Business identity theft is alive and well

And it can happen to your business.

Criminals do not discriminate – any type of business or organization of any size or legal structure including sole proprietorships, partnerships, LLCs, trusts, non-profits, municipalities and county governments, school districts and corporations are all targets for business identity theft.

What exactly is business identity theft?  First, let’s clarify that we are not talking about an information security breach or an incident involving the loss or theft of confidential consumer information. Rather, business identity theft discussed here involves the actual impersonation of the business itself.

It happens when criminals pose as owners, officers or employees of a business in order to get their hands on cash, credit or loans, leaving the business on the hook to deal with the debt. A favorite tactic of identity thieves involves the theft of the tax identification number (TIN) or employer identification number (EIN) of the company or the owners’ personal information to use that data to open new lines of credit or obtain a business loan based on the company’s identity.

Another common form of business identity theft occurs when criminals file fake documents with the Secretary of State’s office to change company information such as its registered address or the names of directors, officers or managers. Once the records have been changed, the identity thieves can establish lines of credit or new accounts with the false information.

Other examples of the fraudulent use of a company’s information include current or former employees making use of their access to financial documentation; establishing a temporary office space or merchant accounts in a company’s name; going through a business’s trash and recycling bins to find account numbers or other sensitive data; using phishing attacks or other scams to get the business’s banking or credit information from employees; and filing for tax credits with stolen EINs.

Businesses are an attractive target for identity thieves. Generally speaking, a company will have higher credit limits than an individual, so opening a new account or line of credit in a business’s name will yield more cash for a criminal and larger purchases will receive less scrutiny. Perhaps most frustrating, companies are required by law to report certain identifiers (an address, EIN/TIN, and names of directors in most states), meaning the information is publicly available and easily accessible to anyone.

The invoicing and payment terms typically available to businesses can also work against them. Identity thieves may have a window of up to 30 days after a purchase to disappear before a company detects a problem – and even longer if the thieves use a different address.

Unfortunately, business identity theft is an underreported crime for a variety of reasons. Companies often have no idea their identity has been compromised until they begin receiving unfamiliar bills and collection notices when it is already too late to stop the thieves. Government agencies receive frequent requests for changes to company information and an address change is unlikely to raise red flags. Some businesses aren’t paying close enough attention or fail to caution employees about the possibility of phishing scams, while others may be embarrassed or concerned about their reputation with customers and don’t want to report what happened.

Given the underreporting problem, statistics on business identity theft can be hard to come by. However, the Internal Revenue Service (IRS) said it has seen the number of corporate tax returns flagged for potential business identity theft increase exponentially in recent years, from 350 in 2015 to 4,000 in 2016 with a jump to 10,000 in only the first six months of 2017. The cost of the damage has also risen dramatically, from $122 million in 2015 to $268 million the following year and $137 million for just the first half of 2017.

Importantly, these numbers reflect just one of the many forms of business identity scams.

What can companies do to protect themselves? Click here for a checklist of the most important steps for prevention and what to do if your business becomes a victim.

April 12th, 2018|Criminal Activity, Fraud, Security|

FTC files charges against operators of alleged high school diploma mills

The Federal Trade Commission (the “FTC”) filed complaints on February 10, 2016 against two operators of online “high schools” that claim to be legitimate but allegedly are diploma mills, charging anywhere from $135 to $349 for a worthless certificate.

Complaints in both cases filed by the FTC in the U.S. District Court for the District of Arizona charge that the operators bought several website names designed to appear like legitimate online high schools and used deceptive metatags with terms such as “GED” and “GED online” to bring the bogus sites higher in search rankings. Once consumers got to the sites, messages popped up implying that the diplomas offered were equivalent to an actual high school diploma.

According to the FTC’s documents, the “courses” amounted to four untimed and unmonitored multiple-choice tests, requiring that students answer 70% of each test correctly. For some “high schools,” when students failed to meet that standard, they were redirected to the test once more, and this time, the correct answers were highlighted so that the students could change their answers.  Other “high schools” provided students with an online “study guide” that also highlighted the correct answer for students to select when taking the test.

Upon completing the tests, the FTC’s documents charge that consumers were directed to a set of menus to evaluate their “life experiences,” where selecting that he/she knows how to “balance [a] checkbook” translates as credit for accounting coursework.  If a consumer says they “listen to music occasionally,” he/she may be given credit for a music appreciation course.

The FTC’s complaints in both cases point to numerous consumers who sought to use the diplomas to get jobs, apply for college and even join the military, only to find out that their diplomas were not recognized.

February 23rd, 2016|Fraud, Lawsuit|

Do you know about specialty consumer reports?

Credit reports are a part of life, whether applying for a credit card or purchasing a home. But what about specialty consumer reports?

Many people are unaware that dozens of other types of consumer reports exist, filled with information about medical and prescription history, for example, or insurance claims. Specialty consumer reports gather data from a wide variety of sources including information provided by consumers on applications (such as an apartment lease or a wireless phone contract) as well as public documents like criminal records and marriage licenses.

