Easy Prey Podcast

Scams Targeting Website Owners with Liz Eisworth

“Any business that has a website can be targeted by scammers.” - Liz Eisworth

When you own a business, your website represents you. Scammers can prey on your emotions for their gain by sending false claims of copyright infringement or even other lucrative opportunities that are fake. Knowing what to look out for prevents their negative impact on you and your business. 

Today’s guest is Liz Eisworth. Liz is the founder of SangFroid Web Design specializing in web design, custom WordPress themes, SEO, and digital marketing. She works with businesses to understand all aspects of their website.

“The common thread in all these scams is that they are always preying on your emotions.” - Liz Eisworth

Show Notes:

“Always take a pause. If somebody sends you something that makes you feel panicked and worried about your business’s reputation, pause and think about it.” - Liz Eisworth

Thanks for joining us on Easy Prey. Be sure to subscribe to our podcast on iTunes and leave a nice review. 

Links and Resources:

Transcript:

Can you give myself and my audience a little bit of background about who you are and what you do?

Sure. I am the partner and lead web developer at a web agency in Atlanta called SangFroid Web. It's actually my husband and I, and we've been doing it for about 14 years. Working primarily with small- to medium-sized businesses is who we've dealt with for over a decade. We do mostly web design, online presence, social media, and search engine optimization. That type of thing.

Awesome. Let's talk about some of the common scams that you've run across, either that you've experienced or with your clients that are targeting that small business. I think we have different things target the Fortune 500, but let's talk about what people are doing against the small businesses.

For sure. Any business that has a website, especially if it's the owner themselves and they have a lot invested in it—it's their business and their website, it's basically them on the Internet—there are a lot of scams that target the emotions of the business owner and make them feel defensive and worried that they've done something wrong. We've seen so many of these that target small- to medium-sized businesses, perhaps because they don't have a lot of experience beyond running their business. The biggest ones that come to mind—and we can just go over each one of them one at a time—are the domain-slamming scam. I don't know if you want to talk about that first.

Yes, let’s just jump right on it. What is domain-slamming? I think I know what it is.

OK, what do you think it is?

Either people trying to take over your account at your registrar?

Yeah, that's basically it. These will come in the snail mail. It used to be exclusively snail mail that you would get these, but now you get them online through email and sometimes through your contact form on your website. Years and years ago, it was mailed to you, and it comes from different domain registrars, and it's not really illegal what the things are.

Essentially, it just comes to you and it's a solicitation, but it doesn't appear to be a solicitation right off the bat. It looks like it's an invoice or something telling you to hurry up and renew your domain name or it's going to expire and all these bad things will happen—you’ll lose your website. Somewhere on the document it says, “This is a solicitation. This isn't an invoice.” It's sort of scammy, it's not really a scam and outright an illegal thing.

That should be.

Yeah, but I won't say some of the popular company names that send these. They'll come in the paper mail looking like an invoice or they'll come to you in your email. The reason why they are able to get to you and send you the email saying, “It's going to expire. Please renew with us before it expires,” is that for the most part, when you register a domain, your information is public, unless you choose to register with privacy proxy obfuscating your email address. That's probably 90% of small business owners when they register their domain name.

The information is out there and basically the scam is that they're trying to scare you into renewing your domain with them when they are not your current registrar. They're trying to get to you before your domain renews as it normally should at your real registrar. They try to get you to enter into a contract with them, where they will take your money. It's usually more expensive than just renewing with your normal registrar. That's one part of it.

When they take over the domain and move the DNS and, essentially, the registration moves to their registrar, sometimes it can cause problems with your email. Depending on how your domain and DNS is set up, it could cause your website to go down. It could cause your email to stop working, just depending on what settings get changed when they take over your registration. It's not like an outright crime, but it's kind of unethical. We certainly refer to it as a scam.

I haven't gotten one of those physical mails in quite a long time. I own a couple of hundred domain names, so I constantly get those in the mail. I think one of the variations I've seen of it is, “Hey, someone has registered the same business name in China and <insert your name of country>, and to protect it, you need to register .cc or .cn.”

Exactly. I haven't seen that one in a while. It's not exactly the same, but it is similar. I'm not really sure in that case what they're trying to do is just get some money from you to register this other thing or scare you.

I think what every business person fears is that your business is in jeopardy. Someone's pretending to be you. If you don't do this, you're going to lose business.

That's a good one.

So you register a .cn that no one's going to be interested in…

Exactly. I forgot about that one. I haven't seen that in a while. But yeah, that is a common thread, I think, with all the scams, and the ones we'll get to in a minute is that they're always preying on your emotion, and that it's your business's reputation. You panic and it's just a human nature thing.

