In today’s episode of The Startup Chat, Steli and Hiten talk about how founders can deal with fraud in their startups.
Running a startup is difficult enough when everything is going smoothly. But when you’re a founder, sometimes things happen that, if not managed properly, can disrupt the flow of your business or worse. One of these situations is fraud.
In this episode, Steli and Hiten share their thoughts on what fraud is, things that every founder should know about it, preventative measures you can take, what to do when fraud happens and much more.
Time Stamped Show Notes:
00:45 Why this topic was chosen.
01:01 How Close dealt with fraud at the early stages of the business.
02:20 Why taking preventative measures is important.
03:45 How to identify potential problems that you could run into with your product.
04:00 An example of a fraudulent situation at Close.
05:27 Measures and tools you could use to prevent fraud.
06:46 Why fraud is not exclusive to big companies.
07:43 Why you should always take an alert seriously.
08:13 Why you should invest continuously in fraud prevention.
08:19 Why you shouldn’t stop when you detect one fraudulent user.
3 Key Points:
- Know where your risk is in your business.
- When an alert comes up, take it seriously.
- If there’s one fraudulent user, there are going to be more.
Steli Efti: Hey everybody this is Steli Efti.
Hiten Shah: And this is Hiten Shah.
Steli Efti: And in today’s episode of the Startup Chat we wanna tackle a little challenging topic and that is the topic of how do you deal with fraud, how do you handle fraud in your startup, right, and this is you know obviously a tough subject and it depends on what the situation is but the reason I wanted to talk to you about this Hiten is that you know the history of course we’ve always had to deal with some level of fraud, people trying now using some credit cards to sign up propriate accounts or even worse people doing some really with our software and so from a very early time we always had to like invest in fraud prevention and protection and had to like deal with this and just recently last few weeks we had some really big attacks going on, some really crazy shit and thankfully we have an amazing team and we are like tackling these things and stopping them further on, you know but it’s a huge pain in the ass and it has caused us probably over the years a lot of money to deal with this. So I thought because it’s a top of mind for me, I thought it might make sense for the two of us to talk about this from a very fundamental point of view because I think most Startup founders they don’t think about fraud, what could be done with their app, how somebody could take advantage of their app to cost them money, to make money to do some suspicious or just illegal stuff with it and so they might catch this when it’s way too late and it might cause some real trouble down the line so I thought we just cover some like basics, things that every founder should know, think through, how to deal with it preventively in the beginning but also what do you do once shit happens, you get a DDoS attack or some other crazy shit is happening to your app, you are totally surprised, how do you deal with this, maybe cover some of the basics and hopefully help some founders prevent getting into trouble at some point.
Hiten Shah: Yeah I think the first step preventively real quick is like, know where your risk is in your business, so if you are collecting credit cards, one risk is that people will try to run fake credit cards through your system. If you are using a service like Stride, there is a lot of protection built in, right, but it’s very similar to like, well you better make sure you have SSL certificate on your site, on those pages inside, you need that now for every site as per what Grooval says. So you know back then it’s like, you wouldn’t have, not every site would have a secure certificate back then means back in the day and they collect credit cards and no users would really trust it or they would be like insecurity there, right, so to me a lot of this has to do with knowing what business you are in and where the risk actually is, of fraud. A lot of people don’t think about that early, like in your case, like you guys are powering a whole bunch of stuff for your customers and if a customer is malicious they could use that and spam people, simply put, right?
Steli Efti: Yeah.
Hiten Shah: Well, that’s a risk, you should know of that risk and you should be able to monitor it and understand whether that’s gonna happen at least to some basic level in the beginning.
Steli Efti: Yeah I think that this is really key is like just sitting down and just making a list and thinking through, what are potential problems that we could run into or what are ways that somebody creative could use the app or the product we built to cause harm or issues right so in our case the people using fake credit cards and use the service, that was something we thought about was not a massive concern. One thing that we didn’t think of although it seems so obvious in hindsight, right, today I would think about this stuff but back then we were so inexperienced that we didn’t think about this was that our app offered you telephony so you could make calls and receive calls in the app and for trial users we offered free telephony. Some hackers found our app and they would use the app to call pay lines that they owned to incur costs on our end, it’s crazy so and the first time that we picked up on that was very lucky because we didn’t have an alert system in place to prevent this from happening, we just had one human being which is one of my co-founders being especially paranoid at all times which is something you could share with him, but he is especially paranoid to always checking you know the IPs of people that would sign up and always checking kind of the telephony stuff people were doing with the App and he just picked or found this. I think at that point they had created like an insane amount of cost I don’t even wanna say within like 24 hours and then we kicked them off the platform but then we started really. That was the real kick off for us that was going Holy Shit! We offered telephony, people could do all kinds of shenanigans with that to create a lot of costs on our end and for others.
