The Big Business of Stealing from Small Businesses
How identity thieves are impersonating companies for financial gain
Facts:
Business identity theft — also known as corporate identity theft — involves the illegal impersonation of a business for financial gain.
Using publicly available information, criminals can use business identities to open card accounts, initiate wire transfers, or commit tax fraud.
Small businesses make appealing targets because they don’t typically have the required security controls in place to detect and deter fraudulent activity.
Unlike consumer credit fraud, the payoff for stolen business credit is huge, often resulting in companies closing their doors and employees losing their jobs.
A Cautionary Tale
Andy Pham was convinced that a mistake had been made.
While updating the business records of the Idaho-based property developer, Pham’s secretary had noticed that something wasn’t quite right: he was no longer the managing member of Caballos De Oro Estates LLC.
The company held five acres that Pham and a group of investors had recently purchased in northwest Las Vegas — for a tidy sum of $4.95 million.
Apparently, someone had logged onto the Secretary of State’s website and removed Pham’s name. The new managing director of Caballos De Oro Estates LLC was James Kalhorn, a Colorado Springs dentist.
Figuring this was all just a misunderstanding, Pham told his assistant to change it back and send Kalhorn a cease-and-desist letter.
Four months later, he received a foreclosure notice in the mail. According to the letter, Kalhorn had moved the Las Vegas property over to another LLC. He then proceeded to borrow nearly $2 million against it, from private lenders. But now that loan was in default and the state of Nevada was about to seize the five acres of land.
Now Pham knew it wasn’t a mistake. It was fraud.
The Larger Scheme At Play
Pham’s story highlights the ease at which a fraudster can overtake legal ownership of a company, wreaking havoc in the process. All it takes is a little knowledge on how to exploit existing systems.
For as little as $10, anyone can masquerade as a business or name themselves director of an existing company. To execute this, bad actors navigate to a local Secretary of State's online portal and begin the process of “requesting changes” to their target company’s official records. These changes can be made in just a few clicks and will be accepted by the state, no questions asked.
Source: Las Vegas Review Journal
Once the records are changed, scammers can easily impersonate their targets to access corporate credit lines and other business assets. In fact, their have been several cases in which thieves used bogus business ownerships to purchase land, cell phones, and luxury vehicles, en masse, before selling these goods for cash. Others have relied on lenders who extend lines of credit and authorize financial transactions with very little scrutiny.
In any event, by the time the rightful business owners realize what happened, it can be too late — leaving them saddled with bad credit or fighting to get their property back.
How It Works
By law, Secretaries of State generally do not have the statutory authority — nor the discretionary power — to review, confirm, or investigate the information provided in business registrations or filings. Instead, their authority is limited to ensuring that the basic requirements have been met, that all submitted forms contain the required information, and that the filing fees have been paid.
Therefore, most states abide by the principle of “good faith filings,” meaning that so long as the aforementioned requirements have been met, the Secretaries of State must accept this information at face value. Thus, making it relatively easy for criminals to manipulate state business registration systems and use them for personal gain.
Source: Joshua Sukoff on Unsplash
Below are four tactics that are commonly employed to impersonate a company via this method:
Tactic#1: Making fraudulent changes to your business registration
For the cost of a small processing fee, — typically $10 to $20 in most states — a thief will attempt to file a fraudulent change of business address and/or remove existing managing directors, owners, or registered agents and replace these names with his own.
By changing your business' registered address or registered agent, the thief then becomes the recipient of important legal notices and statements. This information can be valuable in many ways, including intercepting letters that might have otherwise alerted you to this change.
Alternatively, replacing the company’s executors places the criminal in a perceived position of control over your business' operations — at least as far as outside parties are concerned. Thus, he is able to act on behalf of your company and carry out a variety of illegal activities. Examples include initiating a fraudulent sale of your business assets, opening new business bank accounts or accessing existing ones, taking out generous lines of credit, and conducting business deals in your company’s name.
Tactic #2: Fraudulently reinstating a dissolved, closed, or otherwise dead business
The con artist knows that once a business has been voluntarily or administratively dissolved, it is unlikely that the previous owners will continue to monitor their company registration records. This provides him with a window of opportunity.
As business registration records and current status (active, closed, etc.) are a matter of public record, the thief can do a quick online search for a dissolved company and attempt to reinstate it — without the previous owner’s knowledge. This is done by filing the required forms and paying a corresponding filing fee within the two-year reinstatement period. During this process, the criminal gets to choose whether or not he wants to amend the owner information on file.
Once this is done, the thief will often try to leverage the revived business’ existing credit history to get access to various loans and credit cards. After maxing everything out, he moves on to the next dead company, leaving the former owners to deal with the debt collectors.
