My Stripe Account Was Hacked and Stripe Said I Have To Repay $70K

Shannon Mattern: Welcome to the Profitable Web Designer, a podcast for web designers who want to work less and make more money. I'm your host Shannon Mattern, founder of the Web Designer Academy, where we've helped hundreds of web designers stop under charging, overworking, and create profitable, sustainable web design businesses.

Shannon Mattern: Hey there, welcome back to the Profitable Web Designer Podcast. And this week I have a little bit of a different episode for you. I had something pretty serious happen in my business that I wanted to share with you just as a, I don't know, a cautionary tale. I guess some of you ha may have heard on my last episode that I published here with Josh Hall back in episode 41, overcoming Business Obstacles where I talked about this situation where my Stripe account was hacked. And I said that I'll probably do a podcast episode detailing the whole entire story for you because one, I had no idea that this was even like the level of risk that it is to my business, that it was to my business as it is. I had no idea something like this could happen to me as a customer of Stripe, the third party payments processor.

Shannon Mattern: But also for all of you that are listening to this, that not only operate your own online business, probably using some kind of connection to Stripe as a payment processor, but also all of your clients, like Stripe is one of those tools that is like integral to running your business online. It's ubiquitous, it's everywhere, every tool out there integrates with it, you know, all of those things. And so I bet that like 90% of not only my listeners, the people in our audience, but like your clients as a web designer probably are using Stripe to collect payments. And so I just wanted to like put this out there and let you all know that this happened to me and so that you can try to protect yourself and just be aware that if you choose to use Stripe, this can happen to you and what is going on and like where we're at in the process.

Shannon Mattern: So let me just take you back in time to the Monday after the Easter holiday. I'm just like sitting on my couch quietly scrolling my phone, sipping my coffee, snuggling with my dog. I'm going through my normal morning entrepreneurial routine of like sipping coffee, checking my emails and dms on my business accounts. And for those of you who might be new to me in this podcast, because , you heard this story and someone's like, oh my God, you gotta go listen to this podcast. My name is Shannon, mad . I started my business back in mid 2014 as a freelance web designer, you know, set up fresh books, connected it with Stripe to be able to collect payments from my clients. And I started working as a freelance web designer and you know, I was making, I probably made less than like $6,000 that first six months in business and not the subject of this podcast episode specifically my business was a hot mess.

Shannon Mattern: I did not know how to like run it. I was working all the time. It was crazy. I was like, oh my gosh, I don't know how to do this. But what I can do is teach any entrepreneur how to build their own website, right? So that they could create freedom, flexibility, and financial independence. So I started a like a, a tutorial, right? So I, I created this thing called the Free Five Day Website Challenge. We don't keep that updated anymore, but we did that from 2015 all the way through 2022. And we taught people how to build websites with WordPress and off the back end, like we earned affiliate commissions, we gave that training away for free. We earned affiliate commissions. My business evolved to sell courses and trainings and digital products and templates and all kinds of things related to building your website and your marketing systems and everything online.

Shannon Mattern: And not only did I use Stripe to process all of those payments, a lot of the tools and tech that I recommended, all of those tools integrated with Stripe. So I, you know, I'm like, oh yeah, so super easy to like get your payments set up. You just use this company and you just set up an account and they take 2.9% plus 30 cents per transaction and boom, you're in business, right? So I was like, this is brilliant. It like levels the playing field and just lets everybody like get online, run their business. So I was using Stripe, my clients were using Stripe, my custom, the people I was teaching were using Stripe. And my company has since grown from me teaching people how to build their own websites to me teaching freelance web designers how to run a web design business through the Web Designer Academy.

Shannon Mattern: It's gone from just me solopreneur side hustler to me and two employees. We've helped probably tens of thousands of women get their businesses online. We've helped thousands of women web designers run profitable, sustainable web design businesses. And not only have we generated over a million dollars in revenue in our lifetime, we have collectively helped so many women create freedom, flexibility, and financial independence and generate millions and millions of dollars and spend more time with their family and do what they love, right? And so I'm so proud of all of the work that we have done. And so like I said, a company like Stripe has been absolutely integral to like my business since its inception and I've been using them for for eight years, right? So chilling on my couch the Monday morning after the Easter holiday, we had spent the day before with friends and family just hanging out.

Shannon Mattern: And then in the morning I'm just checking through everything like I normally do and I'm like, I scroll through my email and I see subject line action required closure of your Stripe account. And I'm like, what is this? So I oh, and I'm like, this seems like a scam. , right? I'm like, ah-huh, sure. Like send me an alarming email, get me to click on something, steal all of my information. So I open it and it reads, we recently identified payments on your Stripe account that don't appear to have been authorized by the customer, meaning that the owner of the card or bank account didn't consent to these payments as a precautionary measure, we will no longer accept payments for your company. We will also begin issuing refunds on card payments on April 15th, 2023. Although they may take longer to appear on the card holder's statement, please refer to your dashboard for a list of the charges that will be refunded.

Shannon Mattern: If there are insufficient funds on your account to cover any refunds, those refunds won't be processed and any outstanding funds will remain in your account. If you believe that we've misunderstood or miscategorized your business and would like us to conduct another review of your account, please complete the form on your Stripe dashboard to provide more information about your business. If you have any questions, you can contact us anytime from our support site. So I'm like, okay, this sounds like a phishing scam. So I check out the from address, you know of the email and I click into it to see that it's actually coming from like accounts stripe.com. You know how like you get random emails and if you actually look at who it's from, it'll be like from a fake address, right? That looked legit. Then I open up my laptop and I log into Stripe from a separate browser because I'm not clicking on any link in that email , right?

