My Startup was Laundering Money from Stolen Credit Cards
It's the realisation that every startup entrepreneur looks forward to: We've been scammed. Or perhaps not.
On the evening of Saturday 27 July, just as I was settling down to unwind for the weekend. We realised that one of our new customers had been using Get Invited to set up fake events and process thousands of pounds from stolen credit cards.
With this obviously unknown to us at the time, we'd been laundering the money and sending it to this fraudster via bank transfers.
This is the full story of everything that happened, including all of the emails that were sent. I'm sharing these so that you're aware of the risks of cybercrime for any online business and so you can spot warning signs early.
This could happen to any business that's processing payments on behalf of someone else, or even if you're simply selling goods online.
We, admittedly, had a flaw in our payment process and had made some mistakes that cost us a total of £2,844. We were also only a few days away from wiring another £3,820. It was painful, but it could have been a lot worse.
If we hadn't of caught this guy when we did, a few weeks later and we would have been looking at a loss in the tens of thousands.
Here's what happened
Wed 8 Jul 20:24
A new customer registered on Get Invited and three minutes later, he sent me the following email:
Asides from the poor spelling, there wasn't anything odd about this so I sent a courtesy email helping 'Akin' to get his first event set up.
Thur Jul 09:48
In hindsight, these next emails should have caused some alarm. We don't typically issue payments by bank transfer but we have done in the past for people we know. We're a customer focused business and we do everything we can to ensure they get their money as quickly as possible.
This was our first mistake. We should never have been doing this.
He then asks if we have our own payment gateway. Again, in hindsight, it's obvious why this was important to him.
Thur Jul 10:47
He sends over his bank account details to me in an email.
Thur Jul 11:07
The first credit card transaction goes through his account 20 minutes later. Sometimes new customers will purchase a test ticket to get a feel for the checkout process, so again nothing seemed too unusual about the immediate sale.
Wed 15 Jul 07:53
Akin emails me asking when he will be paid, I kindly let him know that he will receive his money in the next few days.
Thur 16 Jul 15:07
I wired the first payment of £502.60 to his bank account and sent a courtesy email to let him know that his money will be arriving imminently.
Thur 16 Jul 19:53
This is where things start to go wrong. He emails back stating that he didn't receive the full amount and demands that this be sent immediately.
I kindly explained to him that he hold money in escrow for 7 days and that an additional £2,280 would be paid to him next week.
Fri 17 Jul 07:48
A rare day off for me, to attend my friends 30th birthday party, begins with a series of angry emails from Akin demanding his money.
Fri 17 Jul 10:02
At this point, he was just an angry customer, and I continued to reassure him by email and do whatever I could to try and turn his experience into a positive one.
Fri 17 Jul 10:47
He responds, quoting an earlier email and demanding that 70% of his money is transferred immediately.
Fri 17 Jul 11:07
I responded, re-iterating the situation and explaining that unfortunately there was nothing we could about paying him early.
Fri 17 Jul 11:20
He may not know that i should be capitalised, but at least he can count days (and stolen credit card numbers).
Fri 17 Jul 12:14
I had to leave the house, so my co-founder David, sent Akin a lengthy email, again reiterating everything I said in more detail.
Mon 20 Jul 20:12
We received a chargeback request for one of the ticket purchases for his event. These are rare for us, but they do happen from time to time so we thought nothing of it.
Wed 22 Jul 14:11
He responds, this time with a more friendly tone but again requesting his payment.
Thru 23 Jul 10:43
I wired an additional £2,266.78 into his bank account and sent him an email to let him know.
By way of an apology (and to add insult to our own injury, I waived our commission on this transfer).
I also mentioned the chargeback to him, and asked him to confirm if the person named on the card was at his event.
Sometimes people buy tickets and try and get a refund via a chargeback. So if the person was there, it provided us with adequate evidence to dispute the chargeback.
Sat 25 Jul 20:13
We received a further two chargeback requests and a notification from our payment processor that one of the cards used was suspected to have been stolen.
At this point, alarm bells started ringing. We reviewed all 40 credit card transactions on his account and they were all made using credit cards in Brazil and Guatemala.
For an event in London? At 20:46 we suspended his account, froze the remaining money in escrow and sent him an email to let him know.
We later noticed that all the emails used to buy tickets were garbage.
Sun 26 Jul 12:00
I notified our bank about what had happened, at this stage I'd wired £2,769.38 without knowing the money was from stolen cards.
Unfortunately there was nothing the bank could do, they advised me to call the police to avoid being implicated in fraud. The police then invited me to make a formal statement the following day.
Mon 27 Jul 09:01
We received another notification from our payment processor of another potentially stolen credit card. More chargeback requests started rolling in.
Every chargeback costs us £15 + the processing fee. For some single transactions this was over £30, totalling in excess of £800 of potential chargeback fees.
At 09:15 we made the decision to pre-emptively start refunding all of money to the credit card holders. This saved us from incurring additional chargeback costs.
Fortunately we still had £3,820.51 of the money held in escrow, so we were able to use this to refund the bulk of the transactions.
The £2,769.38 I wired via bank transfer? Gone. We had to fund those repayments out of our own pocket.
Mon 27 Jul 10:00am
During our research on this person, we discovered that he was running the same events on other ticketing platforms, so I sent each of them a courtesy email to warm them.
Mon 27 Jul 14:30
We met with the police to give an official statement. We went armed with Akin's IP address, bank account details, phone number – every piece of information that we had, even though it's all probably fake.
This whole experience cost us £2,844 (including the chargeback fees) but we were EXTREMELY lucky.
We uncovered this after 2 weeks, but it could have easily went on for months, and in that timeframe, we would have transferred tens of thousands of pounds and been in serious trouble.
So what have we learnt?
We had a flaw in our business that left us vulnerable to this kind of attack. We have since had to cease all payments via bank transfer. We still offer a competitive 7 day payout window but customers have to use Stripe Connect. (Stripe protects us from fraud, which is why Akin was so keen to avoid connecting a Stripe account).
We're now working closely with Stripe and the police, and all of the credit card owners have had the money refunded to their cards. Unfortunately we have no contact details for any of them, so we can't warn them that their card details have been stolen.
Before this happened, we never even considered this kind of thing would happen to us. We assumed that these kinds of people would only attack big companies, but we were very wrong.
And finally, to our surprise, Akin responded to our last email notifying him that his account had been suspended.