Liz Carlson created, owns, and operates Southern Fried Chics, a women-run, online-only clothing boutique based in South Carolina. They sell floral dresses, ruffled tops, cowboy boots, "Glitter Bomb" sneakers, and brightly colored graphic tees sporting positive declarations like "Giving Is the New Thanks" and "Love One Another." The company caters to shoppers of all sizes who are looking for clothing that mixes Southern femininity with messages of patriotism and Christian values. Ordinarily their Facebook page exudes an earnest cheerfulness, but in the week leading up to 2016's Black Friday and Cyber Monday, hackers transformed it into a gallery for hardcore pornography.
For a few days, Carlson was locked out of her own page, while hackers posted a litany of sexual images—some of which included children—to generate advertising revenue from anyone who was curious enough to click. During those first 48 hours, Southern Fried Chics lost over 50,000 of its 1.5 million Facebook followers and over $100,000 in potential sales. "It almost put me out of business," says Carlson, explaining that her entire marketing budget goes toward advertising on social media, and that she considered deleting her account just to make the problem go away. "We have nothing but young girls and women following us. My customers thought that I was doing it. They said, 'We thought this was clothing. We can't believe you would even do this. We thought you were for women.'" Over the course of the following year, sales continued to drop, totaling a $1 million loss along with a massive decline in client trust.
As Cyber Monday drew near, Carlson's calls and messages to her page's designated support representative at Facebook went unanswered. Meanwhile, her phone was ringing non-stop with people offering unsolicited advice and rudimentary tech support. But there was nothing she could do. "It was over for me," she says. "I just wanted to die. We had to watch this play out."
Losing her site would've been an enormous blow to the progress Carlson has fought for her entire life. Born to an abusive mother who kicked her out of the house at 14, Carlson struggled with periods of drug and alcohol addiction, getting by on just an eighth-grade education. Eventually, she taught herself to sew to escape a life of homelessness. After having a daughter at 24, she began making clothing to sell on eBay. Even though she was unable to read patterns, she began creating children's outfits that were going for $300 to $400 each and landing in high-end boutiques. In 2012, she launched her own womenswear company, and, since then, Southern Fried Chics has grown into a team of 21 women who, like Carlson, also don't have college degrees.
What happened to Southern Fried Chics during those several days is distressingly common: According to the 2016 Internet Crime Report published in 2017 by the Federal Bureau of Investigation's Internet Crime Complaint Center (IC3), it received nearly 300,000 cybercrime complaints that year alone—more than 800 per day. A 2017 national survey from Pew Research Center found that 41 percent of Americans (135 million) have experienced online harassment in some capacity and 18 percent of Americans (59 million) have been victims of what Pew considers to be "particularly severe forms" of behavior "such as physical threats, harassment over a sustained period, sexual harassment or stalking." Considering there are 287 million Internet users in the United States alone, it's unlikely that any single entity—whether it be a government agency, a social media platform, a non-profit, or a private firm—could respond to every individual complaint or monitor every forum.
With no stolen goods to report or physical harm done—not to mention no sense of who was behind it all—it was futile for Carlson to call on law enforcement. While cybercrimes such as financial payment information theft, identity theft, and Web-based child exploitation violate pre-existing laws, situations like Carlson's, as well as those involving cyberstalking and cyber harassment, have no federal court precedent to reference and may fall under the umbrella term of "cyber abuse." According to Candice Blain, attorney and founder of Blain LLC, a law firm devoted to helping victims of cyber abuse, "Cyber abuse laws are still evolving and vary from jurisdiction to jurisdiction, and what is illegal in one state may not be in another; and, so, abuse that may feel disturbing—crippling even—to its victim may nonetheless still not violate the criminal laws in the jurisdiction."
It's these types of murky situations that inspired Theresa Payton, the first female chief information officer for the White House, to make it her mission to tackle cybercrimes and abuses one case a time. Following two and a half years working for the George W. Bush administration and over a decade in the financial services industry as a senior vice president and divisional chief information officer, Payton decided to open a private cybersecurity and intelligence operations firm "that would take care of people, businesses, the government, and our allies," she said. Along with Vince Crisler, who had previously worked in the Pentagon, Payton launched Fortalice Solutions, and quickly discovered that her clients were often individual victims, primarily women, who felt that they had nowhere else to turn for any number of reasons: They didn't have the means to hire a private investigator, law enforcement couldn't help, representatives from the technology companies refused to act, or simply no one believed them. Over the years, Payton's team has handled cases—both for profit and pro bono—including cyberstalking, cyber bullying, data breaches, missing persons, revenge porn, insider threat, and sextortion.