Shannon Mattern: You know, just in case. And after like I get my authenticator app open because I have two factor authentications set up on my Stripe account and I see the notice at the top of my account asking me to provide proof that I'm the owner of the business. They're asking for bank statements with my address on it and they're asking me, I think for like maybe my e i n letter and maybe my articles of incorporation. They asked me for like several legit pieces of documentation. So I'm like, okay, let me get all and it's like six o'clock in the morning at this point. So I'm like, okay, let me get all that stuff together. Like I keep it handy as a business owner, I need to be able to have that stuff ready. So I submit all that and then I'm just like looking at the balance tab, right?

Shannon Mattern: Like the successful payments and I'm like nothing is out of the ordinary here. All of the successful payments listed are from students in the Web Designer Academy who have been making their monthly membership payments like clockwork. I'm looking at, I'm like how are these unauthorized? Then I'm looking at failed payments and I'm like, okay, so like failed payments, like nothing in here out of the ordinary. And I'm like, this just must be a mistake. Like I've been a customer of Stripe for eight years. I'll submit all the documentation they requested. I'm sure that'll take care of it. So I submit the documentation, get right back to like snuggling scrolling. You know, part of my morning routine is like I check my, I use, you need a budget for like monitoring my finances. And so that's one of the things I typically like open in the morning.

Shannon Mattern: I'm like, okay, what transactions came through? Like categorize those. Like I just rubbed my dog's ears and drink my coffee and do that stuff, right? So I open up Winab and I see a withdrawal from my business checking account from Stripe for like over $600 and I'm like, why are they taking money out of my bank account? And then I see another pending transaction for a withdrawal of over $2,000 and I don't see any like money going in from the payments that were made by students like that Friday before and over the weekend, like those renewal payments. I'm like why are they taking money out of my bank account? Like what is happening? So like I go back and I read the email again and I read the part where it's like, oh we'll begin issuing refunds on card payments starting April, whatever. And if you have insufficient funds, any outstanding funds will remain in your account.

Shannon Mattern: But like they're starting to pull money outta my bank account, my business bank account. And I'm like, okay, I start to feel like the anxiety bubbling up. I can feel it again right now as I'm like telling you this, but I tell myself, just be patient once they review all the documents I submitted and I prove that I am who I say I am, this will all get resolved. , I'm so naive. So a few hours later I receive another email, the subject line is additional review completed for Stripe Shop. And I'm like, awesome. Okay cool, I'm glad they took care of this so quickly. So I click into the email and my heart just starts pounding like I couldn't even believe what I was reading. And it said thank you for providing additional information about your business after reviewing your account again, we've confirmed that your business represents a higher risk than we can currently support.

Shannon Mattern: We are unable to accept payments for your company moving forward. Payouts to your bank account have been paused and we will issue refunds on any card payments by May 10th, 2023. Although they may take longer to appear on the cardholder statement. If there are insufficient funds on your account to cover any refunds, these refunds will not be processed and any outstanding funds will remain on your account. Please refer to your dashboard for a list of charges to be refunded. If you'd like to further appeal our decision, please contact us. So I can just feel the panic rising in my body and I'm like, what is happening? So I tap on the Stripe app on my phone and I see that there's like a negative payout balance of multiple thousands of dollars, but all of the transactions listed in the app are legit transactions from students that I know who I see every single week.

Shannon Mattern: Like I they're it's my customers are not strangers, right? So I lock back into my Stripe account on my computer and I'm like trying to figure out like what in the world are they talking about? What are all these charges that they're saying are unauthorized? And I'm looking for a phone number that I can just like call to talk to someone to further appeal the decision. So I just start scouring my Stripe account, I start clicking through every link in my Stripe dashboard, like from the top to the bottom, from the left to the right. I click on every single link. So I get to this menu item that's called Connect, and I click on that and that's when I see it. I see like six different accounts listed there and I'm like, what is this? Four of them are just like the normal like randomized stripe account id and they are all like inactive, but there's two of 'em under the name Albert Dawkins.

Shannon Mattern: And those two had a list of like successful charges of over $35,000 each. And I'm like, what is this? So I click into these accounts under the connect tab or click into like this list of, I didn't realize they were even accounts at that point under this connect tab. And I see that the person's name is Albert Dawkins, the company name is netflix.com. There's an address I wanna say it was like in Connecticut or Rhode Island. There's a Hotmail email address on there and there is a list of a bunch of failed charges for like a few pennies each. And then when the charges start to be successful at a few pennies each, then they increase. So it's like a 35 cent charge and then a $5 charge and then a $50 charge and then a $5,000 charge all under the name of netflix.com under these two accounts.

Shannon Mattern: And I'm like, what is going on? Like where did this money go? I didn't receive $70,000 over the Easter holiday weekend and all of these charges all happened over the three days of the Easter holiday weekend. And I'm like, so where did this money go? Like is it still sitting in Stripe? Like why are they pulling out of my bank account? Why don't they just return it out of these? Like this is clearly obviously fraudulent, none of this is real, but like why are they trying to take the money out of my bank account? So I'm like clicking through more cause I don't even really know what I'm looking for. And I see that payouts were set up to be paid out instantly to a prepaid debit card versus like via Stripes, instant payout features. And they were paid out like the moment the transactions were successful to a Visa debit card that is not mine.

Shannon Mattern: And I'm just like, holy crap, my account somehow someone got access to my account and set up these connected accounts, stole a bunch of money from whoever, not even my students because it wasn't any of like, none of these transactions were from my students or like any of my customers from who knows how they got these credit card numbers and paid it out to an instant debit card. And Stripe didn't stop any of it. Like not only did they, like I got no email that these connected accounts were created. I got no notifications of successful transactions, which if you have a Stripe account, like you know, you'll get an email saying like payment successful, payment successful and you can set up payment failed notifications also. So, so I know, I know when my students are paying, I get email notifications. I got no email notifications of any of these successful transactions, any of these unsuccessful transactions that any, any accounts like instant payout notifications being set up, cards being added, nothing.

