for ourselves in the industry. We were a small player, to be sure, but we had a solid program with solid technology.

After several iterations of the program, we settled on a very simple system for both sales incentives and employee recognition. You could literally be recognized by a fellow employee or manager – or enter a sale that would get verified by the system – and then receive “points” which you could then turn into e-gift cards and then go shopping immediately. The whole point was increasing the speed from action to reward – and it really worked well. For a while …

The financial model for our incentive program – Payback Incentives – was not to charge a lot (in fact, we charged very little at all). Instead it was designed to make money in the aggregate – we were getting a small percentage off all the e-gift redemptions, so the more awards granted, the greater our profit. And it didn’t really require a huge staff – another benefit over the traditional service industry model. But it was a painfully slow process. We were profitable – but it wasn’t huge by a long stretch. Still, the incentive program was billing over $1 million per year and growing and the model seemed to be working. There were some “problem children” who required way more hand-holding than an online platform should require – but little by little, they weeded themselves out and we were left with clients who simply used the program as intended.

Hacker on Line One

One Sunday morning in October 2017, I woke up to a mound of emails showing an extraordinary amount of redemptions. In the incentives business, there are certain times of the year where redemptions are more frequent – but this wasn’t one of those times. Still, it seemed somewhat logical that about $55K in e-gift cards could be purchased in a four-hour period. By 11 a.m., the redemptions had stopped and all seemed normal once again – until the following morning.

I started getting some angry emails from people who were not signed up to use the system asking why we were charging their credit cards. Our head of development came in and said he thought someone had hacked our online payment processor and was somehow trying to use stolen funds to purchase points from our system. I called the payment processor and they confirmed that there were about $55K worth of transactions showing, but since they didn’t verify if the credit cards were legit or not, they couldn’t tell exactly where the funds were coming from. Then it got worse.

Our developer discovered that some Russian hackers (yes, Virginia, there are some rather nefarious people over there – and we did confirm they were from Russia) had compromised our system and basically stolen all the funds we had in the account that weekend. While $55K is not a lot to many companies – and it was not enough to shut us down either – it was the thought of losing everything so rapidly that truly scared me.

It took a few hours to unravel, but basically it went something like this:

  1. The hackers got into our program and set up three fake companies. This wasn’t supposed to happen, obviously. Our system required that any new company that wanted to sign up needed to be verified, and then given an approval and access into the system. They were able to bypass this and approve themselves.
  2. They then used stolen credit card numbers to purchase points on our program via our redemption processing account.
  3. They then set up fake email addresses that expired after just 30 minutes. These fake emails were then used to “grant” points from our system and then immediately redeem them for our catalog of e-gift cards. The redemptions started out as most credit card thefts do: for $1, then $10 and then they started redeeming in $500 and then $1,000 increments.
  4. Our e-gift provider held a balance for us for immediate redemptions. So even though they had stolen the $55K via compromised credit cards, they still needed to access our account because we had not transferred the new money over yet. That meant they were using other people’s stolen money to steal the money we were holding for our clients. Confused yet?
  5. Once they drained the account they had to stop with the redemptions. But the damage was already done: they had granted themselves the points, traded them in for e-gift cards to several large online retailers, and had them sent to email addresses that evaporated right after they ordered their prizes.
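
Each step in that sequence maps to a server-side check that could have held the redemptions. The sketch below is an added example, not code from Payback Incentives or from this post: a redemption gate that holds a request when the company approved itself, when the points are not yet backed by settled card funds, or when a new account's amounts jump the way step 3 describes. Every name, threshold and sample value in it is an assumption.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# All thresholds are assumptions chosen for illustration.
HOURLY_CAP = 500                       # USD per hour for accounts on probation
PROBATION = timedelta(days=30)         # how long a new company stays on probation
ESCALATION_FACTOR = 10                 # jump vs. previous redemption that looks like card testing

@dataclass
class Company:
    owner: str                  # account that registered the company
    approved_by: str            # account that approved the signup ("" if none)
    created: datetime
    settled_points: float = 0.0 # points backed by card charges that have settled
    pending_points: float = 0.0 # points bought by card, charge not yet settled
    history: list = field(default_factory=list)  # (time, amount) of allowed redemptions

def review_redemption(c: Company, amount: float, now: datetime) -> list:
    """Return the reasons to hold a redemption; an empty list means allow."""
    reasons = []
    # Step 1 of the incident: the fake companies approved themselves.
    if not c.approved_by or c.approved_by == c.owner:
        reasons.append("no independent approval")
    # Steps 2 and 4: gift cards were issued against unsettled card purchases.
    if amount > c.settled_points:
        reasons.append("exceeds settled funds")
    if now - c.created < PROBATION:
        last_hour = sum(a for t, a in c.history if now - t <= timedelta(hours=1))
        if last_hour + amount > HOURLY_CAP:
            reasons.append("hourly cap exceeded")
        # Step 3: $1, $10, then $500 and $1,000.
        if c.history and amount > ESCALATION_FACTOR * c.history[-1][1]:
            reasons.append("sharp escalation")
    if not reasons:
        c.settled_points -= amount
        c.history.append((now, amount))
    return reasons

def replay(c: Company, amounts, start: datetime, step=timedelta(minutes=5)):
    """Run a sequence of redemption amounts through the gate, one every `step`."""
    return [(a, review_redemption(c, a, start + i * step)) for i, a in enumerate(amounts)]

if __name__ == "__main__":
    t0 = datetime(2017, 10, 1, 7, 0)   # constructed timestamp
    pattern = [1, 10, 500, 1000]       # amounts as described in step 3
    fake = Company("acct-a", "acct-a", t0, pending_points=55000)
    real = Company("acct-b", "staff-1", t0 - timedelta(days=1), settled_points=2000)
    for label, co in (("self-approved", fake), ("staff-approved", real)):
        for amount, reasons in replay(co, pattern, t0):
            print(label, amount, reasons or "allow")
```

The self-approved company is held on every request, and even a properly approved new account is stopped once the amounts jump to $500.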

What Next?

One of the major benefits of owning your own business is that you get to make the decisions. That’s also the worst thing about owning your own business – because there is no one else to blame or turn to when faced with really difficult circumstances. You can’t just hide out in a cubicle and think, “Glad I don’t have to deal with that one.” The buck cannot be passed.

Once we had pieced together what happened, the decision tree was lit up and ready. But the question was what should we do first? And how do we determine the chain reaction of each decision? I’ve always been a fan of playing chess because I like to think in terms of multiple moves – not just one. But this was a new game for me. So I decided to deal with the payment refunding first.

While I was angry about losing the money, I also couldn’t hold anyone else hostage, so I called and had them reverse all the charges back to the credit cards. Thinking back on that later I realized that I may have unwittingly left some people’s cards vulnerable: if they received a charge from us on Sunday and it was reversed on Monday, there was a good possibility they may never realize their card was compromised. Not everyone scrutinizes their credit card statements as they should. Regardless, that was my first choice and it was done – the money was refunded.

Next, I needed to shut the program down. This was a little more difficult as we had a number of clients who were regularly using it – but I would deal with that later. In essence, we closed the barn door once the animals were safely in the hands of thieves – but it was turned off nevertheless. We also shut off the marketing website; the last thing I wanted was more people signing up or asking for a demo.

The next step was more of a formality, but I reached out to the local office of the FBI and arranged to have them come out that afternoon so I could describe what happened. More on that in a minute.

The next was the hardest part – calling up and resigning all the accounts we had. It wasn’t hard because of the money – on the contrary, we weren’t making a fortune to begin with. But I felt bad because each of the clients had trusted us. They were the early adopters that everyone always hopes to attract. They were willing to wait through some of the hiccups of the early days because they believed in the program. And they really liked it. The funny thing is, with a service business you tend to meet and get to know your customers in person. You have to because they need to know what you’re all about and if you can help solve their problems – and they want to know you’re for real. But with an online product/service business, you hardly ever meet your customers. Oh sure, I met some of the larger customers and the local ones. But the ones signing up from St. Louis, LA, Miami, Salt Lake City and more I never would meet.

The clients were all very understanding and sympathetic – but the conversation always ended the same: when will I get my money back? I promised them a full accounting and a refund – but first I had to tell the story to the men in black.

The FBI Comes to Town

Most people go their entire lives without ever having to call the FBI. I mean, seriously, what happens in your average day where you think you’ll need to get them involved? I had no idea if the FBI was the appropriate choice – but I gave them a call anyway. The agent who answered sounded as if I just told him we found Jimmy Hoffa in the basement – he couldn’t wait to help. Later that day, three agents showed up and I relayed what we knew at the time – and what we had done thus far. I told them I knew there was nothing that could be done – to which one of them responded, “We’ve got extradition procedures with a lot of countries – so you never know.” “With Russia?” I asked. “Well, no. Not with them.” So while they were very nice, and thorough and patient – I knew this was a lost cause.

We then talked for a while about the state of things – how a small business in Lockport, N.Y., could become the target of some well-orchestrated attack from hackers over 4,500 miles away, and how frustrating it was to try and run a legitimate business when someone could just shut it down in a few hours. I then said, “These guys made about $14,000 per hour. I guess crime does pay.” They nodded, and then collectively said, “Until you get caught.” True indeed.

For some people, the fear of getting caught is enough of a deterrent from taking part in criminal activities. For others, it’s just not the right thing to do and the thought of cheating someone simply does not cross their minds. I like to think I’m firmly in the latter camp. But for a select group, neither of those camps holds sway. Stealing is what they do. While I get up each day and try to figure out how to bring in more work to keep people employed, pay bills and raise families, others are looking at the quickest way to make a buck – legal or not. If that means shutting you down, so be it. After all, what difference does a company in Lockport mean to hackers from St. Petersburg? Nothing.

While the FBI agents gave me status updates every few months, there was ultimately no resolution from their side. But if we ever get hacked by someone in St. Louis or Albuquerque – or bump into Mr. Hoffa – I’ll know who to call.

Dance with the One that Brung Ya

Being an entrepreneur means you have to take risks. It’s a risk just starting a business, and you can’t expect the risks to end there. The difference is that in the early days it’s usually just a few people – in my case it was my partner and I – and you accept the fact that you may go out of business when you do something risky. As you grow, however, you find that others are depending on you to not put the company in peril – employees, clients and the families of both that rely on our work. I had a number of people tell me we should have stuck it out – that the program could have survived, and that we may have been able to really grow the company. And while that may have been true, I just didn’t have the stomach for it anymore.

Instead, we put our focus on growing our digital capabilities – from online ads, Facebook campaigns, website development and more – along with our traditional agency offerings. It seemed like a safer bet to stick with what we know (advertising and branding) rather than growing into a new business area. Some company owners like to refer to themselves as “serial entrepreneurs.” Personally, I hate that term. Because anytime you put “serial” in front of something, all I can think of is “killer.” My goal as a small business owner is not to keep moving from one idea to the next – selling companies and tossing people aside. It’s to focus on what we’re good at and bring value to clients while providing a stable work environment so good people have a home for their talents.

Lessons Learned

I got caught up in the frenzy of today’s internet-infused world and thought we could get things done the easy way. The truth is, there is no easy way. Even when it seems like someone just stumbled into a great business idea, there is so much happening behind the scenes to make that happen – and keep it going. What I realized is that we have skills and capabilities that people need and we need to stay within that wheelhouse to serve them. Just as we have a responsibility to the people who work with us, we have a responsibility to the clients we serve to stay on top of the latest trends in the advertising industry – and do right by them so they can achieve their goals.

We got lucky in that we strayed from our comfort zone to chase something that seemed shiny. It could have put us out of business, but we survived, and we came out with our integrity intact. Even in the midst of that whirlwind week, we put the customers first and did right by them. A client from Utah told me how amazed she was that we fulfilled our promise to refund their money – even though we could have just told them we weren’t liable. But that’s simply not something that would ever cross our mind because it’s not in our DNA.

So, my Russian rollercoaster ride ended up being a true test of how we would react under pressure. While it still amazes me that people wake up each day and think of ways to screw people over – I actually owe these trolls a bit of gratitude. Without them, I’m not sure we would have been able to take our ideals out for a spin and prove that they would hold up.

You can post pictures in your conference room or on your website of what your core values are and what you stand for in your business. But nothing can beat having a chance to live those values and stay standing. And that’s something the hackers and others like them will never be able to steal from us.