Articles by Sean Murray

The Death of A Thousand Financial Companies

Unfortunately, Deleting Your Business May Not Be An Option One Can Risk.

In March 2021, deBanked revealed that 7.5% of DailyFunder’s user base that had existed in March 2020, was lost during the pandemic. DailyFunder, of course, is the most widely used forum for small business finance brokers and the statistic offered one of the most compelling insights into the damage inflicted on the industry.

A loss was defined as a user whose email address ceased to exist. It was either deleted or the domain name was not renewed. It was a startling revelation. And yet, in a sign of optimism, DailyFunder added more new users in that 12 month time frame than were lost.

And yet, is anything ever truly deleted in the digital age? And how did it come to pass that the owners of these companies believed deletion to be a preferable outcome to transference? Surely as a thousand brokerages closed, there would have been an eager buyer to scoop them up, even if the sales price was for pennies?

And so I arrived at a theory, that companies that simply wound up and disappeared rather than sold themselves off, probably left behind a digital footprint that still drew in prospective customers, a path that ultimately led nowhere. A competitor might rejoice at that outcome but it’s not exactly a net gain because that customer may have decided to go somewhere else or nowhere else instead. Someone else’s loss wasn’t their win. Even the customer was a net loser. That could be resolved, of course, if the competition simply acquired the expired domain names of their fallen competitors, something that could be reasonably achieved for the price of ten bucks through any domain name registrar.

Outside of the small business finance industry, such tactics are commonplace. One can simply go on Godaddy’s domain auctions to see the never-ending revolving door of expiring domains which are often ranked and priced on the basis of how much traffic they stand to generate, mainly because of the past owners’ efforts.

According to WhoIsHostingThis, 70% of all web domains fail to be renewed 1 year after they’re purchased. “[41% of these expired domains] go on to be snapped up and registered by other users to potentially benefit and profit from,” they say. And there is nothing controversial about this. This is simply a standard of the world wide web. Your fallen online business is recycled as someone else’s marketing tool.

Applying that math to the small business finance industry at hand, that would mean that of 1,000 brokerage failures, 41% of the expired domain names are going to be acquired by someone else or they already have been. And if the expired domain only costs $10 (and they’re not all this cheap), then theoretically one could acquire the web traffic of 410 failed brokers for roughly $4,000.

WHOA.

The realization led me to conduct a controlled experiment, one in which I would try to prove this theory for a deBanked story.

I bought roughly twenty expired domains, intentionally leaning toward older ones, domains that had been expired for 2-10 years rather than recent casualties of the pandemic. Once completed, I jotted down my hypothesis, that these domain names probably produced some level of prospective customer traffic.

When my experiment concluded, I became alarmed, even sick, over what the results taught me. Deletion, I learned, is an outcome that no business, let alone a financial services company, can afford to surrender themselves to.

Here’s why:

Among the first steps taken was to create a “catch-all” email account on each domain so that if a former owner of a domain came along and tried to contact me, I would get it no matter which address they tried and that I would be able to tell them that I had acquired it accordingly and even tell them my theory!

No marketing or anything was done for any of the domains. I simply acquired them and let them sit stagnant. I did not resurrect whatever their old websites were. And yet, I received thousands and thousands of emails, none from what I could tell were from former owners.

It’s important to state that I did not use these accounts to actually do anything, but that these vulnerabilities came to light by virtue of monitoring the inbound emails these domains accrued.

Some domain names still had control of social media accounts like business facebook pages and twitter accounts. Someone could not only acquire your old domain, but use it to resurrect and use dormant social media accounts, including being able to view all past private correspondence on them. Yikes.

Some domain names were still attached to active bank accounts, credit card accounts, or financial services. Correspondence regarding these accounts was still being transmitted to them. When you delete a domain, you need to make sure its access is revoked from every account you have, especially bank accounts. Some received NSF notices or were being subject to debt collection efforts.

Every domain name was subscribed to newsletters or communities or some service in which one could use to learn personal information or business information about the previous owner.

Unknown but likely is that some of these domains may have been the “lost password” email address of record for other accounts online, a particularly troubling thought.

As the litany of stroke-inducing vulnerabilities piled up, then came live correspondence. Lenders wanted to know where to send a still-owed commission, a borrower was reaching out for customer service, old business partners were trying to rekindle past relationships.

Presumably such domains could give someone access to portals or databases where previous customer data was held. This implies that not only is the old domain owner at risk but that business vendors that had not disabled access to their systems for the defunct users could also be at risk from nefarious actors now in control of email addresses belonging to former customers.

A nefarious actor could surely dream up still more ways to carry out compromising acts. I disabled incoming email altogether for the domains pretty soon into my aforementioned discoveries so that emails to those domains would simply bounce back and indicate to the sender that there’s nobody there anymore.

And my original hypothesis had been blown to smithereens. These domains generated no material web traffic of note, except for probing “bots” instead of human users. What I thought might be a hidden source of web traffic, a clever insight on internet marketing 101, instead turned out to be a glimpse into a business’s worst nightmare.

No matter how much one’s business has failed, control over the domain name should be preserved at all cost, that is unless, all of the above vulnerabilities are addressed first and completely.

Originally, the costs of this journalistic experiment were to be recouped by simply reselling the domains onto the public market for fair market value. Instead, they were simply cancelled, cast back in the sea anonymously, where anyone else could buy them and do whatever they want with them. I, however, made no effort to alert anyone’s attention to them.

The publication of this story was delayed as I, the journalist, had to weigh the merits of disclosing my findings. But as the data says, 41% of expired domains are going to get snapped up anyway. And true to form, I was actually outbid by other unknown buyers by some of the original domain names I had hoped to acquire for my experiment. A financial service company’s domain and all the vulnerabilities with it, were sold to bidders willing to pay $30, $40, or $50+ versus my $10-$20 or so budget. That seems a terrifyingly small cost. And I highly doubt they were journalists.

Perhaps those domains are generating web traffic, but if they’re not, one has to ponder why someone would want to acquire the lapsed domains of so many dead financial service companies. And post-pandemic, there are too many to count.

If the death of a thousand companies has taught me anything, it’s that even business failure needs a well thought-out security plan. Otherwise one risks death by a thousand cuts.

View the magazine issue this story appeared in here