Tristan Huntington vividly remembers when he and the rest of his team at TextNow realized their free calling-and-texting app was being abused. It was 2011 and their Waterloo, Ont.-based startup was still small, with fewer than 10 employees.
TextNow had been started two years earlier by Derek Ting and Jon Lerner, two computer engineering students at the University of Waterloo, as a way to get around what they saw as usurious Canadian wireless rates. Their app let users make calls and send texts for free while connected to WiFi.
It was becoming something of a viral hit, attracting thousands of legitimate users. But then the fake accounts came flooding in. Encouraged by the easy sign-up process, scammers were piling in to grab the free phone number supplied by the app, which they then used for all manner of online schemes.
“It definitely wasn’t a positive reaction,” Mr. Huntington says, referring to internal sentiment at the company at the time. He has been with the company since 2011 and is currently its core product director.
“The first time you realize someone is using a product you built for some purpose that you never intended, it’s very disappointing. And then there’s an immediate realization that you have to do something about it.”
The predicament highlights the often inevitable reality that many technology startups face at some point in their evolution – that eventually, some people somewhere are going to figure out how to use their creations for unintended purposes.
In some cases, such developments turn out to be fatal for a business. In other cases – as in TextNow’s – they result in additional costs and a necessary pivot in mentality.
For his part, the flood of fake accounts meant Mr. Huntington effectively began working two jobs. By day, he would deal with TextNow’s regular operations. When he went home in the evening, he’d try to identify and manually delete fraudulent sign-ups.
“That was my night job – scam prevention,” he says. “It was a daily task.”
A good example of one of these scams is highlighted by The New York Times writer Mike Isaac in his 2019 book Super Pumped: The Battle for Uber, which details the history of the now-ubiquitous ride-hailing app.
In 2015, as part of its expansion into China, Uber was handing out free ride credits to users who referred the app to others who weren’t yet signed up. Some enterprising individuals figured out a two-step scheme to take advantage, which inadvertently drew in TextNow and other similar internet calling services.
First, the users created multiple fake names and e-mail addresses. Then they referred themselves through those addresses and made multiple, numerous Uber accounts using stolen credit card numbers. By doing so, they racked up ride credits for the referrals.
The key to creating those multiple accounts was unique phone numbers, which Uber requires – then and now – for a new sign-up. To get those, scammers used apps such as Burner and TextNow.
At the time, TextNow employees were still manually sorting though sign-ups. The company was also growing, having secured a wholesale deal with Sprint in 2013, which allowed it to offer paid services over the carrier’s wireless network in the United States alongside its regular free calling-and-texting option.
The company currently has 117 employees, with offices in Waterloo, San Francisco and Seattle, and says it had 14 million active monthly users in January.
Along the way, the waves of fake accounts forced the company to take fraud prevention seriously. TextNow brought on dedicated staff and now has four to five engineers working on fraud at any given time.
The company also subscribed to a number of third-party tools designed to fight abuse. Artificial intelligence and machine learning offered by the likes of Google, Amazon and Apple have become vital in helping to analyze account data, including IP address, time of day, location and the type of device being used. They help save manpower hours by automatically detecting many fraud attempts.
Industry observers say many technology companies – from the Ubers and Twitters of the world to the likes of TextNow – inevitably go through similar cycles, where they first pursue the rapid addition of new users before fraud and security concerns force them to alter course.
“These great ideas are always great ideas until they scale,” says Aimée Morrison, an associate professor at the University of Waterloo who specializes in digital media. “Companies inadvertently drag themselves into messes because they’re not actually really thinking what is the trade-off between fast sign-ups and verified users.”
Samer Bishay, president and chief executive of Toronto-based wholesale telecom services provider Iristel, recalls similar fraud attempts when he launched Sugar Mobile in 2016. That service worked much like TextNow, in that it offered free calling and texting over WiFi.
“The minute we provide a free service, then absolutely we’re going to run into the same issue,” he says.
As a wholesaler, Iristel provides about 6.5 million phone numbers to a host of customers and companies operating in Canada, including many internet apps that incorporate calling features.
The best way for many of these apps to avoid fraud, Mr. Bishay says, is to incorporate a billable component that requires new users to input home addresses or credit card numbers.
Some tech companies, however, choose to forgo that process in favour of making it easier for people to sign up, even if that invites abuse.
“It helps them go viral faster,” he says. “It’s crazy, but that’s the world we live in.”