Eighteen cents. Amanda Stevenson couldn’t believe it when she saw that number on her screen.
The co-owner of Southwest Statements, an online seller of silver and turquoise jewelry, had been gearing up for a business trip. She opened her Shopify account, which she thought contained thousands of dollars. Instead, it contained eighteen cents, next to nothing.
“I thought, Am I seeing things? Am I going crazy?” Stevenson says.
Examining further, she saw that her account had been drained over the past few weeks by a series of small charges. They ranged from pennies to around $8. There were sometimes hundreds of micro-payments a day.
“They were for such a small amount, I wasn’t alerted to them,” says Stevenson, who founded her company in 2022. “They all said ‘Facebook.’ We did run a Facebook ad, but hadn’t done any in the past few months.”
Shopify lets business owners dispute charges to their account, but filing claims on hundreds of payments would have taken forever.
She quickly shut down the website and broadcast her plight on Instagram. “I have some crazy news,” she said. “Somehow someone’s been getting into our account and stole all our money. We’re kind of freaking out.”
Stevenson reached out to Shopify customer service and was eventually referred to its fraud department. The people there have been helpful, she says, though it’s still not clear where the charges came from.
Shopify told her it had opened four credit cards for her company. Stevenson only knew of one, which she believed had been canceled.
The online platform has since wiped out all the suspect payments, which was a big help for Stevenson, as she didn’t have to dispute them one by one. They also sent her a message recommending that she check her bank account regularly and use standard security precautions, like two-factor authentication (which she does).
Resolving the issue took about a week and a half, Anderson says. Since then, she’s restored her site and got some nice publicity when local news broadcast a story about it.
“As stressful as this was, we were able to get it fixed very quickly,” Anderson says. “Shopify was very responsive.”
Company co-owner Cassandra Rose Cooper says the two consider themselves lucky.
“We have heard from a lot of people with similar issues, and some of them say they never got it resolved,” Cooper says. “It’s super sad, and it affects a lot of small businesses with all different outcomes.
“We both have tech backgrounds, and the spammers are getting very sophisticated. Sometimes even I question the things I get.”
Jennifer Mulvihill, the president of the Jewelers’ Security Alliance and also a professor of cybersecurity, says what happened “sounds like a bot attack.”
She says that, in addition to setting up multifactor authentication (MFA), users should change their passwords every 60 days. Passwords should be unique and never reused.
She agrees businesses should check their bank balances regularly and configure their settings so they receive notifications for transactions, including the small ones that siphoned money from Southwest Statements’ account.
When these events happen, Mulvihill advises victims to file a crime report with their local police, which can help them get their money back.
To minimize risk, she recommends looking at CISA, the U.S. Cybersecurity & Infrastructure Security Agency, which has a page of resources for small and medium-sized businesses.
And, if all else fails, Mulvihill says jewelers should have cyber insurance—just in case.
(Photo: Getty Images)
