Well it happened. Someone actually robbed me.
Several times actually.
I felt like I was in a western on a good ol' train robbery, surrounded by outlaws.
Apparently, I'm not alone either.
There have been others from our great GHL community who got robbed too. If you sell SAAS... you are probably a prime target. You should probably read this article to keep yourself from having a terrible, horrible, no good, very bad day like I did.
It didn't happen in the way you would think either. I wasn't held up at gunpoint.
(Although I wish they had, so I could have given them a piece of me.)
So how did I get robbed?
Fake Account Signups.
Here's how it works:
Step 1: Jerkwad Jimmy Conman heads over to your SAAS sign up page and sets up a free trial using a stolen credit card and fake details. Mine was a guy by the name Peter So.
Thing is... Peter So... was just a clever disguise and not this fella's real name.
Step 2: Once they are in, they upload a big honking list of cell phones and emails and spam the heck out of people on your dime. I'm talking tens of thousands of people at once.
But David, we've got Twilio rebilling! You sure do, young grasshopper! But it can still leave you with a problem: what if the stolen card goes through at first, and then the real cardholder charges it back?
Guess who wins that battle? It's certainly not you.
In my case, I got pretty dang lucky on timing, because I had just turned off auto-recharge in Twilio and my account only had around $500 in it when they deployed. They drained the account, but at least it wasn't much.
Others haven't been so lucky and had it far worse. They still had auto-recharge on. A few folks got hit with $6K bills from this very thing!
So to keep your fate from being the same as mine... I decided to own up to my robbery fiasco and start a new series on the ol' blog for my fellow agencies called Protect Yo' SAAS. It's like protect your ass... but with SAAS instead. A clever play on words for you...
I think it's important to not only learn winning strategies... but also ones where folks made mistakes too. This way you don't have to make them too!
We are going to talk about all things that can hurt your SAAS in this little series and how to prevent them. We will discuss things like fake account robbery, your emails going to spam, spam calling etc.
You know... all the stuff the gurus and thought leaders are scared to talk about.
So, onward!
Here are a few tips to keep this Twilio robbery thing from happening to you...
1. Vet signups.
Set up a workflow that notifies you of every new signup. If you get a random signup, look at their contact record and see how they came in. Did they click your ad? Or did they randomly find your page and sign up? If you are running ads in one area but getting signups from other, unrelated ones.... kinda SUSPECT. Does the name match the niche? The contact record shows their whole path to purchase. Does anything look off? These spammers aren't too brilliant, nor creative. Had I taken a closer look sooner, I'd probably have figured it out early on.
What we discovered is that the spammers would immediately upload a big list and deploy a text campaign. New users don't know how to upload lists right out of the gate.
Are they immediately uploading a huge list, or are they building funnels and other things too? An immediate bulk upload should be a red flag.
Are they SUS?
2. Talk to each signup.
Now, as part of my process, I do a bit of a welcome call with my SAAS customers. I call them, make sure they are a real person, and welcome them. You can have your team do this too. If you call and email and neither goes through, or you can't get hold of a live, coherent person... that is a big fat red flag; something's not right. I just remove any account I can't get through to.
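To make tips 1 and 2 repeatable rather than a gut check, here is an added example (my code, not the author's workflow or anything from GHL) that scores a signup record plus its first-day account activity against the red flags above: country outside your ad markets, no ad click in the path to purchase, a bulk contact import on day one, a text blast sent before anything was built, and no live person reachable. The field names, thresholds and the two sample accounts are constructed assumptions; swap in the columns of your own CRM export.

```javascript
// Added example (not the author's workflow): tips 1 and 2 as a scoring pass
// over signup records plus their first-day activity. Field names, thresholds
// and the sample data below are constructed assumptions; tune them to your
// own CRM export.

const AD_COUNTRIES = ["US"];          // assumption: where the ads actually run
const BULK_IMPORT_THRESHOLD = 500;    // assumption: contacts imported on day one
const DAY_MS = 24 * 60 * 60 * 1000;

// signup: { id, name, country, source, signedUpAt, welcomeCallReached }
// events: [{ type, at, count? }] from the same account's first hours
function vetSignup(signup, events) {
  const flags = [];
  const firstDay = events.filter(e => e.at - signup.signedUpAt <= DAY_MS);

  if (!AD_COUNTRIES.includes(signup.country)) {
    flags.push(`signup from ${signup.country}, outside the markets you advertise in`);
  }
  if (!signup.source || signup.source === "direct") {
    flags.push("no ad click in the path to purchase");
  }
  const imported = firstDay
    .filter(e => e.type === "contacts_imported")
    .reduce((n, e) => n + (e.count || 0), 0);
  if (imported >= BULK_IMPORT_THRESHOLD) {
    flags.push(`bulk import of ${imported} contacts on day one`);
  }
  const blasted = firstDay.some(e => e.type === "sms_campaign_sent");
  const built = firstDay.some(e =>
    ["funnel_created", "workflow_created", "calendar_created"].includes(e.type));
  if (blasted && !built) {
    flags.push("sent a campaign before building anything");
  }
  if (signup.welcomeCallReached === false) {
    flags.push("could not reach a live person by phone or email");
  }

  // Scoring is deliberately simple: a legit customer can trip one flag;
  // the pattern described in the post trips nearly all of them at once.
  const verdict = flags.length >= 3 ? "suspend-and-review"
                : flags.length >= 1 ? "review"
                : "ok";
  return { id: signup.id, verdict, flags };
}

// Constructed sample data modeled on the post, not real accounts.
const T0 = Date.UTC(2024, 0, 1);
const SAMPLE_SIGNUPS = [
  { id: "acct-1", name: "Lakeside Dental Marketing", country: "US",
    source: "facebook-ad", signedUpAt: T0, welcomeCallReached: true },
  { id: "acct-2", name: "Jimmy Conman", country: "IN",
    source: "direct", signedUpAt: T0, welcomeCallReached: false },
];
const SAMPLE_EVENTS = {
  "acct-1": [{ type: "funnel_created", at: T0 + 2 * 3600 * 1000 }],
  "acct-2": [
    { type: "contacts_imported", at: T0 + 10 * 60 * 1000, count: 20000 },
    { type: "sms_campaign_sent", at: T0 + 15 * 60 * 1000 },
  ],
};

function vetAll(signups = SAMPLE_SIGNUPS, eventsById = SAMPLE_EVENTS) {
  return signups.map(s => vetSignup(s, eventsById[s.id] || []));
}

// Run stand-alone: prints one line per account.
for (const r of vetAll()) console.log(r.id, r.verdict, r.flags.join("; "));
```

The useful property is that no single rule decides anything. A real customer in a new market, or one who skipped your welcome call, lands in "review", while the bulk-import-then-blast pattern from the story hits nearly every rule within the first fifteen minutes and gets suspended before the campaign finishes sending.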
3. Charge a $1 credit card authorization/ validation at signup.
The reality is... we can't prevent crappy people from doing this entirely, but we can make it more difficult. Scammers are lazy people. They want easy street. Don't give it to them.
So the man himself, Mr. Shaun Clark, taught me this strategy. You can do a card authorization to check the card at the start of a free trial. It basically runs a $1 charge to verify the card goes through. If the card declines when they sign up for a free trial, it won't let them in. It fails. Stolen cards get cancelled. That small charge can keep fake accounts from getting created.
It doesn't help you with chargebacks if the stolen card is still live, but it can cut down dramatically on the fraud through your SAAS.
4. Don't enable Twilio auto-recharge, even if you have a lot of accounts.
The only way they can take from you is what you offer them. If you only have so much in there... it kinda stops 'em dead in their tracks. That's why you should manually recharge your Twilio account. I know it's a bit annoying, but you get an idea of what you're spending and what you need every week. Make manually recharging every so often part of your process. If ol' Jimmy Conman somehow passes all of those checks... he will only be able to take so much, and he can't keep coming back to the pie without you noticing something's off.
5. Enable Twilio Rebilling. Pretty much a no-brainer. Clients should pay for their usage. It won't help much with fraud, but it can keep rogue clients from going wild on your dime. Checking usage per client is another good idea.
6. Watch Your VAs. Anyone with access to your account... can use it like their own. If you don't want them selling, stealing, etc., limit their access. Speaking of which, don't give them GOD-mode access to your stuff. They don't need full access to all accounts. Taking snapshots of your creations, using your resources, etc. are all things they can easily do with that access. Back in my days of using a different builder, I once found a VA deploying campaigns through my accounts for folks I had never heard of. I was basically paying for their access, domains, hosting, emails, etc. Yeah.... not cool.
7. Be aware. If something's fishy with an account... it might be worth looking into.
As with anything good, there's always some scammer jerkwad who is so pathetic and uncreative they have to resort to theft in order to make a profit.
8. Enable Stripe Radar. Stripe has protections that let you set up rules for accepting new transactions. For example, if the signup's location doesn't match the card's country, it can decline the transaction. Stripe Radar costs a little bit more per transaction, but it's well worth it.
9. Use our cool Script.
What we discovered was that most of the lovely individuals doing this were coming from the same countries. We were only marketing here in the US, and we got hit from both India and South Africa. I had a dev team write a script that detects where visitors are accessing the signup page from, and if they come in from a country on our exclusions list, it redirects them so they can only set up a demo rather than a trial or purchase. This way we can check them out first. It's not perfect, there are ways to defeat it, but like I said, it's about adding layers of protection and making it more and more difficult for them. In our case they didn't hide their locations, so this could have prevented the times they hit us.
I'm giving this out free to the community. Hope it helps protect you! ; )
Here is the code:
Copy code here: https://codepen.io/david-bustle/pen/xxpqyya
Directions:
1. Set up two signup pages on your site: one for free trials or direct signup, and another geared towards a demo. (The idea is to redirect visitors from countries you aren't advertising in so they can only set up a demo.)
2. Add the script to your core signup page (the one where they can actually set up an account).
3. Customize the script:
- Get an API key from www.ipregistry.co
- Add the two-letter (ISO 3166-1 alpha-2) codes of the countries you want to exclude; countrycodes.org has a list.
- Add in the link to your demo page.
Now when visitors hit the signup page, if they are from one of the countries you specify, the script automatically redirects them to the demo page and keeps them off the direct signup page.
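For readers who want to see the moving parts before pasting in the CodePen, here is an added example of the same idea, written by me and not copied from David's script. It assumes the ipregistry response puts the visitor's ISO 3166-1 alpha-2 code at `location.country.code` (check the provider's docs), uses a placeholder key and demo URL, and keeps the decision logic in plain functions so you can test it without a browser. The exclusion list starts with the two countries named in the post.

```javascript
// Added example: a browser-side country gate in the spirit of the post's
// script. NOT the author's CodePen code. Assumes the ipregistry JSON payload
// carries the visitor's ISO 3166-1 alpha-2 code at location.country.code
// (assumption; confirm against the provider's docs) and that the key is a
// browser-restricted key, since anything in this file is visible to visitors.
const IPREGISTRY_KEY = "YOUR_IPREGISTRY_KEY";     // placeholder
const DEMO_PAGE_URL = "https://example.com/demo";   // placeholder
// Countries you do not advertise in, upper-case ISO 3166-1 alpha-2 codes.
const EXCLUDED_COUNTRIES = ["IN", "ZA"];            // the two named in the post

function normalizeCountry(code) {
  return typeof code === "string" ? code.trim().toUpperCase() : null;
}

// Returns "redirect" when the visitor's country is on the exclusion list,
// "allow" when it is not, and "fail-open" when no usable country came back
// (lookup failed, ad blocker, quota exceeded). Failing open keeps real
// prospects off a dead page; the signup vetting steps still apply to them.
function decide(countryCode, excluded = EXCLUDED_COUNTRIES) {
  const cc = normalizeCountry(countryCode);
  if (!cc || !/^[A-Z]{2}$/.test(cc)) return "fail-open";
  return excluded.map(normalizeCountry).includes(cc) ? "redirect" : "allow";
}

// Pull the country code out of the provider payload (assumed shape).
function countryFromPayload(payload) {
  return payload && payload.location && payload.location.country
    ? payload.location.country.code
    : null;
}

// Build the demo URL, carrying the current query string along so UTM and ad
// attribution still land in the contact record when they book the demo.
function redirectTarget(demoUrl, currentSearch) {
  const url = new URL(demoUrl);
  const params = new URLSearchParams(currentSearch || "");
  params.forEach((value, key) => url.searchParams.set(key, value));
  return url.toString();
}

// Browser entry point: look up the visitor, then redirect or stay put.
async function gateSignupPage() {
  let outcome = "fail-open";
  try {
    const resp = await fetch(`https://api.ipregistry.co/?key=${IPREGISTRY_KEY}`);
    if (resp.ok) outcome = decide(countryFromPayload(await resp.json()));
  } catch (_) {
    // network error or blocked request: fail open, see note above
  }
  if (outcome === "redirect") {
    window.location.replace(redirectTarget(DEMO_PAGE_URL, window.location.search));
  }
  return outcome;
}

// Only run the network gate inside a browser; the pure functions above work anywhere.
if (typeof window !== "undefined" && typeof fetch === "function") {
  gateSignupPage();
}
```

Two caveats a practitioner would add to David's own "it's not perfect". First, this runs in the visitor's browser, so disabling JavaScript, blocking the lookup request, or sitting behind a VPN in an allowed country walks right past it; if your page builder gives you any server-side hook, the same country check belongs there too. Second, the API key ships to every visitor in the page source, so restrict it to your own domains in the provider's dashboard if that option is available and watch the quota, because a burned quota turns the gate into fail-open for everyone.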
Fraud won't go away no matter what industry you are in. But.... that doesn't mean you have to take it blindly, or stop moving forward because of it. You can take a few steps to keep it from happening. You just need to Protect Yo' SAAS!
- DB
1 comment
Hey man, I used the script on my GHL site to redirect from India. Hopefully it works. The country codes site you linked to doesn't work anymore, so I used them from here: https://support.cloudflare.com/hc/en-us/articles/217074967-Configuring-IP-Access-Rules?fbclid=IwAR0B7LMJeciXFmtY64NLW9I8LOxGzWPhn61gj7TGRjzw_zR5_QfoFmh9-KA
You should update that step. Fingers crossed it works!