We need to really invest in this and there is obviously internal tools that you can build, alert systems, things that you can do to prevent people from using your software in some way that causes problems for you and others, but there is also tools you can use, right, there’s applications and software out there that is really good at you know having a massive database and having a lot of data to flag the likelihood of a new sign up or account being fraudulent or being an account that could get you in trouble. So there is software that you can use to help you identify a potential fraudulent accounts, but there’s also just internal tools that you can build. But I think the most important exercise is just the basic exercise of sitting down and thinking through creatively. A bunch of hackers saw our product and they wanted to do each evil things with this or make money with this, what could they do, what could they possibly come up with, right and then just thinking through some ways to prevent these from happening. It’s so surprising and I remember when it happened I thought we’re such a tiny … And this was like four, five months into launching the product, I’m like, how do people even know we exist, we are such a tiny, tiny little startup somewhere and all of a sudden there is these hacker attacks and all these fraudulent accounts being created and all these telephony shenanigans, like how the fuck does everybody even know we exist? I thought that these problems would only happen to really massive companies like the Facebooks, the Twitters, the Googles, would have to deal with hackers and fraudulent accounts. 
But in today’s world, even if you are small you could run into that trouble so it’s really good to just before you launch think through some of the basic things you need to keep in mind and in the beginning obviously you could … Security itself is such a massive topic, you could have a massive team work on it every day for years and never be done with it but it’s important to just keep your eye on obvious things or at least put in some signaling things so you get alerted when weird behavior is happening on your app because if you found out too late it could be really a problem. We were lucky if my co-founder didn’t randomly look into an account and see this, and if it had gone on for like a week versus just 24 hours, it could have bankrupted us easily, right, so this shit is … We have to take this serious and come up with a list and put some things in place to make sure that you are on top of stuff, that you don’t get into real, real trouble.
Hiten Shah: That’s really where it’s at and I think another thing is just when it comes up take it seriously which is what you guys basically did. I see a lot of people just assuming, it’s fine like you know it will go away. Fraud doesn’t go away unless you do something about it, stop it, have preventive measures, it just never goes away.
Steli Efti: Yeah, it’s one of those things that in the beginning you gonna probably spend little time, little effort, little money on. As your business grows you gonna have to continue investing in it and once that one fraudulent, weird user… If there is one fraudulent user, there are going to be more so just by kicking off that one fraudulent user, your work is not done, you are not like we got rid of this weird entity of person, now we can go back to doing growth and PR like do the cool shit that’s fun and not worry about this. The moment that one person has found a loophole in your system or has found a way to abuse your system in some malicious way, there’s gonna be another person, there’s gonna be many more, it’s not gonna stop. So once it’s happening you have to take it really seriously, you have to address it appropriately. Don’t overreact in a way that, now we are not gonna let any user sign up for app unless they call us in a video call with their passport next to their face, right, ‘coz sending us their home address, like you can go crazy overboard obviously, that’s probably not a good idea but you have to take appropriate measures and the worst thing that you can do is to ignore it or take it lightly and think it was just an outlier, it was just one weird user, we fixed it, we kicked this person off, we don’t have to think or worry at all about this. This is not the fancy, shiny cool stuff about running a business or growing a tech company, but it’s the stuff that really matters as you grow, as you succeed so you gonna have to start small but probably continuously invest in the security of your platform and in preventing fraud from happening on your system.
Hiten Shah: Yep, I can’t agree more.
Steli Efti: All right, that’s it. It’s very basic stuff but even like I don’t remember ever reading any blog posts, any piece of or listening to any podcast episode that I was consuming. It’s insane amount of this stuff but like what it takes to run a SaaS business, how to start and all that and never heard any word, anything about fraud so I thought-
Hiten Shah: It’s all right.
Steli Efti: … Will be the change we wanna see in the world and I just wanna bring this up not to scare people but just to put it in their minds so people are more consciously aware of it, more cautious and do the few little things that can really put them in a strong and safe position with their business instead of just you know being too thoughtless when it comes to security and safety and all that and then running into massive problems down the line.
Hiten Shah: Yep, quick note, we had people checking credit cards using our system, so they get through and basically putting credit card numbers to see if they were real or not, because we are one of the few SaaS products that has a credit card upfront.
Steli Efti: I mean, it’s insane, people will find all kinds of ways to abuse your system.
Hiten Shah: Yeah so all of a sudden we were getting like hundreds of more sign ups unusual every day, sometimes thousands and we’re like what the heck is going on, so we had to deal with that. So anyways we dealt with the similar kind of issue, like just similar in the sense of fraud, that we just didn’t see coming so basically if you are watching your metrics and something is just wild, go look into that because usually that’s a key indicator so I wanted to add that last tip there.
Steli Efti: I love it, now that’s it from us, if you have any questions, if you ever run into any problems we are not like the world’s experts when it comes to fraud and security but we’re experienced founders and we’d like to be able to point you to some other people that are smarter. If there is anything we could ever do to help practically just let us know, hopefully you will never need us or anybody else on this but just be careful, mindful and thoughtful when it comes to fraud and security on your platform, that’s it from us for this episode until next time.
Hiten Shah: See yah.