Shannon Mattern: I got nothing, no notifications about any of that. Not only that, these credit cards were able to be processed with nothing but a credit card number and an expiration date. No three digit code, no identifying billing information, no, nothing. I don't allow that stuff on my own account. Like my account is set up that if you don't enter an email address when you check out the payment's not getting processed, you don't have a, the three digit code payment's not getting processed, you don't have a billing address that matches the billing address on your bank account. Payment's not getting processed. I thought that was like standard practice. Apparently it is not. Apparently Stripe settings allow you to literally process credit cards with just a card number and an expiration date. And so apparently this is a practice called card testing. I had no idea what this even meant.

Shannon Mattern: Stripe knows it, what it means, as you'll see as I read to you, like what happens next. But what's happening is that these connected accounts were created on my account somehow. And I'm like how I have two factor authentication. I have all of the security requirements, I have complex password, like even if someone got my password, there's still two factor authentication that has to happen. How did this happen? How did they get, like how was someone able to create fake accounts called netflix.com in my Stripe account and then rack up $70,000 in charges on other people's credit cards, not even my students and pay it out to a debit card all while I got zero notifications and then Stripe starts taking the money out of my bank account, my Stripe balance of legitimate transactions and my bank account to pay back those victims of the fraud and Albert Dawkins gets away Scott free.

Shannon Mattern: Like it is mind blowing. And if you're like, no, that couldn't possibly happen, let me tell you what happened after I realized what was happening. So I'm like, okay, I understand that this is not a attack on me personally. Like peop, it's just like someone just like trying car doors and they're gonna steal whatever they can steal, right? But I was racking my brain trying to figure out how in the world these connected accounts were set up in the first place. And I'm like, okay, now it makes sense that Stripe thought that it needed to close my account for all these unauthorized charges. And again, I'm like, okay, I, they should have gone in and looked at my account and like figured this out but they didn't. So I'm just gonna let Stripe know that this wasn't me. They'll take care of it. They'll stop trying to take this money from my bank account that they never paid to me in the first place.

Shannon Mattern: They will understand that I have also been a victim of this fraud and will get this all straightened out again. I laugh at myself, I'm so naive. So I send this email to Stripe support with the subject line, someone is fraudulently using my Stripe account and here's what I shared with them. I said I received an email today notifying me that my account was being shut down due to unauthorized charges. C attached screenshot. When I looked at my account, I discovered several accounts that are not mine in the connect section of Stripe. It appears that somehow my account has been hacked. I'm not sure how these accounts were even able to be connected to my Stripe account. Why I never received a single email notification of these payments, why those successful payments connected to Albert Dawkins aren't showing up in my list of successful payments.

Shannon Mattern: And now why my account is at risk of being shut down and I'm getting emails that these payments are being refunded from my funds and funds are being taken out of my bank account. Please help me fix this. These fraudulent charges are happening outside of my business through my Stripe account somehow. And if you can hear the like panic in my voice, I was like please help me, please help me, please help me. So my anxiety is like through the roof and my husband is like, what is going on? And I'm like telling him and he's like, that can't possibly be right. You just need to get on the phone with them and like talk to someone and I'm sure that they'll like get this all cleared up for you. They're not gonna try to take the money from you. And I was like, I feel like the same thing too.

Shannon Mattern: Like I just feel like this shouldn't be how this is. Like if someone stole my credit card number and went shopping with it, like that's, I'm not liable for that. Why am I liable for someone running fraudulent payments through my account that I had nothing to do with? So I'm like of course like once I get to the right person they will help me figure it out. So I'm starting to like panic too because I'm like there's $70,000 in fraudulent charges here that they are clawing out of my bank account and saying that I have to pay back it. I don't have $70,000, I don't have $70,000 sitting in my bank account. Not only that, I have two employees that have paychecks that need to get paid and if you claw back all my money, how am I supposed to pay my team? I pay myself a paycheck too.

Shannon Mattern: I need that. But like I'm thinking about my team, I'm thinking about my business, I'm thinking about my students. I'm like, you are going to like take every last dime that I have and then tell me I owe you even more money because of Albert dawkins at netflix.com. Like it just didn't seem right and I'm panicking and I'm like oh my god I do not have the money to pay for this. So several hours later I received the following response. I re says Hi there, thank you for taking the time to write in. I understand the importance of getting some information on your account situation. I'll do my best to shield some light on this matter. As it turns out, my records indicate that we found identified payments on your Stripe account that don't appear to have been authorized by the customer, meaning that the owner of the Carter Bank account didn't consent to these payments.

Shannon Mattern: For this reason, we will no longer accept payments for your account. If you believe that we have misinterpreted or incorrectly classified your business and you would like us to further review your account, please fill out the corresponding form on your management platform to supplement your business information, which I already did. By the way, once you complete this form we will review it and contact you in two business days. In the meantime, if you have any questions or need anything else, please don't hesitate to let me know. Best wishes Lori. And I was like okay. She just like, she just doesn't understand . This is like when it's so funny like I have to laugh at myself because like when I'm like oh they're just not understanding what I'm trying to mean. I'll just say it again in a different way. Like it didn't even click in my mind that they understood exactly what I was saying and that they didn't care, right?