The reports provide information geared for a specific industry. A truck driving company might purchase reports that detail a job applicant’s driving record and motor vehicle insurance claims while an insurer will review a report with claims filed by a homeowner to check an individual’s historic use of insurance policies. Other niche reports provide data on loan balances, information about any bounced checks, and bank account history for lenders; another company tracks consumers’ product returns and will alert large retailers for fraud prevention purposes.

The Fair Credit Reporting Act (the “FCRA”) entitles consumers to one free report per year from any nationwide credit or specialty reporting agency (plus another free report if an adverse action has been taken, or the consumer disputes an item in the report that was corrected).

Recently, consumer rights group Consumer Action focused on the issue of specialty consumer reports in an “Insider’s Guide to Specialty Consumer Reports: A Guide to Obtaining, Understanding and Managing Your Information,” complete with a directory of furnishers. Staffers went through the process of requesting their own reports to help provide information for consumers about the types of reports available and their rights to request reports or correct errors.

Access the Consumer Action guide.

Read the directory of specialty consumer report furnishers.

May 8th, 2015|FCRA, Fraud|

Going global: international background checks

As the business world increasingly goes global, even small or medium-sized companies may have international outposts or employees located beyond the U.S. border. In addition, with security – both physical and digital – an important issue, employers want to know everything they can about their employees.

Many employers are turning to international background checks. But a criminal record or a credit report like those used in the United States can get lost in the translation.

First up: cultural norms. What may seem perfectly routine and acceptable in the United States may confuse or offend those in other countries. For example, things like credit checks and drug tests are virtually unheard of abroad and cultural differences may yield what might by American standards be unusual answers in a personality test. A second important consideration: the law. Just as the U.S. has the Fair Credit Reporting Act (FCRA) and other regulations setting the boundaries of background checks, foreign jurisdictions have their own laws of the land. The French Labor Code, for example, requires that its “works council” review employment screening procedures prior to an employer’s use.

One huge legal complication can be found in the area of privacy law. The European Union imposes restrictions on obtaining information about employees or applicants, the way in which such information can be used, and how the information can be shared or transmitted. To alleviate some of the liability concerns, the U.S. has entered into a Safe Harbor framework with the European Commission, which requires compliance with seven principles of data security. And while the EU leads the pack, other countries (like Australia, Canada, Hong Kong, and Japan) also pose challenges with their strict regulation of privacy.

Having an applicant sign a consent form to release information may be of little help as several EU countries also recognize a presumption against enforcement of such agreements on the basis that employees and applicants have limited bargaining power in the employment context. Alternatively, employers may have better luck by having applicants do the work themselves, providing their own background information to avoid implicating data privacy laws. Of course, this raises authentication and accuracy questions.

The collection of criminal information can also present logistical challenges. Many countries do not have an organized court system, and records, if available, may have to be searched on a regional or town-by-town basis, or at multiple agencies (like the police, the court venue and a government agency, for example). Certain countries offer what is known as a “police certificate” which will confirm the information about an applicant found in police records. Some countries, like Poland, have banned the collection of criminal records altogether; Spain prohibits the possession of records but an applicant could, in theory, show an employer his or her record.

If the screening is being conducted by a consumer reporting agency located in the United States, the FCRA requirements also come into play. International background checks are not impossible, but they do pose a number of legal and cultural risks that can be tackled with the right planning and professional assistance from an experienced background screening company.

February 23rd, 2015|Criminal Activity, Educational Series, Employment Decisions, Fraud|

SEC considers background check rule proposed by FINRA

Financial institutions could face expanded obligations to conduct background screening of applicants for registration pursuant to a rule proposed by the Financial Industry Regulatory Authority (FINRA) to the Securities and Exchange Commission (SEC).

As currently drafted, the National Association of Securities Dealers (NASD) Rule 3010(e), the Responsibility of Member to Investigate Applicants for Registration, provides that a firm “must ascertain by investigation the good character, business reputation, qualifications and experience of an applicant before the firm applies to register that applicant with FINRA,” the regulator explained.

Seeking to “streamline and clarify members’ obligations relating to background investigation, which will, in turn, improve members’ compliance efforts,” FINRA proposed the addition of background checks to the Rule for the SEC’s consideration.

The change would mandate that firms verify the accuracy and completeness of the information in an applicant’s Form U4 (Uniform Application for Securities Industry Registration or Transfer) for first-time applicants as well as transfers. Written procedures for conducting the background check – including a public records search – must also be established.

While the rule is prospective, FINRA announced that it would take a look at currently registered representatives. The financial regulator intends to begin its efforts with a search of all publicly available criminal records for the roughly 630,000 registered individuals who have not been fingerprinted within the last five years; going forward, FINRA will periodically review public records “to ascertain the accuracy and completeness of the information available to investors, regulators and firms,” the agency said.

To read the Federal Register notice: click here.

