This is a cautionary tale about a small business getting hacked. We tell this to show that it can happen to anyone and to give you a few tips that may prove helpful.
When you start a business, it’s not like playing house: it’s the real world and you are suddenly exposed to everything that comes along with it – especially when you have a web presence. If you’re like most new businesses, you’ll take on just about any job in the beginning to stay alive and say yes to a lot of things you shouldn’t.
When JFG first started, we were only doing advertising work, but one of our clients wanted us to develop an online incentive program for their sales force. This was completely out of our wheelhouse, but we agreed to it because it was a paying project.
Outside the Comfort Zone
We won’t bore you with the stories of trying to get that end of the business going but there were more than a few hiccups. We eventually got the program under way and started adding some pretty big clients to the list. However, we never tipped the scales where we could really have it take off as an independent business. We were outside of our comfort zone in terms of the business – but we kept going, slowly getting the hang of it. We were also noticing some deficiencies in the industry that we felt we could address with our program.
We decided to make the program quick and seamless to set ourselves apart from competitors; that way you could recognize someone in your company, give them points to spend, then they could spend them immediately on e-gift cards. The theory was the whole process would only take minutes instead of weeks. It worked well – too well as it turns out.
Along Came a Russian Spider…
All it took was some Russian hackers – yes, Russian hackers – one morning to bring it all crashing down. They figured out our system better than we could explain it to prospects. Over Columbus Day weekend, when they assumed we’d be closed, they attacked our program and made off with all the money we had in the account.
The first we learned of it was when a woman from Mississippi left an angry voicemail asking why we had charged her credit card. We called her back and discovered the Russians had used stolen credit cards to buy points on our program and trade them in for e-gift cards immediately. So what do you do when you get hacked – lose tens of thousands of dollars – and have no clue what’s going on?
Well, the first thing we did was call PayPal and tell them someone had used stolen credit cards on our system and that we wanted to reverse all the transactions immediately. The next call was to the FBI and they sent out three agents to interview us.
The next call was to our insurance carrier to put in a claim. There’s much more to the story – but the bottom line is we were pushed out of the incentive business in under 24 hours.
They Hacked What?
The second hacking – just five months later – was different. In fact, we had never heard of anything like this: one day all our phone lines were busy and inaccessible to us. In fact, all the lines had been lit up, busy, all day and couldn’t be used.
We called our phone carrier and learned that phone hackers from Cuba had dialed into our phone system at night, found the one line that didn’t have a passcode on it, then infiltrated our lines. They sold the number for dial-up internet, which people used for about 25 hours.
We were transferred to a “division” that actually dealt with this kind of theft. We were told it happened an average of 30-40 times per day to companies. They racked up almost $25,000 in phone charges in one day (thankfully, we didn’t have to pay this).
So we called our old friends at the FBI and let them know about this one too. There was really nothing they could do – but we wanted to report it anyway.
What Can You Do About It?
So, there’s a lot there – but here are some important tips for you – because if you’ve decided to start your own business, you are going to be exposed:
First off, you have to face reality: you will get hacked someday. It’s just a fact of the world we live in now. So don’t pretend you’re too small, too unimportant, too hidden – you are vulnerable. In fact, one of the FBI agents said he was so nervous about hacking that he refused to do online banking – to which we replied, “Does your bank do online banking?” If you think you’re safe, you’re not – your information is out there.
Second, it’s basic, but make sure you have strong passwords for everything – your phones, computers, all online interactions. It’s best to use a password service that will analyze your passwords so they’re not too simple or repeated. Again, this is not foolproof – but it will make things a bit more difficult for hackers.
Third, look carefully at the insurance coverages your insurance company offers. They will try to sell you everything, but there’s no way they can provide coverage for something they haven’t thought of yet – or that hackers haven’t done, I should say.
Fourth, back up all of your files and preferably have the backup stored someplace other than your office or house. While we didn’t get hit with ransomware attacks, you don’t want to have that happen and have nowhere to go.
And finally, don’t give up. You went into business to live your dream; don’t let thieves deter you from that. It will never make sense to us how some people’s idea of going to work is to steal from others; we just have to acknowledge they’re out there. This is the 21st century version of making sure your doors are locked – even though you know thieves can still break in if they want. So, good luck – lock your internet doors as best as you can and go do your thing.