You talked about the domain privacy settings. It's interesting because one of the things that I used to do, and I would tell people to do it—I've started to rethink this or it's not as useful as it used to be—is that if someone was going to approach me, “Hey, I want to do business with you.” The first thing I would do is, “How long have they owned the domain name? Where are they located?” It used to be that I would tell people, “Well, if it's a proxy domain, if it's hidden behind privacy, that's a red flag.” Nowadays, it's almost like if you don't do it, then you start getting all these spam emails, all these snail mail letters.

I think that it can't stand alone as a red flag but in combination with some other things—like the domain is only three months old or it's only been registered for three months—that might be an indication that it's not legit. I've certainly seen that. Somebody reaches out to us to do something, sometimes a project or one of these scam type things. I will do exactly that.

Usually, it has to have something else like it hasn't been registered for very long. You can't find any information about this business on the Internet except for this domain. It’s usually in combination with other factors that could certainly be an indicator.

We actually recommend that most businesses register with privacy for that reason. Just because you get inundated with these types of scams just from scraping public data from the registrars, the ICANN, or wherever.

You also run the risk of social engineering against your registrar. I had this happen. I wanted to buy domain names where the person was able to call into the registrar, use my name, and provide fake government documentation. They got fairly far into my account enough that I got an alert. I was like, “What's this alert about?” I called in and they're like, “Oh, you're in the process of changing your account email address.” I'm like, “No, no, no, this is a scam.”

I was surprised that they put enough effort into social engineering the registrar and part of it was bought by the information that they had available from the domain name registration. They were able to use that as the starting point for social engineering.

Right, and cross reference and find other information. Yeah, for sure. We definitely recommend people to use privacy nowadays. It's not a red flag on its own anymore.

Someone today asked me about a business—“a company that helps you recover funds lost to scams.”

Oh, gosh.

That's a big red flag in and of itself. I looked at the website, and it's all really generic. It doesn't say who the owners are. There's no address listed. The domain is a proxy domain. They say they've been in business for 10 years, but the domain name was about a year old. Their Facebook account was two months old. Here's our Twitter, here's our YouTube. It just links to Twitter, it just links to YouTube. I’m like, run away.

Exactly. That's the kind of thin and flimsy online presence. It's really easy to set up quickly. This is a little bit different, but the calls that you get sometimes from Microsoft—I shouldn’t say that name—it's fake support, calling you and telling you they need to do something on your computer. If a lot of time you search for those types of businesses, you'll see that same flimsy presence online. If you don't know what you're looking for, it's very easy to be, well, they look legit.

That's definitely something that I see targeting small businesses. People who don't know how to do the research. What's our next scam that's targeting small businesses?

The next scam is one that's been going crazy over the last year or so. It is a phishing scam and it sometimes comes in directly as an email. Most often, it's submitted through a business' contact form on their website. It comes in that way and it is always a copyright infringement sort of threat. It started out probably over a year ago. We started seeing it from an illustrator, or photographer, and saying that you're using their illustrations or their photography on your website without their permission, and that they're going to sue you.

They say, “For proof, click here,” and there's a link. I never clicked on it, but you assume you're going to be taken somewhere where they're going to be trying to either install something on your computer or get you to enter details so that they can get some login information. It’s just your basic phishing scam. We've had probably dozens of clients. Our own clients have had this happen to them over the past year-and-a-half.

It has evolved, where now they're using more sophisticated language and quoting the DMARC copyright laws in the US and using all this legalese to make it really intimidating. The level of panic that it causes in a business owner is beyond. We've had dozens of clients it’s happened to and probably 20% of them clicked on the link because they panic and think, “What images am I using?” They click on the link to see what it is. In most cases, they know it's not true, but they want to prove it so they click on the link just without thinking.

What we always advise clients is whenever you get anything that is trying to elicit an emotion from you, they're trying to get you to act really quickly without thinking. The first thing you do is just stop, then look at it with more objective logical eyes when you're not freaking out.

“Whenever you get anything that’s trying to elicit an emotion, they’re trying to get you to act really quickly without thinking.” - Liz Eisworth

That one has been going crazy. The reason I say that is because we have an article written about it on our blog posts and the traffic you can just see that it's been through the roof in the past year. That's a bad one. I haven't had anybody click on the link and tell me. Most people when they click on it, they get there and it's already been taken down, whatever it was. I don't really know what the end goal of that scam is, if it's a form you get to when they're trying to get login details out of you or if it's actually just straight-up malware where they're trying to install something.