Fortalice Solutions is comprised of engineers and cybersecurity experts, many of whom worked for the federal government prior to joining Payton's firm. Once approached by a client, they begin by asking about their desired outcome (i.e., wiping something off the Internet, erasing their entire online presence, finding the perpetrator, obtaining a restraining order). Then an analyst creates a timeline of events, and maps the perpetrator's methodology—such as whether they were using throwaway phones, fake email addresses, virtual private networks, or malware—in part to ascertain whether the hackers' actions are in keeping with a known individual or group's style (what Payton calls "digital fingerprints"). Finally, they perform a forensic analysis of any data that can be collected, culling information from the contents of the client's and, if they have access to them, the perpetrator's emails, bank statements, social media profiles, and even things like an Apple Watch's fitness tracker, a smart speaker, or a Nest thermostat—anything to establish actions and reconstruct the circumstances surrounding the crime.
Using social media forensics and government-grade open-source digital network intelligence to analyze Carlson's account, Payton's team found that her hackers were located in Pristina, Kosovo, and had accessed her page through an employee's personal Samsung cell phone, which had been infected with malware containing a keystroke logger, making it possible for them to acquire the Southern Fried Chics' Facebook password. According to the Fortalice case report, the hackers created a new password and changed the recovery email address to one from an untraceable email service. Payton and her team were ultimately able to work with personal contacts at Facebook to remove the offensive imagery and reinstate Carlson as the page owner, but there were irreparable consequences nonetheless.
"When you get your company back, you just basically lick your wounds and try to move on from it," Carlson says. "You're damaged and you're damaged forever and you'll never recoup from that. Did we keep going? Yes, we did, but the only reason why we did was because [Payton] was able to get it back."
When questioned about their security measures, a spokesperson from Facebook responded with a boilerplate email to say they "work around the clock to help protect people's Facebook accounts." But Payton doesn't believe that the platform is capable of handling the deluge of individual complaints they receive, especially when ameliorating massive data breaches and privacy violations always takes precedence.
And that's the real crux of the issue—the scale. Although Payton would like to see tech companies and the government at both state and national levels, as well as new and pre-existing non-profits or even hotlines, devote more attention and resources to ending cyber abuse, she's skeptical whether any single entity can shoulder the burden. Dena Haritos Tsamitis, the director and Barbara Lazarus Professor of the Information Networking Institute at Carnegie Mellon University's College of Engineering says that, while legislation such as security-breach notification laws are slowly gaining traction (thanks in part to the headline-making breaches at Equifax, Uber, and Facebook), hackers, whether they are part of organized crime, foreign states, or just bored teenagers, will always be miles ahead, exploiting technologies' vulnerabilities before the companies themselves realize those weak spots exist.
In regards to Carlson's case, Haritos Tsamitis believes that, because the hackers in Kosovo got access to Southern Fried Chics' page through an employee's personal device, Facebook is less at fault than the employee herself for neglecting to use her business phone. She also said that it's unlikely that Carlson could have taken legal action against Samsung or the phone's Android operating system for its susceptibility to malware.
And if it seems like Carlson had little recourse despite the fact that a clear crime was committed and she lost a huge sum of money, consider all the cases Fortalice takes that exist in murkier waters.
The group recently worked a case in which a woman met a man online and carried on several months of conversation with him, including sharing pictures, and, later, agreeing to wire him several thousand dollars. Once she realized it was all a scam, she sought help from both federal and state law enforcement to no avail—they either refused to take action or didn't know how. Only then did she turn to Fortalice. "I am the victim of a romance scam," she told Fortalice. "I am heartbroken and devastated by the actions of my perpetrator." The case was closed, with the client, out of embarrassment, deciding not to press charges. Still, Payton tries to assure all victims that "they have nothing to be ashamed of." When a client is interested in prosecuting their harasser, Fortalice typically hands over any evidence to law enforcement in order to assist with their investigation and prosecution.
Fortalice's case-by-case model is still the only real match for highly individualized situations, especially ones where the abusers are careful to stay on the right side of the law—especially when both tech giants and law enforcement are likely to continue prioritizing the remediation and prevention of large-scale attacks rather than instances involving a sole victim. Although Payton's firm is for-profit (while offering some pro bono work), she hopes to one day open a non-profit or set aside dedicated funding exclusively for female victims without the financial means to afford Fortalice's services.
For now, she and her team may not be able to tackle every cybercrime and cyber abuse case out there, but when victims are otherwise helpless and are left to their own devices, Fortalice will do its best to hit refresh.