Shannon Mattern: I'm just like, oh, if I just explain it again they'll get it. So, so I was like, let me like make a video. Let me open up loom.com, let me like give her a tour of what's going on in my Stripe account and just show and tell, right? If I could just show and tell and explain verbally, then they'll get it. They'll understand that I'm also a victim of this fraud and that they can just help me fix the fraud. They're a billion dollar company, I'm sure they have insurance for a $70,000 fraud. It's like pennies on the dollar to them. We'll get my account reinstated and everything will be fine . So I still had hope at this point but I was still panicking on the inside too cuz I'm like oh my god, what if, what if it doesn't? So I write back, good morning Lori.

Shannon Mattern: Thank you for your email. I understand that you found payments on my account that don't appear to have been authorized the customer. And what I am trying to explain to Stripe is that my account has been hacked. I did not authorize these connections and there's un illicit activity going on on my account. So explain everything that I've like shared with you. already on this podcast. I keep saying the same thing over and over and later that day I hear back from Lori and she's like, thanks for keeping in touch with us. I'd like to apologize in advance for the inconvenience. I know that you are requesting information about why your account is still rejected. I was not requesting information about why my account was still rejected. I wanted them to stop taking my money and like handle this situation. But she goes, let me review this for you.

Shannon Mattern: Unfortunately after conducting a further review of your account, we've determined that we still won't be able to accept payments for your business moving forward. I'm like, I'm not even asking you to do that. I'm asking you to stop taking my money outta my bank account. But anyway, she Stripe can only support businesses with a low risk of customer disputes. After reviewing your account, it does seem like your business presents a higher level of risk than we can currently support payouts to your bank account have been paused and we will issue refunds on the effective card payments five business days from the account closing day. Although it may take longer to appear on the cardholder statement. If there are insufficient funds on your account to cover any refund, these will not be processed and any outstanding funds will remain on your account. Nowhere in any of these emails by the way do they say we're going to start pulling it out of your bank account.

Shannon Mattern: But that's exactly what they did. We're sorry that we can no longer offer our services to you and we wish you the best of luck with your business. So I'm just like, what in the world? Like they are not understanding what I'm trying to tell them. They were literally intentionally ignoring what I was telling them. I understand that now. So I asked if there was anyone that c I could speak to regarding this matter and I said, I have a huge concern that you are refunding money from my bank account that I never received in the first place. These payments were fraudulently charged through my Stripe account by a fraudulent third party, paid out via instant transfers to debit cards that are not mine, that don't have even have any emails or names or email addresses attached to them. And now refunds for these fraudulent payments are being taken out of my legit bank account.

Shannon Mattern: Please like connect me, escalate me to someone who can help. So meanwhile, more of my student payments are like being charged on my website and I see that they're being held in reserve in Stripe to pay back the fraudulent charges. And now I'm starting to completely panic and I'm like, oh my gosh, I have to, I'm going into my website and I'm deactivating stripe for my payments. I can't accept any payments now, but at least they're not gonna actually be taken from my students and held by Stripe and not remitted to me while I figure this out. So I shut down my connection to Stripe from my website. I reach out to the plugin that I use for Stripe and I was like, Hey, like just fyi, this is happening to me. Do you know of anybody that this has happened to? And they're like, do you have any contacts at Stripe since you integrate with them that can help me?

Shannon Mattern: And they're like, yeah, no, sorry we've you know, no. And so I'm like freaking out and my husband's like, isn't there a support number you can call? Like you're just sending all these emails back and forth. You need to just talk to someone. And I'm like, there isn't a phone number , there's a support page. So he starts googling cuz he is just like , it's cute now and I love this about him but he's just like, oh she's just being ridiculous. Like I can fix this, this, there's a simple explanation so let me just like save her some mental health and I'll just like jump in. Right? So he starts googling and he finds some posts on Reddit talking about this exact same thing happening to a bunch of other people. And the only way they got someone at Stripe to actually like look at their account was to post a review on Trustpilot.

Shannon Mattern: So I like wrote this whole long post, posted it on Trustpilot, I was just like, they are stealing money from me, like someone stole from everybody else and they're stealing from me. And within 10 minutes I received a response with a different support email address, like different than the one from all these other ones. And I'm like, okay, now we're getting somewhere. So I share all that same information that I shared with Lori with this email address and I just got a confirmation that they were investigating and that they'd be in touch. So I'm like, okay, someone might actually be listening to what I'm saying instead of just saying like, we've shut your account down and if this all sounds tedious, oh my gosh, like it is. So a friend, my friend Alicia St. Jermaine reached out to me later that day and I shared with her what was going on and after her initial reaction of like they can't possibly try to hold you liable for this, it must just be a misunderstanding.

Shannon Mattern: I actually called her and I cried my face off so hard. I don't cry but like I cry when I'm anxious. And the level of anxiety and panic had built in me to the point where like I could not like not sob. So I was just like, I'm gonna lose everything. Like the fear that was in me was just like this is gonna be the thing that's gonna like ruin my business. And I have like I have no control over this. I had no idea this could happen to me. Like they're gonna take every last dime, I won't be able to pay for anything. This is where my mind's going. And so she like helps me through it. She was like, listen, I think you need to close your bank account because those pending transactions, they're gonna just keep clawing that money back. And she's like, you need to disconnect your bank account from Stripe.

Shannon Mattern: And I'm like, you can't. Like there's no way to do that. So she's like, you need to go call your bank and close that account and file a police report and and here and I'm again, I'm so silly, I'm like, no that feels like overkill right now. They're investigating. I don't wanna do anything that would jeopardize them helping me resolve this. I think now that I've gotten through to like these people, like this will get resolved. And I started to think, but like I can't trust this platform for my payments going forward. I have to figure something else out but I'm not gonna be rash, I'm not gonna make any rash decisions . So one of the lessons that I've learned is like I don't know better when people are trying to give me advice, take it and I always have to learn it the hard way.

