We Were Maliciously Spammed (And Here’s What We’re Doing About It)

It may be the holiday season, but the surprise our team woke up to last week was not exactly the stuff of Christmas spirit. We discovered that a bad actor was spamming our emails in a rather malicious manner.

And while we’ve managed to put a stop to it before any real damage was done, the whole thing put a worse taste in our mouths than a cup of spoiled eggnog.

I say “spamming,” but really, what this person did is worse than that. Since it involved someone else impersonating us through our own emails, you could also consider it a form of identity theft.

As we all know, identity theft is not a joke.

In all seriousness, it sucks. It’s been a negative experience for us at Smart Marketer, and I feel especially bad for the people who have been affected.

Speaking of which: if you received a rude email from us recently, we sincerely apologize for your experience. You’ll be receiving an apology email from us soon, if you haven’t already.

But at the same time, this kind of stuff happens — especially as your company grows and attracts more attention. You have to be able to deal with these situations without getting thrown off your game.

With that in mind, we wrote this post to explain what happened, along with what we’re doing to fix it. So if you ever find yourself in a similar situation (and I truly hope you never do), you’ll be prepared.

Here’s What Happened

It was, fittingly enough, Friday the 13th when one of our teammates noticed that someone had been signing up for our email list multiple times, taking advantage of the first name field and email personalization to send rude emails to others.

In other words, this bad actor was signing up other people for our email list and entering inappropriate first names like “Bitch,” so that these people received emails like this:

We know we weren’t the only victims, because we got similar emails from several of the marketing agencies that we’re subscribed to.

But that’s not all.

A little later — after we got the email spam issue under control (see below) — this same person started using bots to spam our customer service channel.

To show you what that looks like, all these conversations were opened within minutes of each other, and all from the same location:

One question you may be asking is: Why? What’s the point in going to all this trouble just to possibly offend some people?

I wish I knew. Maybe they were planning on somehow turning it into a ransom payment; maybe they just wanted to cause a storm on social media.

Either way, they won’t be doing either. We caught the problem quickly and were fortunately able to nip it in the bud.

How We Dealt with the Problem

At the time of this writing, this is still somewhat of an ongoing situation. But here’s what we’ve done so far to limit the damage:

Step 1: Stare in confusion.

I’ll admit it took a minute to wrap my head around the fact that someone went to this length to send inappropriate emails for what seemed like no particularly good reason. But we couldn’t afford to waste time, so we took action immediately.

Step 2: Connect with the team.

The teammate who first noticed this was happening reached out via Slack to make sure everyone was aware and to get aligned on a solution. Once everyone knows what’s happening, they can all be on the lookout for ramifications across other channels (email, social media, etc.).

Step 3: Remove email personalizations.

We considered a few different ways to stop this from happening. Should we remove the “Name” field from our email opt-in forms? Set up a Klaviyo filter to block signups with certain flagged words? In the end, removing personalizations from all our automated emails was the fastest way to stop the damage for now — so that’s what we’ve done.

Step 4: Draft an apology to those affected.

Finally, we’re working on a follow-up email for anyone who received one of these rude emails. We want to make sure they know the email was a result of a spammer, and apologize for the negative experience.

Step 5: Turn on CAPTCHA for all our forms.

This prevented scripts and bots from running on forms, which successfully put a stop to the spamming on our customer service channels. (This was done later because the form spam came after the email spam.)

Step 6: Plan for the future.

When you’re in the middle of a situation like this, your first priority is to limit the damage as fast as possible — which might not necessarily be the best long-term solution. Once we were confident that the issue had been resolved, we then started to think about how (and if) we wanted to start reintroducing email personalization safely.
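One way to reintroduce personalization safely is to validate the first name before it is ever merged into an email, and to fall back to a neutral greeting on any doubt. The sketch below is an added example, not Smart Marketer's or Klaviyo's code; the function names, the 40-character limit and the placeholder denylist are all assumptions.

```python
import html
import re
import unicodedata

# Constructed placeholder denylist; load a maintained list in practice.
FLAGGED_WORDS = {"rudeword", "flaggedword"}
FALLBACK_GREETING = "Hi there,"
MAX_LEN = 40  # assumed limit
# Unicode letters, with single space / hyphen / apostrophe / period separators.
NAME_RE = re.compile(r"[^\W\d_]+(?:[ '\-.][^\W\d_]+)*\.?")


def normalize(raw):
    """Fold look-alike forms (NFKC), drop control/format chars, collapse spaces."""
    text = unicodedata.normalize("NFKC", raw)
    text = "".join(ch for ch in text if unicodedata.category(ch)[0] != "C")
    return " ".join(text.split())


def safe_first_name(raw):
    """Return a name that is safe to merge into an email, or None to reject."""
    name = normalize(raw or "")
    if not 1 <= len(name) <= MAX_LEN or not NAME_RE.fullmatch(name):
        return None  # digits, URLs, markup, template syntax, overlong input
    tokens = [t for t in re.split(r"[ '\-.]", name.lower()) if t]
    # Whole-token and joined-token matches only: substring matching would
    # reject legitimate names that merely contain a flagged word.
    if FLAGGED_WORDS & set(tokens) or "".join(tokens) in FLAGGED_WORDS:
        return None
    return name


def greeting(raw, html_body=True):
    """Render the salutation, falling back to a neutral one on any doubt."""
    name = safe_first_name(raw)
    if name is None:
        return FALLBACK_GREETING
    return f"Hi {html.escape(name) if html_body else name},"
```

Rejected names are never shown to anyone, so a false positive costs only a less personal greeting, which is why the check can afford to be strict.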

What Should You Take Away From This?

Thankfully, the odds of you ever being a victim of this exact same type of scheme are low. But it’s certainly possible that someday you could be targeted with another type of hack. If that happens, here are a few considerations you should keep in mind:

  • Do a security audit. Our accounts weren’t hacked per se, but attacks are common. Fortunately, most of them are easy to prevent with the right precautions. For starters, make sure you use strong passwords and 2-factor authentication on all your accounts.
  • Turn on CAPTCHA. It’s an easy way to help prevent spam and bots from submitting forms on your website.
  • Monitor your communication channels. If something like this does happen to you on email or social media, you want to spot it quickly and be able to get ahead of it before it starts to spiral.
  • Consider removing personalization tokens from your emails if this story makes you especially nervous.
  • Set up filters in your email service provider to block certain flagged words, if you’re able to.
  • Be honest and upfront with your customers (like we’re doing with this blog post). Most people will sympathize with you in these cases, especially when it’s not your fault.
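Monitoring can be partly automated. Both the list signups and the customer service spam described above came in bursts from one place, so a simple check is to flag any source that submits many different email addresses in a short window. This is an added example, not our production code; the sample events are constructed, and the field layout, the 10-minute window and the threshold of 3 are assumptions to tune against your own traffic.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed look-back window
MAX_DISTINCT = 3                # assumed: more addresses than this is a burst

# Constructed sample events: (ISO timestamp, source IP, email submitted).
EVENTS = [
    ("2024-01-01T09:00:05", "198.51.100.7", "a@example.com"),
    ("2024-01-01T09:00:40", "198.51.100.7", "b@example.com"),
    ("2024-01-01T09:01:10", "198.51.100.7", "c@example.com"),
    ("2024-01-01T09:02:00", "198.51.100.7", "d@example.com"),
    # One person retrying the same address: many submissions, one address.
    ("2024-01-01T09:03:00", "203.0.113.9", "me@example.org"),
    ("2024-01-01T09:03:20", "203.0.113.9", "Me@example.org"),
    ("2024-01-01T09:03:45", "203.0.113.9", "me@example.org "),
    ("2024-01-01T09:04:10", "203.0.113.9", "me@example.org"),
    # Shared office IP: several addresses, but spread over hours.
    ("2024-01-01T09:00:00", "203.0.113.20", "w@example.net"),
    ("2024-01-01T09:30:00", "203.0.113.20", "x@example.net"),
    ("2024-01-01T10:15:00", "203.0.113.20", "y@example.net"),
    ("2024-01-01T11:00:00", "203.0.113.20", "z@example.net"),
]


def flag_bursts(events, window=WINDOW, max_distinct=MAX_DISTINCT):
    """Return {source: time it first exceeded max_distinct addresses in window}."""
    recent = defaultdict(deque)  # source -> (time, address) pairs inside window
    flagged = {}
    for ts_raw, source, email in sorted(events):
        ts = datetime.fromisoformat(ts_raw)
        queue = recent[source]
        queue.append((ts, email.strip().lower()))
        while ts - queue[0][0] > window:  # expire entries older than window
            queue.popleft()
        distinct = {addr for _, addr in queue}
        if len(distinct) > max_distinct and source not in flagged:
            flagged[source] = ts
    return flagged
```

A flagged source is a prompt to hold its signups for review before any welcome email goes out, not proof of abuse on its own.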

Unfortunately, there’s no way to absolutely, positively prevent 100% of things like this from ever happening. 

But if you’re smart about your security, you pay attention to what you’re hearing from customers, and you learn from others’ experiences (like you are right now), then you’ll be in a good place to handle whatever surprises life throws at your business.