December 3rd, 2014|Fraud, Risk Management|

Pennies add up to $18.7 million in allegedly illicit gains

A bit different from the billion dollar frauds that frequently made the headlines in the years past, a complaint filed on October 5, 2014 by the justice department in the federal district court in Manhattan accuses two former New York brokers of securities fraud and conspiracy for secretly adding a few pennies to the cost of securities trades they processed to generate $18.7 million in gains. The SEC also filed civil charges against the men, and added another broker as a defendant. The SEC’s complaint alleges that from at least 2005 through at least February 2009, the defendants perpetrated the scheme by falsifying execution prices and embedding hidden markups or markdowns on over 36,000 customer transactions. According to the SEC, the defendants charged small commissions—typically pennies or fractions of pennies per share; the scheme was devious and difficult to detect because they selectively engaged in it when the volatility in the market was sufficient to conceal the fraud. One of the defendants, who was in charge of entering the prices into the trading records and playing a critical role by controlling the flow of information, already pleaded guilty to securities fraud and conspiracy.

October 15th, 2014|Criminal Activity, Fraud|

FTC halts high school diploma mill

As the request of the Federal Trade Commission (the “FTC”), on September 16, 2014, the U.S. District Court for the Southern District of Florida imposed a temporary restraining order to halt the business operations of Diversified Educational Resources, LLC (DER), and Motivational Management & Development Services, Ltd. (MMDS), and freeze their assets. The FTC’s lawsuit seeks a permanent injunction to stop the defendants’ deceptive practices and to return ill-gotten gains to consumers, which according to a preliminary review of bank records referenced in the lawsuit were more than $11,117,800 since January 2009.

The complaint alleges that the defendants violated the FTC Act by misrepresenting that the diplomas were valid high school equivalency credentials and that the online schools were accredited. The FTC charges that the defendants actually fabricated an accrediting body to give legitimacy to their diploma mill operation. DER and MMDS allegedly sold the diplomas since 2006 using multiple names, including jeffersonhighschoolonline.com, jeffersonhighschool.us, enterprisehighschool.us, and ehshighschool.org, which purport to describe legitimate and accredited secondary school programs such as “Jefferson High School Online” and “Enterprise High School Online.” The websites claim that consumers can become “high school graduate[s]” and obtain “official” high school diplomas by taking an online exam and paying between $200 and $300. In numerous instances, consumers who attempt to use their Jefferson or Enterprise diplomas to enroll in college, enlist in the military, or apply for jobs are rejected because of their invalid high school credentials.

September 19th, 2014|Employment Decisions, Fraud, Lawsuit|

The SRA issues warning about a fake website

The Solicitors Regulation Authority (the “SRA”) in the United Kingdom issued a bulletin that it received a report that a website “dovernorchambers.com is operating which refers to the firm Dovernor Chambers” and that the wording on the website appears to have been cloned from the websites of genuine law firms without their knowledge or consent. The SRA says that it is identifying a new fake law firm on an almost daily basis. Some scammers reportedly are stealing a law firm’s entire web page, and then changing the contact information to redirect traffic elsewhere.

September 19th, 2014|Fraud|

Insider trading enforcement actions continue as SEC’s top priority

Illegal insider trading generally occurs when a security is bought or sold in breach of a fiduciary duty or other relationship of trust and confidence while in possession of material, nonpublic information. In recent years, the SEC has filed insider trading cases against hundreds of entities and individuals, including financial professionals, hedge fund managers, corporate insiders, attorneys, and others. In 2014, examples of noteworthy cases include enforcement actions against the following:

Two husbands on March 31, 2014 – In two unrelated cases, the SEC charged two men with insider trading on confidential information they learned from their wives about Silicon Valley-based tech companies. Each agreed to financial sanctions to settle the charges.

Stockbroker and law firm clerk on March 19, 2014 – SEC charged two individuals who were linked through a mutual friend, with insider trading for $5.6 million in illicit profits based on nonpublic information that the clerk obtained by accessing confidential documents in law firm’s computer system.

Wall Street investment banker on February 21, 2014 – SEC charged an investment banker with making nearly $1 million in illicit profits by insider trading in a former girlfriend’s brokerage account to pay child support.

Chicago-based accountant – SEC charged an accountant with insider trading ahead of the release of financial results by the company where he worked. The individual made more than $250k in illicit profits.

May 14th, 2014|Fraud|

Supreme Court ruling extends SOX whistleblower protection to private contractors

On March 4, 2014, the Supreme Court in a split decision ruled that employees of private companies servicing public companies are covered by the whistleblower protections of Sarbanes Oxley Act of 2002 (“SOX”) [U.S., No. 12-3, 3-4-14]. In this case, two employees of a private company contracted by a publicly-traded mutual fund alleged that they were terminated in retaliation for raising fraud issues about the fund. With this decision, the Supreme Court has expanded the universe of companies regulated by the SOX whistleblower provision from about 5,000 public companies to potentially millions of private ones, including the smallest of businesses. Employers of every size and type have to be prepared for potential SOX whistleblower retaliation claims if they are a contractor or subcontractor of a publicly traded company.

March 29th, 2014|Educational Series, Fraud, Judgment|