Or it could be they're just trying to get money out of you. “Just pay me $500 and I will go away.”

One hundred percent, yes. Could be that too.

The important thing is to distinguish this. If you don't have permission to use photos, that you just, “I just went onto the Internet and grabbed a photo”—you can't do that. I think generally there's a perception that if it's on the Internet, then it's public domain. “If it's on the Internet, of course I can use it.” Well, no. You don't specifically have permission to use an illustration, a photo, or some text.

Right. That's interesting that you bring that up because there are a lot of royalty-free stock photo sites. This is a little off-topic, but this past week we participated in this nonprofit weekend called 48in48. It's a bunch of teams getting together and building websites for nonprofits in 48 hours. They provide you with a lot of resources, which include links to these free stock photo sites. When we went there, they were trying to drive home the fact that, “No, don't just go to Google and get images, use these websites.”

When you go there, some of those websites had on them ads across the bottom that were ads for other stock photo sites, but it looks like it's part of the website. We had people on our team who were clicking on those and downloading those images. It wasn't clear that those were actually an ad and weren't part of the stock photo site. You have to be really careful that what you're using is royalty-free or in the public domain, or that you license it.

And there are lots of resources for both royalty-free and licensable images at a very reasonable price.

Yes.

It's not crazy.

Right.

I think associated with those copyright notices, I have a few trademarks so I will get the, “Hey, your trademark is not registered.” It was funny. The day my lawyer told me, “Hey, the trademark has been filed. You got approval.” The next day, I started getting letters of, “Oh, you need to spend $1300 to renew your trademark.” This can’t come from my lawyer. “Oh, hey, your trademark isn't valid in England until you give us $1000.” Oh my gosh.

That's the hazard of data and information that's out there. Obviously, your information went into the trademark database that's visible to lots of people somewhere, and they obviously took that. That's extremely common. I think that's how domain-slamming works. Usually, it's right after they register or before it's about to renew, somebody is querying a database somewhere and finding everybody who fits this description. “Just finished my trademark, and let me send them a message saying they need to give me money.” That sounds similar to how the domain-slamming thing works, where the data is there so people take advantage of it.

Historically, I have just been a suspicious person to begin with. I can't imagine if you're a small company, you might be a little bit more suspicious of these things just because, “Well, I'm the owner. I was the one who filed for this. What is this?” If you get to the point where you have accounting people and stuff like that, they might just, “Oh, it's an invoice and all these things look exactly like invoices.” […] three point font at the bottom, it does say, “This is not an invoice. This is an advertisement.” It sure looks like an invoice and it says “Invoice” on it.

Exactly. That's a really great point. Even just a small company where you have a couple of people. It doesn't even have to be a huge company. But like you said, if you have somebody who's in charge of the accounting, they could very easily pay that invoice and say goodbye to your domain.

Or your money and your domain and your business. What do we have up next?

The third-party payout scam. It's also known as a payment reversal scam. Actually, a client just got one of these today. This scam targets anybody—at least in my experience—who's a professional service provider. Not really somebody who sells products but somebody who offers a service, like web designers, video production company, accountants. Anybody who's just a professional services-type of business could be vulnerable to this.

The way this one works is that someone will reach out and contact you about a new project. It seems to be about a new project. Often, the email—I’ve mostly seen it come in almost exclusively via email or a contact form on a website. They sort of pepper you with a lot of details about the project, which I've seen so many of them now. These have a lot of the same phrasings and turn of phrase. The thing that I noticed is that they're providing a lot of detail without saying anything really meaningful. I feel like it's a distraction. Let me distract you with all these details in this request for a project.

I haven't seen this in a while, but for a while they would come from somebody who said they were hearing-impaired. They basically are providing a reason why they couldn't talk to you on the phone. That used to be a very telltale detail of this type of scam. Now we see them in all kinds of ways.

Essentially, the way this scam works is that they're trying to contract with you to do a project. This initial email is just that. They fill it up with lots of details, and they're just trying to see if they can get you to contact them back. When you contact them back and engage, then you get more details about the project.

They want an invoice. They want to know if you're the owner of the company. They want your cell phone number. They want you to send them an invoice then they're going to pay you. What happens when they pay you is they either overpay you on accident is one thing that happens, or they will ask you at that time if they can overpay you on purpose and have you pay their subcontractors on their behalf. Usually, there's a logistical reason that they give that this needs to happen. It would help them out because they're having some issues, et cetera.

