The Art of Getting Rich by Stealing Pennies
How scammers used virtual business services to commit large-scale fraud
Facts:
One of the many twists in business identity theft schemes is something called transaction laundering, or “factoring”.
Transaction laundering occurs when criminals mimic a legitimate business by using their credentials to set up a fake company.
From there, they can apply to various payment processing merchants and get approved to authorize transactions — often using stolen credit cards — for non-existent products and services.
The high demand for payment processors has created an expectation of instant onboarding and fast turnaround times for businesses, making it difficult for these companies to monitor the transaction portfolios of their clients.
Because of this, laundering operations often go undetected for long periods of time, making it a profitable endeavor for criminals.
A Cautionary Tale
In an elaborate, decade-long scam, a gang of unknown thieves stole nearly $10 million by authorizing micro charges on more than a million credit and debit cards. The fraudulent charges, however, went unnoticed by 90 percent of the card owners.
By only processing a single small transaction — ranging from 20 cents up to $10 — per card, the thieves were able to bypass fraud detection algorithms and quickly cash out the stolen funds.
How were they able to process over a million cards in the first place? By mimicking legitimate U.S. companies.
To do this, the criminals obtained the federal tax IDs of several businesses and set up bogus companies with nearly identical names. They then used a service called Regus to establish addresses in the same building as the companies they were impersonating. Regus lets businesses operate "virtual offices" out of a number of prestigious addresses — such as the Chrysler Building in New York — for as little as $59 per month. Any mail sent to these virtual offices was then forwarded to another company, Earth Class Mail, which scanned the mail and sent it to the criminals via email.
But faking an address wasn’t enough. The gang also employed a virtual phone service to have phone calls forwarded to their overseas location — in addition to setting up legitimate-looking retail websites.
Source: Erik Mclean on Unsplash
With everything in place, the criminals began applying to dozens of payment processors. When asked to provide additional information on the identities of the companies’ executives, they handed over legitimate names and social security numbers that had been used to register their fictitious businesses.
To get their money out of the U.S., the thieves had to recruit money mules. These mules were U.S. residents who were looking for work via sites like Indeed, Craigslist, or LinkedIn. Operating under the impression that they were helping offshore businesses, the unsuspecting new hires opened bank accounts and helped the fraudsters move money offshore.
Once approved by payments processors, the bogus companies were able to charge consumer credit and debit cards, which had been purchased from online carder forums and black market websites. The funds were then sent to the money mules and transferred overseas.
When the charge showed up on a consumer’s monthly bill, it was paired with a merchant name and toll-free phone number. But anyone who tried calling to dispute the charge received an automated voicemail recording saying the number had been disconnected. Or, in some cases, instructing them to leave a detailed message.
The calls, of course, were never returned.
The Larger Scheme At Play
By taking advantage of modern technology and business convenience services, criminals can disguise their location and execute their scams from anywhere in the world. To be clear, these services are entirely legal and, more often than not, are used for their intended purposes by millions of consumers and businesses each day. However, like any other service, they can also be exploited and abused for illegal purposes.
Regardless of where they live, thieves can set up virtual shop at any U.S. location, using information easily obtained through a quick Google search. In this manner, they are able to give their fictitious businesses an air of authenticity and can piggyback on another company’s reputation and financial history to steal large sums of money.
How It Works
The way this scheme typically plays out is best depicted by the aforementioned story; however, the part where criminals make use of widely-available “business conveniences services” deserves a closer look. Therefore, the following tactics have been broken down to show how these con artists commit their crimes, while hiding their true identities and making their online activities appear legitimate:
Resource #1: Virtual Office Services
A virtual office is a physical location — and corresponding mailing address — that is shared by many businesses. However, no one from these businesses actually works at the virtual office, as it is primarily used to receive mail. The virtual service provider may offer a wide range of services, including a receptionist to greet visitors or take phone messages, mail forwarding and fax services, remote check deposits, and even a conference room for occasional client meetings. In order to use these services, one must subscribe and pay a monthly fee.
Virtual office services are popular among companies that need to establish an out-of-state presence; those who desire a well-known street address — like Pennsylvania Avenue or Wall Street — but can’t afford to rent at such locations; employees and freelancers that work remotely; and small businesses that want to appear more professional, without the expense of renting a complete office suite.
Business identity thieves and fraudsters also use virtual offices for these same conveniences, but with more nefarious purposes in mind.
Case-in-point: A local "office" address and telephone number can be quite useful in scams, especially when there’s a professional receptionist to add more legitimacy to the ruse. Regular mail forwarding allows scammers to receive important documents anywhere in the world, while remaining physically outside the jurisdiction in which they plan to perpetrate their fraud. And because most of these services can be rented almost immediately over the phone or online, criminals can set this up rather anonymously.