Shannon Mattern: But the next day I woke up to another email subject important, your Stripe account for company is for your company is re-enabled. I'm like, oh so . So I get it's like, hi Shannon, we're writing to you regarding your Stripe account. It looks like some transactions on your account were misidentified as unauthorized, which led us to close your account. That was a mistake on our end and we just re-enabled your account. We're very sorry for any disruption this may have caused for your business. If you have any questions you can contact us anytime from our support site. And I was like, oh my god, what a huge relief. I open up my bank account and I'm like why are they still trying to take money? There's the $600 charge that like processed. There's the pending $2,000 charge, there's another pending like $1,400 charge. I'm like why are they still trying to take my money?

Shannon Mattern: So I then I see another email come through and it's like it's from my, someone is fraudulently using my account back and forth thread and it says Hi there, I hope this email meets you well the live secret a p i key for your Stripe account has been rolled and the card testing attack has ceased. So this is the first time that I'm hearing what is going on, how it could have happened and whatever. So I'm, I keep reading it says your old a p i keys are no longer valid, which means that your account cannot currently accept payments. In order to resume accepting payments. You or your engineering team will need to replace any instances of the old keys with the new ones in your integration. If you use a third party platform that connects using an API key, you'll need to follow their instructions for replacing the keys.

Shannon Mattern: You can find your new keys on the API keys page in your dashboard. Side note, I use AccessAlly for my membership plugin and my payments, well I did for my payments. I don't need to copy and paste an p i key for that connection. It's an instant connection. Just like when you log into like Google from, you know, you log into like a store from your Google account, right? The way that I connect Access Ally to Stripe is to click a button log into my Stripe account, boom, their talking. I have never needed to copy and paste my a p I key to connect with Stripe, right? So anyway, this email gets to be fired up and you'll see why in a second. So it says, although your secret keys cannot be used to log into Stripe, they can be used to charge cards on your account's behalf.

Shannon Mattern: As such they should be considered as a sensitive Azure password and protected in an equally secure manner. If you or your developers use GitHub paceman or other publicly available services to post code snippets, please reevaluate how you use them as such. Generally how compromise happens. It's also good to check whether your secret key is inadvertently being displayed in your source code. Which again, like I said, I don't connect with my A P I key, I connect with the with whatever. And I also reached out to Access Ally and I shared this email with them and they were like, yeah, no that's not how we connect. Kindly ensure this is what it says next. Kindly ensure that you keep your secret APIs secure using the same methods you would any other privileged financial data. And what I wanted to add in my mind when I was reading that was Silly girl cuz like it fired me up while we do our best to be vigilant about security on your behalf , which I'm like mm-hmm , you are ultimately responsible for any disputes resulting from unauthorized payments.

Shannon Mattern: I'm like tell me how you're vigilant. This is where I get angsty . I could not believe what I was reading. I was like tell me how you are vigilant when one API key can allow someone to do all the things that they did in my account that seems like a gaping security hole on Stripes side. And who would know that with one a p i key? They could do all the things that they did undetected. Who would know that? I'm just asking the question like hmm, maybe someone that worked for Stripe. Just a theory no proof. Way more likely than someone scouring GitHub for my ap. Like come on, really Like if anyway, so I couldn't believe it. I was just like okay, not only did they allege that I exposed my A p I key, which I didn't, but let's say for the sake of argument that I left my a p I key just lying around Stripe literally said in that email to me that with only an a p I key, someone can set up fake accounts on your Stripe account you'll get zero notifications of the account being set up, zero notifications of successful or failed payments.

Shannon Mattern: Those won't show up in the app. So don't try to go look in your app to find it or on your main account. So if you're integrated with something that shows you all your transactions, you're not gonna see that either. And enough charges will go through until stripes algorithms catches the fraud and shuts down the account. Like you won't know any of it. Stripe will know eventually and then they will take all of the money that the thieves stole, they'll pay it out to a debit card for them neatly and then they'll pay back the customers using your bank account. Like what a perfect crime for someone who's aware of the gaping hole and stripes security and business practices. And if that sounds insane, like you couldn't possibly be understanding what I'm saying correctly or that I must be misunderstanding . That's what I thought too.

Shannon Mattern: Again, I see now that I was just like banging my head against the wall. This is like cognitive dissonance when like your brain is just like this can't be happening. Like they must just not be understanding. How do they not understand that I'm a victim of this too? Because that last sentence that said, you are ultimately responsible for any disputes resulting from unauthorized payments. And I'm like, but how when I did not authorize the accounts that the unauthorized payments were made on and they, they just said the same thing over and over again. I understand that this is something that you're not expecting. As mentioned earlier, platforms are the one who's responsible for the activity on your accounts in regards. So this is an email they sent back to me after I said no, help me, I'm a victim in regards to notifications for the activity of your connected accounts.

Shannon Mattern: Webhooks are the way that Stripe will relay information about your connected accounts to your platform. It's important to set up a connect endpoint to listen to these. They're still acting as if I set up these connected accounts. like they're just like your connected in order for notifications for the activity of your connected accounts. Like, like I just set up a account called netflix.com under the name of Albert Dawkins by myself. That doesn't match any of the business documentation that I set up. Can you see that I get fired up because this makes no sense.

Shannon Mattern: Oh my gosh. So at this point after this email I was like, oh they understand exactly what I'm saying and they are not going to acknowledge at all that I am also a victim of this fraud. That nothing in any of these emails are they gonna be like, oh yeah, like we get it. You've been victimized also, we're gonna help you. They fully understood and their position is that they don't care. You are fully responsible for the activity on your account even if you're the victim of fraud. And I think about this and I'm like, oh my gosh, like other victims of different types of frauds, like your credit card gets stolen, your debit card gets stolen or your number gets stolen, you have a way to dispute those charges, right? But what I didn't know is if those fraudulent charges happen through Stripes, stripes gonna pay them back out of another victim's bank account.