What happens is that they're actually paying you with a stolen credit card, I think, almost exclusively, they're paying you with a stolen credit card. After they pay you there, they'll say, “Oh, can you pay my photographer and send this guy $2000? I'll pay you extra.” If you do it, then you send this person $2000. Basically, you just never hear from anybody again.

The owner of the stolen credit card will reverse all charges so all that initial money is yanked out of your account. You sent $2000 to a contractor and you'll never get it back because it was essentially probably the same person that contacted you the first time.

The other variation on that is they will just say, “Oh, I accidentally overpaid you. Can you refund me $2000” or whatever—some amount. When you refund them, same deal, they disappear. The person who owns the credit card—the one that was stolen—eventually the payments will get reversed and you're out all of that original money. It gets taken out of your account and then anything you paid or refunded to the person is gone.

I've been running a business in one form or another for 20-some-odd years. I have never accidentally overpaid anybody. I've accidentally underpaid people because sometimes you have a contract and it's $1000 a month, but on an annual basis, the contract resets. They up their rates and instead of $1000, it’s $1050. I just had it on autopay and it went out $1000, so I definitely underpaid. I've never accidentally overpaid. I did have one vendor accidentally double pay me.

I've had that happen before, too.

It was very clear that that had happened. I was like, “Feel free to reverse the charge on your end or just take it out of my next payment.”

If they ask you to “reverse the charge” – it should be a red flag.

I know you have to be very careful. In most cases, you know who your customers are. That type of scenario where you work with somebody on a project, you know who they are and you've spoken to them. But it can happen very easily in the world of Zoom and everything online that you don't know the person that you're working with, so you have to be super careful. We've had lots of clients contact us about this and say, “Does this seem right to you?”

We've gotten this scam attempt many, many, many times. We've even got a lot of clients, accountants, and other professional service–type people who have received this type of request. A couple of times, we will have gone back and forth, but then something always just doesn't seem quite right. Hopefully, people are suspicious enough to not really fall for it.

I can see how if you are just starting out and you're excited about getting a new project, especially on something like a web designer starting out. You can do your entire job virtually online. You don't really have to meet with people to build websites and do all those things. I could see how some people may fall for it because they're just eager and don't have the experience yet to know what sounds fishy.

I have a friend who is a web designer. He had that happen to him where the company approached him. “We want you to pay our subcontractors for us because the company only allows us to have so many subcontractors work on a particular project. We've maxed out these….” Very, very weird reasons. Like, “We can't pay two people for the same project,” for some weird reason. He was initially like, “OK, that sounds weird.”

Like what you were saying, they had so much detail. That is actually what caught his attention, because he's been doing web development for four decades. He's like, “No prospective client is ever that clear about what they want. They're like, ‘Well, I want it to look nice.’ You start asking questions, and they don't know. It’s a company that has never had a website built before. They're like, ‘Well, we don't really know what we want, what should we have?’” But this client has all this incredible detail. He's like, “This seems almost too good to be true. No client is that prepared when they're coming to a vendor.”

That was the thing that was funny to me. That was a bigger red flag than the subcontract. If it were just the subcontractor, I still wouldn't have done it. But because they had so much detail, they sounded so enthusiastic, and the rate they were paying me wasn't crazy above market. It was a little bit above market but not unrealistically above market. Sometimes, I have people who are like, “Oh, hey, I normally do this job for $50 an hour and I got someone who said without me trying to negotiate pay you $500 an hour to do it.”

It sounds great.

Yeah. If someone is willing to pay you 10 times your normal rate without you even negotiating, there's something strange going on.

Right. I found that one of the common threads is that they will always have a name for their company and it's always really close to a real business' name, but never exactly the same. If you were to google it, some other business comes up. It's not exactly the right name, but if you weren't paying attention, you’ll be like, “Oh, that must be them.”

That seems to be a common thread in that type of scam when we get it. They always provide an example. They'll say, “I want it to look like this website, or I want the video to look like this one.” I guess that just goes to them providing a lot of details. I think trying to distract and, “Oh, like, look at all this stuff over here I’m talking about.”

Look at this bright, shiny stuff. Don't look at the man behind the curtain that was […] reference.

Exactly. That's what it feels like to me when they do that.

Have you had many of your clients run across—they call them BEC scams or Business Email Compromise scams? In most cases, it's not a compromised email but where the accountant gets an email that looks like it comes from the CEO that says, “Hey, set up this new vendor, and send them $5000.”