Resource #2: Virtual Telephone Services
VoIP (Voice over Internet Protocol) phone services have become very popular in recent years, as they allow anyone with an internet connection to place and receive calls. In fact, many consumers and businesses alike have switched from traditional telecom companies to VoIP services because they are highly cost-effective.
Another advantage of VoIP is that it allows users to obtain phone numbers in any area code of their choosing, regardless of actual location. This feature is helpful for companies that want to give the appearance that they are a local service, even if they operate in another state or a different country. For example, if a business is located in New York but has a large number of customers in New Jersey, it can obtain numbers in both states. Therefore, even though its offices are physically in New York, the company can use its New Jersey number to communicate with New Jersey customers and vice-versa.
Criminals are prone to using virtual phone services for the same reason. Overseas scammers, in particular, benefit greatly from this technology, as it allows them to expand their operations to anywhere in the continental U.S. In other words, it doesn’t take much for a Nigerian “Prince” to set up a local number in Chicago and make bogus calls to prospective victims in that area.
Some virtual phone services also allow users to customize what shows up on the receiver’s caller ID. This can, of course, be used by scammers to impersonate credit card companies, the IRS, the FBI, whatever organization best serves their malicious purposes. Having such a tool at their disposal, thieves can easily trick unsuspecting targets into revealing credit card information, PIN numbers, social security numbers, and other sensitive information. Alternatively, this technology can be used to spoof the number of a legitimate company in order to open new merchant accounts or to access existing ones.
Resource #3: Disposable Phones
In addition to VoIP services, criminals may also purchase disposable (pre-paid) cell phones to carry out their schemes. These can easily be bought online or with cash in-store, registered under a deceptive name, then used to contact unsuspecting victims or to set up bank and payment processing accounts. Such phones can be extremely difficult for law enforcement to trace, especially since criminals often throw them away after the scam is complete.
A good example of this is when a group of cybercriminals purchased a cell phone and registered it under the name "Georgia Powers" — after a well-known utility company, Georgia Power. In doing so, whenever the thieves placed a call, this name was displayed on the victim's caller ID. Over a five-month period, 86 people were tricked into believing that their bills were overdue and that their electricity would be cut off if they didn't make immediate payment. In response, these victims willingly disclosed their credit card numbers and other personal information to the criminals, which were later used to make fraudulent online purchases.
Resource #4: Websites and the Internet
Before you navigate to a company’s webpage and say, "Wow! That's a great looking website. These guys must be legit," consider the fact that anyone can build a website quickly and easily, and for very little cost. In fact, there are many companies, like Squarespace and Wix, that offer easy-to-use templates so that users can create eye-pleasing, basic websites in a matter of minutes.
Criminals routinely use these turnkey solutions as “fronts” to lure in their targets. To add an additional layer of credibility, they often place hijacked business confidence marks somewhere on these sites.
Confidence mark n.: a mark that indicates that a business has been vetted or verified, in some way, by the organization issuing the mark. These are commonly displayed on websites to show consumers that the company is a credible organization to do business with.
These stamps of approval can easily be copied and pasted onto fraudulent websites, giving visitors a false degree of confidence that they can go ahead with business as usual. Some criminals even go as far as to embed a link on the confidence mark that, if clicked, will direct the visitor to a bogus verification page.
Long story short, all of these resources can be combined to create a very convincing fake company, both for consumers and merchants alike.
Take Steps to Protect Yourself
Below are some preventative measures you can take to keep your company and personal data from being used in these kinds of schemes:
Carefully review and reconcile account statements as soon as you receive them. Contact your creditor if you discover any unrecognized or fraudulent activity, no matter how small. Keep in mind that a common criminal tactic is to make small purchases on a compromised card — typically below $10 — and wait to see the transaction is noticed before moving on to larger purchases.
Ask trade and credit references to notify you if they are contacted. If your business provides or maintains a list of trade or credit references, request each one to notify you if they are contacted by a third party. Business identity thieves often leverage a business' trade and credit references to impersonate their target or to submit merchant account applications. They may also contact your business' suppliers — often posing as an employee — in order to request detailed account and payment information, which can later be used to make purchase orders or to engage in fraudulent business dealings.
Export and delete all information from web applications associated with expiring domain names. If your business owns a domain name that it does not plan to renew, be sure to delete any information in connected apps before allowing the domain to expire. These may include Gsuite, third party email services, calendars, etc. Known security vulnerabilities can allow anyone who later purchases the domain to access the applications associated with it — giving them full access to various email accounts, passwords, contacts, and other online account credentials.