Tactic #3: Registering a bogus, out-of-state business
While business registrations are made available to the public, Secretaries of State are prohibited by law from actively sharing this information with other states. The thief knows this and uses this loophole to target a company in one state, before fraudulently registering it in another state as a foreign, or out-of-state, entity.
Again, because of the “no sharing between states” law, a business that is impersonated in this manner will not be notified of the new state it has just been registered in. Therefore, owners will have no reason to suspect that anything is amiss — until they are contacted by unknown creditors or law enforcement.
Using this tactic, the criminal can piggyback on your company’s reputation, business history, and other credentials to engage in fraudulent activities in the state they have registered in.
Tactic #4: Filing under an intentionally similar business name or d.b.a
Occasionally, the criminal will register a company under a name that is deliberately similar to that of a well-established business. Through a slight variation in spelling — such as adding, removing, or abbreviating a word — or changing the entity type (LLC versus Inc.), he can create enough confusion to deceive creditors, financial institutions, and other companies.
Some examples of this might include:
Anderson Petroleum, LLC instead of Anderson Petroleum, Inc.
Williams & Son instead of Williams & Sons
Beringer Company instead of Berhinger Company
Davis Painting instead of Davis Painting & Fabrication
When the similar name is used in conjunction with real, verifiable information — from the legitimate business — the discrepancy can easily be explained away as a minor typographical error. Thus making the con artist’s purchase orders or applications more likely to be accepted.
Take Steps to Protect Yourself
Business identity thieves are creative and clever, quickly taking advantage of business owners who don’t bother taking basic precautions. That said, the following are proactive actions that can help prevent your company’s information from being used to commit fraud:
Enroll in Email Alerts. Many Secretaries of State are beginning to offer free email alerts to notify owners whenever their business registration information has been changed or updated. Enrolling in such a service can provide an early warning of potential fraud. Use your state’s resources page to learn more about the availability of these services.
Regularly review your business registration information online, even if it’s been dissolved. If your Secretary of State does not yet offer email alerts, you can still go to their website and use the "Business Entity Search" function to enter your business name and review the information on file. It’s also good to periodically check any previously closed businesses, to ensure that they have not been fraudulently reinstated.
File your annual reports and renewals on time. In addition to the risk of administrative dissolution of your company for failure to file, business identity thieves will often target companies that are classified as inactive, suspended, in default, etc. Their assumption is that,
if a business doesn't keep up with its basic quarterly or annual business filings, the owners are less likely to notice whether the information on record has been changed. Likewise, the apparent lack of attention-to-detail can give the impression that other forms of fraud may also go unnoticed.
Treat and protect your business EIN as you would your own Social Security number. There are many circumstances in which the business EIN must be provided, such as when applying for business bank accounts, reporting taxes and wages, filing W-9 forms, and so on. However, be aware that thieves can commit numerous business identity fraud schemes with just your business name, address, and EIN. Therefore, just as you would protect your Social Security number, attempt to limit EIN disclosure to only that which is necessary.
Review your business credit reports. While Dun & Bradstreet may be the most recognized source of business verification and commercial credit reporting, the three national credit bureaus — Equifax, Experian, and TransUnion — also provide business credit services. You can obtain copies of your business credit reports from each of these organizations and review them for any suspicious activity. You can also pay these services to actively monitor your business credit file and alert you to any changes.
Final Notes and Updates
Identity thieves tend to prefer businesses over individual consumers because they have deeper pockets and more weak spots to exploit. Small to medium-sized organizations, in particular, are targeted because they often lack the capital to invest in ironclad security measures.
Therefore, it’s important that businesses, both large and small, recognize that the stakes are too high to do nothing. By taking action now and signing up for alerts — as well as implementing multi-factor authentication on all accounts — companies can make it more difficult for malicious actors to infiltrate their organizations.
Useful Resources
If you fall victim to business identity theft:
http://www.businessidtheft.org/VictimAssistance/tabid/90/Default.aspx
To order a credit report:
Equifax https://www.equifax.com/business/business-credit-reports-small-business
Experian https://www.experian.com/small-business/business-credit-reports.jsp
Dun & Bradstreet https://businesscredit.dnb.com
Transunion https://www.transunion.com
Editor’s Note: Have you been affected by fraud? Most people have, in some form or another. If you have a story you would like to share, we’re sure our readers would benefit from hearing it. Please send an email to editor@theconartist.pub detailing your experience, and we will be in touch. Your privacy and any wishes of anonymity will be respected.
Thanks for reading! If you haven’t already, consider joining our community to receive in-depth exposés on the latest scams, hoaxes, and other forms of fraud.