Shannon Mattern: So if you are listening to this and you use Stripe, you need to log into your Stripe account, check that connect tab and make sure there's nothing in there and also reconsider your use of Stripe. I know that not everyone's gonna be able to like go find something different. There are a lot of services out there that offer payments collection that only integrate with Stripe. I get it. But just know that they are not going to help you if something goes wrong. So I called my bank account to put stop payments on the pending money that Stripe was trying to take from me. I went into the branch to close my account and open up a new one. I got set up with a merchant account, which I'm like, okay cool, like they, my bank can help me take payments. I'm like, tell me how you're different than Stripe.

Shannon Mattern: And they're like, well they're a third party payments processor. And I said, I don't understand how they're any different than you. And they're like, oh well they, I still don't understand the full difference but what I can tell you is that I had to like fill out an application to get this merchant account and I had to be approved I think like based on like the length of time that I've been in business and just different things. And then once I was approved, like I have to use like they only use like Clover and maybe they offer something else like authorized.net or something, but to process payments and I'm just like, okay, but does this integrate with WordPress? And I had to like figure all of that out. So I got my bank to help me put in place, they call it ACH positive pay, that's what they call it at my bank.

Shannon Mattern: But what it does is that if there's a transaction, a withdrawal outta my bank account, that's like through a ACH H transaction, like a bank account draft, I have to go in and approve it. So now I can prevent anyone from like drafting money outta my bank account. I had to issue a dispute on the money that Stripe already took back from me. I filed a re police report that was a fun two hours of having the my local county sheriff come out, take a report from me, call the phone number and send an email to quote unquote Albert Dawkins and do his little investigation to be like, yeah that was obviously a fake phone number. And the email bounced and basically say to me, I'm happy to take, which of course I knew he wasn't gonna be able to do anything at all, but I'm like, I'm just like doing the things that I know to do.

Shannon Mattern: And he's like with financial crimes you can report them to the, I live in Columbus, Ohio, so he's like the Columbus field office of the F B I. They're not going to do anything. It's not like they're gonna be able to like help you specifically but the information that you provide them might be helpful to a larger investigation. Which I'm like cool, like I'll whatever I can do, I'm not trying to get you to like go find this guy cuz I know you know that's not even a, I'm not, I'm more mad at Stripe for not helping me than I'm, I should be mad at Albert Dawkins but people like him are out there in the world, right? So I'm like I will only file a police re or a, I will only share this with the F B I if it's not like a drain on their resources. And he is like, no, these are things that they would want to have information on in case it's part helpful to a larger investigation of LAR broader financial crimes and things like that. And I'm like, okay cool.

Shannon Mattern: I already had stopped all of our current payment plans on Stripe so that they didn't hold all that money that I needed to pay my team and their and like their paychecks. But I had to ask, I had to like get my whole back end of my WordPress site set up with new merchant account, new products, new automations when people purchase the pro. Like I had to swap out all of the plumbing. So I got that all of all done. And thankfully I love doing that stuff, not under these circumstances but like that's my jam. And I was able to get that done pretty quickly And I can only imagine, I'm like what if this happened to someone who wasn't able to do that for themselves? It could have been months for them to find the right person, get on their calendar, get it all done, get it all tested, like it could have been a grind to a halt of someone else's business for way longer than it was for mine.

Shannon Mattern: And that's just insane to me. I mean I'm just grateful that I have the skill to do that stuff. But like if someone else didn't, this could devastate them even more. So not only that, I had to ask all my students, Hey I know your payment plan was you already paid for your payment plan but can you come over here and re-up your payment plan? And thankfully they're all amazing and they did. But I like had about one month with no revenue that I was expecting, right? So no payments coming in Stripe holding money that they took from me. I had to hire an attorney. So I contacted my first attorney and while they have been an amazing attorney for me, they do in the lecture of property trademarks, contracts, like they don't do stuff like this. And I was in such a panic at the time that I was like, yes, I authorized your time for research and I got a $1,500 bill from them for them researching and not really being able to help me ultimately.

Shannon Mattern: And so that was like, okay, there's more money that I don't have coming in that's going out. And then I shared this like in the midst of all of this, I think the day this happened I was supposed to talk to Josh Hall on his podcast. In the midst of all of this we rescheduled our podcast. I talked to Josh and I told him about everything that was happening and you guys may have heard that episode and at the end he was like, listen, I know this person, she's an attorney but she's also a web designer and I wanna connect you with her. Maybe she can help. So after that podcast, cuz Josh is just an amazing human, he connected me with Anne Kappuzha from Powerhouse Strategy and Powerhouse Legal. And she like I scheduled a call with her right away. We jumped on the call and I'll put her name and contact information in the show notes in case you're somebody that is dealing with this.

Shannon Mattern: She put together a plan, she like everything and I saved all of my documentation by the way. Like I made a Dropbox folder, I had to, when I filed the police report of all of my correspondence, all the screenshots, all the videos, everything about the fraud, I sent that over to her and she was like, okay, here's our first step. We write a cease and desist letter and we send that to them and we tell them that to cease and desist clawing money out of your bank account to pay back the money that they owe to release you from liability from the 70,000 and I'm not using Stripe anymore, I don't care that my account is reinstated. Like that was never a concern to me. I mean it was, but now I'm just like, no I will never use you again. But like stop trying to say that I owe $70,000 because this stuff happened on my account.