Use Google Alerts or a similar service for online monitoring. Because thieves can easily impersonate your business in other states or online, a simple way to combat this is to use a free monitoring service like Google Alerts. Rather than taking time away from your business to actively conduct searches for these imposters, Google Alerts allows you to quickly set and receive email alerts for search results and news stories that match terms you specify, such as your business name.
Protect your information from the Whois database with domain privacy services. Thieves, scammers, and spammers frequently utilize the public Whois database, which provides them with details on the registered owner of any website — including name, key contacts, address, email, and phone number. This information can be used in a variety of scams and also for spam email. Therefore, if your business maintains a website, consider opting for a domain registration privacy service. These services replace your business information in the Whois database with their own. You still retain full ownership and control of your company’s domain, but your information is better protected from prying eyes.
Be alert for impostors on the web and in the phone book. Common tactics used to impersonate a business — in order to steal customers or intentionally defraud them — range from hi-tech to low-tech. Some cybercriminals will attempt to lure in your business prospects and existing customers through phishing email scams or phony websites that look just like yours. Other business imposters will use company details to establish accounts on social networking sites like Facebook or LinkedIn. These bogus social profiles can include your business' logos, images, and information, but provide alternate contact details. Likewise, yellow page listings with deceptively similar business names are a low-tech, low-cost tactic employed by criminals to trick clients and prospects into calling the imposter company. Not only does this cause your business to lose revenue, it also damages your company's brand and reputation — as your information was used to commit the fraud.
Final Notes and Updates
The cost of transaction laundering goes far beyond the billions lost in merchandise, as it forces businesses to spend vast sums of money hiring security experts and setting up protective infrastructures. Meanwhile, consumers can issue chargebacks for fraudulent transactions in just a few clicks and banks have to replace stolen credit cards all too frequently. Needless to say, the ripple effect of these crimes creates a drag on economic activity.
What’s even more frustrating is that these thefts go largely unreported to law enforcement, which means no investigation and no punishment for the perpetrators. Most large corporations often don’t report them because it reflects badly on their brand. Cardholders also don’t file reports because their banks immediately void bogus charges.
Meanwhile, the ones who do get hurt are small businesses — and their risk goes back to the early days of ecommerce:
When banks and credit card companies were unwilling to approve payments over the Internet, big retailers stepped up. They saw the potential of online sales and accepted the liability, in exchange for being able to tap a new and powerful sales channel. And while fraudulent orders were more obvious back then, — with non-matching billing and shipping addresses, among other giveaways — these days, criminals are more sophisticated. An order from a Texas resident’s credit card can be routed through a computer in Texas so that it won’t trigger a security alert, and the owner of that hacked computer in Texas will never know. Days later, when the owner of the Texas credit card disputes the fraudulent charge, the payment is reversed and the merchandise is lost.
Large retailers, like Amazon, have advanced detection systems that minimize these kinds of fraudulent transactions. But if these systems fail, the company can easily absorb the costs and continue to conduct business as usual.
Small businesses, on the other hand, don’t have that luxury. If a company ships out $3,000 of merchandise for an order made with a stolen credit card, law enforcement won’t even bother pursuing the thief. Why? Because the cost of the investigation often outweighs the value of what was stolen. So, when the charge gets reversed a few days later, the small business has no choice but to absorb the loss and the “chargeback fee” from the credit card processing company. If this happens often enough, the owner will eventually go out of business.
Therefore, until the public begins pushing for a solution to this multibillion-dollar problem, the current state of the industry will continue to defeat the “little guys” and allow cybercriminals to get away with millions of fraudulent transactions.
Useful Resources
To report a fraud:
https://www.ic3.gov/default.aspx
Checklist for victims of business identity theft:
http://www.businessidtheft.org/VictimAssistance/tabid/90/Default.aspx
To be alerted to mentions of your business online:
Example of a domain registration privacy service:
https://www.namecheap.com/security/whoisguard
To order a credit report or to place a freeze on your credit:
Equifax https://www.equifax.com
Experian https://www.experian.com
Transunion https://www.transunion.com
Dun & Bradstreet https://businesscredit.dnb.com
Editor’s Note: Have you been affected by fraud? Most people have, in some form or another. If you have a story you would like to share, we’re sure our readers would benefit from hearing it. Please send an email to editor@theconartist.pub detailing your experience, and we will be in touch. Your privacy and any wishes of anonymity will be respected.
Thanks for reading! If you haven’t already, consider joining our community to receive in-depth exposés on the latest scams, hoaxes, and other forms of fraud.