No, most of our clients are smaller. I feel like they wouldn't fall for that. They're not a big-enough operation yet for that to be possible. Actually, we did have one client—they were a bigger company—and that was going on. It was exactly what you said, that somebody submitted invoices that just were illegitimate, but I don't really know the details if it was completely fake or if somebody within the company was trying to commit fraud. Either way, it's a scam, even if it's an inside job. That is another one that I've heard of.

It's easier for businesses that have a little bit of infrastructure, some distance between the people at the top and the people who are paying the bills for that to be possible to happen. I have heard of it. Luckily, we've not had anybody have to deal with that one.

It does impact some significantly large entity or some bigger, well-known companies. I know it was Barbara Corcoran, I think, on Shark Tank.

Oh, yeah. I remember hearing about that.

Someone created an email address that looked almost exactly like hers, used her signature. The person who's committing the scam was very familiar with her business. It was, “Hey, we have this new real estate transaction, and I need you to wire half a million dollars,” which was totally normal for real estate, and the accountant went off and sent off the half a million dollars.

I remember hearing about it. Insane.

The thing that surprised me is, unlike most people, she was able to get the money back because she was high profile enough. There were just enough intermediary banks, and they acted quick enough that they were able to finally get ahead of the transaction and stop it. For most people, if it's a $5000 transaction, your bank is not going to jump on it. That's not going to be their top priority. You're probably not going to notice it.

They play with your emotions!

It's interesting. It really highlights the social engineering aspect of all of these scams in one way or the other. Either they're able to get enough information to impersonate at a level that's just convincing enough—that whole aspect of social engineering—and also just preying on emotion. It's interesting how that's always a common thread seems to be.

There are three key things that seem to happen on almost all scams. There's the emotion, urgency, and there's very often an appeal to an authority. “I'm a lawyer, I'm your power company, I'm the government, and if you don't do this right now, something really bad is going to happen to you.”

Exactly. I think a proven psychological thing about humans is that we respect people in uniform, basically. If you have a clipboard, we're going to follow your instructions.

I probably have told the story on the podcast before, but there's a company I was working for. The company that owned the building emailed all the other tenants and all their properties and basically said, “Watch out for people coming into your office with a clipboard who just walk in.” They see a conference at the end of the hallway, and they just walk like they own the place. As they're walking by, they grab some woman's purse, and then just walk out the next door. Just because they look confident, and they're walking away. “I've got an appointment in the conference room.” “Oh, OK.” Nobody asked questions. They just wander right through the company.

I think one of the other ones that had happened was someone claiming to be here with the fire inspection. “We're not from the fire department, but we need to inspect the sprinkler system for all the tenants in the building. We'll just do a walkthrough and we just need you to sign this form saying that we did the walkthrough.”

If you're not paying attention, it's an invoice for the service. They just walk through and they do a fake fire inspection. They send off the invoice. You're on the hook because you signed it. Then you have to fight that it was fraudulent. The building owner was like, “Look, we own the building. Sure, if someone needs to come to do the inspection, we will tell you that they're coming first. Do not pay them any money. Do not sign anything.”

That's amazing. That same thing translates on the Internet if somebody speaks to you in an email in an authoritative way. Like you said, it's a lawyer or your domain registrar, and they're telling you something urgent. It's very, very tricky.

I think one of the precautions that I tell small business people is to always, always have good business practices, processes like anytime you're going to create a new vendor in your accounting system, somebody has to fill out a form. Super annoying, super obnoxious, but someone has to sign the form. Somebody has to say, “Yes, that is my vendor. Yes, I have an agreement with that company.” You don't want your accountant just like, “Oh, here's a bill. Let me just pay it,” whether it's a real bill or not.

Exactly. It's very simple. It could stop a lot of fraud that happens that way, whether internal or external. That sounds like a great idea.

“Just take a pause. If somebody sends you something that makes you feel panicked and worried about your business’ reputation.” - Liz Eisworth

Any other parting words of advice before we close out today?

Parting words of advice would be to always just take a pause. If somebody sends you something that makes you feel panicked and worried about your business' reputation. I've certainly been there when we've gotten those types of communications. So just take a pause, then think about, “Is this really real? Is somebody trying to take advantage of me?” I really think if people can do that, it could stop a whole lot of this type of fraud—the kind that preys on your emotions. I'd definitely say that.

Absolutely. If people want to find you and your business online, where can they find you?

You can find us at www.sangfroidwebdesign.com. The various socials are all at SangFroid Web.

Awesome. We'll make sure to link all of that in the show notes. Thank you so much for coming on the podcast today.

Thank you so much for having me. It was fun.