Shannon Mattern: So, so she crafted that and at the time of this recording of this podcast, we had sent the cease and desist, we gave them 15 days, they requested a 15 day extension, we granted it and they still haven't respond. Their 15 days is over, they still haven't responded. So I have no idea what is going to happen at this point. But what I do know is that like I wanted to tell people what was happening and I wanted to like wait until I had the full story cuz I didn't wanna just like sound the alarm and be like alarm and not give you any steps to follow or prevention steps. But at this point I'm like I can't wait anymore because this is probably happening. I have already heard from students in my Web Designer Academy community that they're seeing posts from their colleagues that like this has happened to them and they don't know what to do.

Shannon Mattern: And I've said, if this has happened, anybody reach out to me. I am happy to like connect you with the right resources, tell you what I have done. But if this happens to you, disconnect your bank account right away. , I know it's a pain in the butt, but like they're not gonna stop trying to take your money. Like there were pending transactions until that account closed and then we actually put something to like block even their pending transactions and we just shut down the account, file a police report just in case. I don't know what it's gonna do. The prior attorney prior Ann advised me to send an email to Stripes data protection officer. I did that. They said the same thing as everybody else. You were ultimately per terms and conditions, you were responsible for anything that happens on your account. So Ann took it to the legal department with a cease and desist letter, no idea what is gonna happen to this.

Shannon Mattern: But I needed everybody who listens to this podcast, who owns a small business, who uses Stripe, who has clients that use Stripe to know that this is happening because it is a huge, huge risk to your business. So not only has this been like a financial burden to me, like a huge financial burden, it's cost me about $10,000 and missed student payments, legal fees, bank fees costs to switching over my e-commerce website from Stripe to a merchant account. I had to buy a whole new suite of plugins, not including the money that Stripes holding from me. I think they're holding like over $3,500, maybe between 3030 500 and the 70,000 that they're trying to collect from me that they say that I owe that Albert Dawkins stole from people that they paid to him and are trying to take outta my bank account. Someone there has got to understand that that's not okay, but I'm not holding up hope for that.

Shannon Mattern: So if this happens to disconnect your bank account, protect yourself, hire an attorney, I can connect you with with mine. Because here's what happened. I had that first conversation with Anne and she's like, I've got this for you. You don't have to worry about this anymore. And I cannot tell you like the level of panic and anxiety that I had been living with up until that point. Most of it melted away. Not all of it. Most of it melted away. And so it's not just about the money though, like this affected my mental health significantly. I was just operating under such massive anxiety. I had to run a launch through doing this. I had just come off of a launch and thank goodness, and I'll talk about this in the next podcast episode, we didn't meet our launch goals and I think everything happens for a reason because I had way less students to reach out to to be like, oh hey, I know we just met but can you re-up your payment plan because this whole thing happened and I was so distracted I could not have onboarded all of those students.

Shannon Mattern: Like it felt like my world was crumbling. And I know if you think that sounds dramatic, I get it. But my psychological safety was ruptured, my trust was completely rocked. And what I thought I knew to like be true, I don't wanna say true, but what like what I thought would just be like common sense and common decency was like not true. And I know people experience this in their life all the time where it's just like this thing is happening, it doesn't make sense. I didn't do anything to deserve it and I have no control over it and it's way more serious than what I'm going through. Please hear me when I say that like I understand, but I'm also not gonna minimize like how this experience was for me and it affected my whole life and my whole business to the point where my friends and my family were saying, you're just not yourself.

Shannon Mattern: You haven't been yourself. And I'm like, I know I am under so much pressure right now to get this fixed that it even affected my next launch. So I had the one that didn't go as planned and I'll talk about this in the next episode. Then I had to deal with all of this and then I went into my next launch thinking, oh my gosh, like this has to go well otherwise I'm not gonna be able to like pay my bills. I've had so many unexpected expenses, so many delays like this has to work, this has to work. Like so much pressure. What do you think happens when you go into something with so much pressure? So it's been a huge deal. And I guess what I would say out of all of this, like besides the lesson of like third party payment processors are not on your side, there are other ones out there.

Shannon Mattern: I'm not gonna like drag their names into this because I haven't used them, but I researched them as alternatives when I realized I couldn't use Stripe anymore. And the same exact cha like problems that people were say that I experienced with Stripe that other people experience with Stripe, same exact behavior for the other third party payment processing companies. I don't know if my merchant account is safer , but my deposits are F D I C insured with my merchant account before they get to me. I guess I didn't realize that any money sitting in my Stripe account, I mean I guess I'd never, it's just you don't know what you don't know. It's not insured. Like if something were to happen to stripe, that money is gone. The money in my merchant account before it comes to my bank account, F D I C insured at the merchant level, insured at the bank account level.

Shannon Mattern: So just all these things that I, I didn't know. But what I learned from this is that these situations, you have a choice. You can either let them knock you down and just keep you there. Which there was a moment during all of this where I, where I literally had the thought, I don't know if running my business is worth all this. And I've never thought that since 2015, since I started my business ever, no matter what hard thing was happening, I always had the wherewithal in me to be like, I'm willing to figure this out because we help so many people and it is my mission to figure it out to help those people. And when this happened in the midst of it when I felt like no one was like I had nowhere to turn, that's what I felt like. I was like, I don't know if this is worth it.

Shannon Mattern: I called my sister and I was like, Hey, you've always told me you'd hire me in a heartbeat if I needed it. Do you guys have anything? I was literally planning to like get a job cuz I'm like, I don't know how I'm gonna pay all this back. I, they're gonna take all my money and I won't be able to survive it. So I felt that way and I was just like, oh my gosh. Like that was a low for me. So you can either let it like tear you down or you can fight it and you can learn the lesson from it, which is like not fight it in a way. Like I needed to build emotional resilience. Like after it was hard. Not only did I have to like, I had to ask for help. Like I'm not an ask for helper. If you have listened to this podcast or my last podcast for any amount of time, I am like a lone wolf and it is my Achilles heel.

