Saturday, March 29, 2014

How can freelancers protect themselves from scamming clients?

Those that know me, know I've been a freelance web developer off & on for the majority of the last 13 years. Over that time, I thought I had learned the appropriate steps to take to prevent myself from getting ripped off. Well, it would seem I wasn't as prepared as I thought I was.

I take great interest in helping small & family-owned businesses to create an effective web presence. In the past I've even offered to do the work for free, at extremely low hourly rates or for a small percent of future sales, as was the case in this lesson I recently learned.

In this case, I was asked to resurrect a website that appeared to be originally authored around 2003, using WYSIWYG editors such as Netscape Composer, and later M$ Frontpage. There was no rhyme or reason to the site's navigation, directory/file structure etc. Image files were not at all optimized and the site was just riddled with mistakes both visible and in the underlying code. Clearly a novice web master had gotten in over their head, created a site that was impossible to maintain, and was doing very poorly in terms of search engine performance. I thought, great! I can fix this!

Once I had the bulk of their "content" ported over to a bright and shiny installation of WordPress, I put it up on their web server and started to address my many marketing concerns. So I asked the client to confirm himself as owner of the business on the Yelp page that already had the bulk of their business information. The phone number and location were no longer current, but in my mind, the most important part, the URL to the website, was correct. I also asked the client for a PSD Photoshop file of their logo; since they had mentioned it was "done professionally", I would expect them to retain the PSD file for later use.

That was when the red flags started waving vigorously in the winds of deceit that I started to sense. They didn't have a PSD file of their logo, only PNG, JPG and BMP versions of the same logo, making the touch-ups they were requesting impossible. They also said they couldn't claim the Yelp entry as their own, they weren't at that address any more, and the phone number had since changed. I suggested a new phone number to Yelp, and asked the client to try the "Claim my business" process again. Their response: "it didn't work". So, I requested they create a new Yelp account. They blatantly refused and asked "Why is that such a big deal?". Clearly any legitimate business owner is not going to respond this way when offered free marketing. So I responded with something similar to "verify yourself as the legitimate business owner or I'm not going to continue the work". They responded by changing the FTP password to their server, and changing the "author" password for the WordPress account I had created for them.

I contacted them shortly after, asking why the FTP password was changed, pointing out it made it difficult to get to the unoptimized images, optimize them and re-upload them, when in fact I really didn't need it. No response. I waited a day, still no response.

So, after nearly 48 hours of silence I logged into WordPress as admin, and went about deleting all the pages and posts I had made, and then emptied the trash. Then I edited the child theme I had tailored to execute some PHP which deleted the optimized images I had created, and then tweaked it to become inoperable. As a final step, I switched the WordPress theme to the ugliest I could find and made a single post, a series of links I had found when investigating the company and client's name.

Turns out this outfit has been involved in something called a Phoenix scam since 2003. In 2006 they were convicted of fraud. The Phoenix scam falls into the "Long Con" realm of cons and is named such because the company rises, does some legitimate work offering extremely generous warranties then claims bankruptcy, making the warranties and future contracts void. The "owner" then sells the company to a co-conspirator who raises the company from the ashes, and does the same thing again.

Apparently I was the unfortunate web developer tasked with helping with the third rising of this Phoenix. Once I realized what was happening, I swiftly clipped its wings. I lost a lot of time for which I will never be paid, but at least I didn't become an unknowing accomplice to these scammers. As a result, I've amended my rule book.

  1. If the client does not have a "confirmed" Yelp page, require them to claim their business before doing ANY work at all.
  2. Do some basic Google searches to ensure that client-provided content is not copied from a "competing" website. Copy a few long sentences from their text and see if you can find it identically on other sites by wrapping it with quotes.
  3. Look at the headers of their emails and glean the originating IP address of the sender. Use a free service like IP2Location.com to ensure they are at least near the region they claim to be in. If the originating IP address is in a private range like 10.0.0.0, or 192.168.0.0, be very suspicious and act accordingly.
  4. Do the bulk of the work on your own server and do not place it on the client's server until you have been paid at least 50% of the agreed price.
  5. Have a backup plan to cripple the site, but leave it in a restorable state, in the event the client doesn't pay in full. In the case above, keeping the WordPress Admin password to myself served that purpose. To ensure I could restore the content in the event my suspicions were wrong, I should have used WordPress's built-in "export" widget, but by that point I was 100% certain I had called it correctly.
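
For rule 3, here is one way to pull the addresses out of a message's `Received` headers and sort them into private and public. This is an added example, not code from the original post; the sample message, hostnames and addresses are constructed, and the function names are hypothetical.

```python
import email
import ipaddress
import re

# RFC 1918 private ranges (the ones rule 3 singles out).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample; hostnames and documentation-range IPs are made up.
SAMPLE = """\
Received: from smtp.client.example (smtp.client.example [203.0.113.25])
\tby mx.freelancer.example with ESMTP; Sat, 29 Mar 2014 10:00:03 -0700
Received: from [192.168.1.44] (unknown [198.51.100.80])
\tby smtp.client.example with ESMTPSA; Sat, 29 Mar 2014 10:00:01 -0700
From: client@client.example
To: dev@freelancer.example
Subject: logo files

See attached.
"""

def classify(ip):
    return "private" if any(ip in net for net in RFC1918) else "public"

def hop_addresses(raw):
    """Bracketed IPv4s from each Received 'from' clause, earliest hop first."""
    msg = email.message_from_string(raw)
    hops = []
    # Each relay prepends its header, so the last Received line is the earliest.
    for header in reversed(msg.get_all("Received", [])):
        from_clause = re.split(r"\sby\s", header, maxsplit=1)[0]
        ips = []
        for text in IPV4.findall(from_clause):
            try:
                ips.append(ipaddress.ip_address(text))
            except ValueError:
                continue  # e.g. [999.1.1.1] is not a valid address
        hops.append(ips)
    return hops

def origin_report(raw):
    """Summarise the earliest hop: each address and its classification."""
    hops = hop_addresses(raw)
    earliest = hops[0] if hops else []
    return {"hops": len(hops),
            "earliest_hop": [(str(ip), classify(ip)) for ip in earliest]}

if __name__ == "__main__":
    print(origin_report(SAMPLE))
```

The public address from the earliest hop is the one to feed to a geolocation lookup. `Received` lines written before the message reached your own mail server are supplied by the sending side, so treat them as a claim rather than proof.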

It's embarrassing to admit I almost fell for this, but if it saves a community from getting scammed again, and/or another freelancer from the turmoil I went through, it's worth it.
