Back on 3/1/12, I wrote a post on how ShopLAStyle.com was managing an attack from a malicious hacker. It turns out that this was an attack from a spammer. Here is an interview with Cynthia, the founder of ShopLAStyle.com, who talks about her company, what happened on that day, how social media helped her inform the people who received the spammy email, and what she has learned from this experience.
1) Could you tell me more about your company? How did you start? What’s your main market?
ShopLAStyle.com is an online store that I launched in 2003 out of a 1-bedroom apartment. Before launching ShopLAStyle.com I worked as a consultant, mainly in the dot com industry, developing e-commerce and custom software solutions for clients ranging from automotive companies to dot com startups. I am very proud to have survived what many people call the worst retail recession they have ever seen. I think one of the main reasons we survived when many others didn’t is because of how efficiently we run. Also, I tried to have a long-term vision for ShopLAStyle.com (something that was not embraced in the dot com world). What I’ve said many times in the past few days is that we would not have been in business for almost 9 years if we participated in spam email scams such as the one that occurred 3/1/12.
2) Could you explain what happened with the event related to the email about order 20399282?
A spammer who had access to a number of emails used our brand to send out a fake email order confirmation. The point of the email was to confuse the recipients by implying their Visa card information had been stolen in order to get the recipients to click on a link that looked like a shoplastyle.com link. The link was actually to a domain shoplastyle-clot***.com, which was registered the same day according to the whois information. None of the whois contact information, which I believe is fake, matches any of our whois contact information. I attempted to contact the company that was hosting the site in the UK but I never received a response. The items listed in the email confirmation are items that we sell and there is some text that makes me think the spammers got a hold of one of our real order confirmation emails. I have no idea why they picked us.
3) What was the reaction of your team? Could you describe that day?
Around 10am on March 1st I noticed that we were receiving multiple voice mail messages every few minutes. That kind of volume is not normal so I knew something was wrong. Because we had a similar incident 6 months earlier, right away I thought the spammers had targeted us again. The first thing I did was to change our voice mail message to address the issue. I knew there was no way my small team could handle returning all of the phone calls. This helped right away. The second thing I did was update the contact us section of the website. I knew that was where people would be looking. But the site was down. So my first priority changed from communicating to the recipients to restoring the website. I posted a quick message on Facebook but by the time I logged in there were already a number of angry wall posts from recipients. To be fair there were also a number of understanding and informational posts but the angry ones seem to be the most memorable. We spent the rest of the day responding to emails, Facebook posts, writing a quick blog entry and restoring the web site. It was a difficult day.
4) On your Facebook Page you mentioned that something similar happened 6 months ago, what happened then?
In September 2011 the same thing happened except that the volume was less. It didn’t bring the site down. They sent out just about the exact same email except it pointed to a domain shoplastyle-pa***.com which was pretty easy to shut down because it was hosted in the US. The response from the recipients was very similar except we didn’t have all of the Facebook posts and Twitter activity. I think we had only 1 or 2 Facebook posts that time and no Twitter activity.
5) There are some mentions on Twitter about a similar event happening with Lucky Brand. What are your thoughts on this?
It made me think that their attempt with our brand was successful enough to try with another brand. Sending email is cheap so even if they only have a few responses then it is probably enough for them to keep trying. My guess is that they will send more emails similar to this one.
6) What measures have you taken to improve security of your site? What is your strategy?
There were no security breaches on our end. However, we are adding an SPF record which would have really helped flag the email as spam because it was sent with a fake shoplastyle.com email address. But the Sept 2011 incident didn’t use a shoplastyle.com email address so this would not have helped in that case. We are also looking at some strategies to help keep the site available when there is a large surge of traffic. Of course, I could spend a lot of money buying new servers with more capacity just in case something like this happens again. But our current servers are able to handle many times more than our standard traffic and it wouldn’t be a good business decision to spend money that way.
7) People affected rushed to your Facebook page. Do you have people specifically assigned to social media management? Has this event affected your social media strategy?
We do not have specific people assigned to social media management right now. We did at one point when we had a larger staff. Because of the economy and overall slowdown in retail we are now running with a smaller staff. Truthfully, I haven’t reassigned social media to anybody because I wasn’t seeing much of a return on the effort we were putting towards it in the past. After this incident I do see the importance of maintaining a presence, particularly with Twitter. It was pointed out by a number of people that we hadn’t been on Twitter since November 2011. I don’t believe that much of our demographic uses Twitter but probably one of the biggest lessons I learned from this incident is to not ignore Twitter. Really, it doesn’t take that much effort to post to Twitter and it is an easy way to communicate with people. Like I said, lesson learned.
8) Based on this experience, what are your recommendations to e-commerce sites?
I would say the best way to be prepared for something like this is to have pre-written Facebook, Twitter and blog posts which can be posted quickly. You really can’t respond fast enough. I didn’t receive the email so I didn’t know about it until we started receiving a lot of angry messages.