Shannon Mattern: I will diy, I will figure it out, I will do it on my own and it causes me to be blind to help, it causes me to be resistant to help. It causes me to not seek out help in this moment where I had no other options because I was trying to do it myself. I had to lean on the support of other people. I had to let Alicia St. Jermaine give me advice and ultimately take it. I had to let my banking company, my small town bank company, who were amazing, like give me advice and I had to actually like follow it. I had to let Josh haw connect me with Anne and take like say, yes, I'll do anything. And what that has opened up for me is I always am like, I am the one that's helping, but I won't take help.

Shannon Mattern: Taking help is a beautiful, beautiful saying. And since this happened, what I have learned from like I have accepted so much help since then. I told everybody, everybody I knew what was going on because I just couldn't keep it inside because I was suffering so much and everybody held me. They supported me, they connected me with people to help me, every single one. And it was so beautiful and I've never let myself be helped that way. And it has persisted like I'm open to receiving now in a way that I hadn't, hadn't really been before. So this whole situation, while it is one of the most challenging things I have ever gone through in my business, it really opened me up to being accepting of receiving help and support and just surrendering, just literally surrendering and being like, I don't know what to do. Like please help me.

Shannon Mattern: And also to realize that like what might seem to be right , what might seem to be like the righteous or right thing, people don't do the right thing. And especially big companies that ultimately really don't care about the customers using their platforms and wanna run e everything on AI in an algorithm. You know, like that's another thing that I learned in that like the relationship that I am building with my small regional bank here in Columbus, Ohio has been massively, massively valuable and important to me. And the other thing that I'm l I learned is like I was listening to a podcast today with Corinne Crabtree of her podcast is called Losing 100 Pounds. And she's like, sometimes things happen to check you to make sure that is this really what you say you want? You know, and in that moment where I was thinking like, I don't know if I want this anymore, this is too hard.

Shannon Mattern: You have a choice. You can either like double down on what you want or you can give up and I'm doubling down on, on what I want and my like, I keep saying like I want this level of business. What I realized is like my systems weren't my backend technical systems and the companies and tools I was using were like the biggest risk and a bigger business needed support from different systems. So this needed to like quote unquote break or be broken for me so that I could rebuild more secure systems as we recover from this because we are in a low, low spot . You know, just to be really transparent and I'll talk more about that on the podcast. Like, our business has been damaged and we're not going anywhere, we're gonna rebuild from here. But it was really challenging. And so yeah, the other thing that I would say is that like it affected my money mindset so badly.

Shannon Mattern: , I talk about money mindset with web designers specifically. Like that's a big thing about what we talk about when we talk about like pricing and value and all of those things. And we talk about pricing paradigms and we talk about investment mindset, hybrid mindset and expense mindset. Whereas investment mindset thinks that like money is abundant and always on the way and you can never run out. Expense mindset is like, oh you can run out. Like if I had this situation snapped me so hard into expense mindset and fear and anxiety that it has taken several weeks of an intentional money mindset work to just claw my BA way back into a hybrid mindset where I'm like, okay, there's more money on the way. You can calm down. There's more money on the way. I have not paid myself payroll to be able to pay legal fees.

Shannon Mattern: So I haven't taken my own paycheck to protect the health of the business. And that's messing with my money mindset . It's truly messing with my, with my money mindset. And so I have to do intentional work there to get my belief back. It has affected I'm, I'm clawing out of that. It's just affected a lot of my decisions. It's clouded when you feel anxiety and cortisol in your body. Your brain cannot think is clearly all it's thinking about is surviving. And so I'm making decisions from a really survivor, expensive place rather than like a abundant, calm, confident, like we got this place. And so I'm still integrating all of these lessons, but it's been a challenge and I say this to say I feel like another reason I can do this podcast now is cuz I'm coming out on the other side of it.

Shannon Mattern: I couldn't have done it when I was in the place of how I felt when I was telling Josh about it on his podcast. I hadn't, like the lessons from it hadn't gelled yet. I'm still learning some lessons from it. I'm still coming out on the other side of it. I'm still recovering mentally and emotionally from it. We're hopefully gonna recover financially from it. I hope to see that on the back half of the year. And we have some like plans in the works to do that. And I'll tell you all more about that in next week's episode. But if you have Stripe, I'll leave you with this log into that account, check that connect tab often, make sure that there's nothing there because you won't know until after Stripes paid out your thief and started taking money from you that had ever even happened.

Shannon Mattern: It's truly the perfect crime. So that is everything I have for you this week. Next week we'll be back with just basically my review of the first two quarters of 2023. All the things that happened, all the lessons I learned along the way. This part of Q two of 2023 really deserved its own episode. But I'll be back next week to share what the first six months of 2023 looked like and where we're going from here. So thank you so much for listening. You can reach out if you know someone or if you've experienced this yourself or you're going through it, reach out to me. You can just email me shannon@webdesigneracademy.com and I'll do whatever I can to point you in the right direction. Cause I know how helpless and hopeless I felt when I was trying to navigate it on my own.

Shannon Mattern: So, alright, I'll see you back here next week. Bye everyone. Hey, so if you're ready to stop undercharging and overworking, if you wanna take back control of your time, work only with the dreamiest of clients and make more money as a web designer than you ever thought possible, get started now by going to https://web designer academy.com and joining our wait list. We'll send you exclusive teachings from the current Web Designer Academy so you can start applying our concepts now. And you'll be first to know when enrollment opens up again, so that you can work with us to completely transform your web design business.

Speaker 2: This podcast is part of the sound advice FM network. Sound advice FM Women's Voices amplified.