Security

Bust Out Fraud: When a Legitimate Business Is Turned Into a Weapon

Bust‑out fraud is one of the most damaging forms of business fraud. Unlike schemes that rely on fictitious companies or obviously forged documentation, bust‑out fraud exploits real businesses with real credit histories, turning legitimacy itself into the fraudster’s most powerful tool.

We recently found records involving a bust‑out scheme while performing research in connection with a commercial lending transaction. While the specific circumstances are confidential, the pattern was familiar and increasingly common across industries.

What Is Bust‑Out Fraud?

Bust‑out fraud occurs when an individual or group gains control of an existing business, builds or exploits its creditworthiness, and then rapidly incurs debt with no intent to repay. Once the credit is exhausted, the perpetrators disappear, leaving lenders, vendors, and partners with the losses.

What makes bust‑out fraud especially dangerous is that it often looks like normal business activity, until it’s too late.

How Bust‑Out Fraud Typically Works

A classic bust‑out scheme unfolds in recognizable stages:

  1. Acquisition or Control
    The fraudster purchases a business, installs themselves as an officer, or otherwise gains operational control, sometimes through seemingly legitimate mergers, management changes, or filings.
  2. Quiet Period / Credit Grooming
    For months (or longer), the company operates normally. Bills are paid on time. Credit limits may even be modestly increased. The goal is to reinforce trust.
  3. Rapid Credit Expansion
    Once confidence is established, the business applies for additional loans, vendor credit, leases, or financing, often simultaneously and across jurisdictions.
  4. Cash‑Out Phase
    Assets, inventory, or loan proceeds are diverted. Payments suddenly stop. Executives resign or become unreachable.
  5. Collapse
    The company folds, files for bankruptcy, or simply goes dark, leaving creditors scrambling to unwind what happened.

Real‑World Examples of Bust‑Out Fraud

While every scheme differs in execution, the following examples illustrate common variants.

  • Example 1: The “Too Smooth” Acquisition

A mid‑sized services firm is acquired by a new holding company. The new leadership keeps existing staff and contracts in place, pays vendors promptly, and even invests modestly in marketing. Within a year, the company secures multiple six‑figure credit lines, followed by a sudden wave of equipment purchases and short‑term loans. Three months later, the business defaults across the board and leadership vanishes.

  • Example 2: Vendor Credit Exploitation

A long‑standing distributor with excellent payment history begins placing unusually large orders with multiple suppliers at once, negotiating extended terms. The inventory is resold quickly, often below market, to generate immediate cash. Vendors discover the fraud only after invoices go unpaid and bankruptcy filings appear.

  • Example 3: Identity Leverage Across Borders

A legitimate company with international operations is acquired by new principals. Corporate records are updated in multiple jurisdictions. The firm then secures financing in countries where credit checks rely heavily on corporate registration rather than beneficial ownership. The debt accumulates rapidly and enforcement becomes complicated once the entity dissolves.

Why Bust‑Out Fraud Is Hard to Detect

Bust‑out fraud often evades traditional fraud controls because:

  • The business already exists
  • Credit histories appear legitimate
  • Documentation is often technically correct
  • Early behavior reinforces trust rather than raising alarms

In many cases, the change in intent, not the change in structure, is what transforms a normal business into a fraud vehicle.

Final Thoughts

Bust‑out fraud exploits legitimate businesses and may remain concealed without thorough due diligence. In this instance, background screening identified prior involvement by the loan applicants in a bust‑out scheme, underscoring the value of a risk‑based review in identifying fraud risks before material exposure occurs.

 

Disclaimer: This communication is for general informational purposes only and does not constitute legal advice. The summary provided in this alert does not, and cannot, cover in detail what employers need to know about the amendments to the Philadelphia Fair Chance Law or how to incorporate its requirements into their hiring process. No recipient should act or refrain from acting based on any information provided here without advice from a qualified attorney licensed in the applicable jurisdiction.

Digital Spring Cleaning

Spring is traditionally a time when people do a deep cleaning of their homes. Have you thought about taking this one step further and doing a digital security deep clean? We recommend reviewing at least every quarter to minimize the risk of identity theft. Here are four steps to get you started to protect your personal data. 

  • Change your passwords. Your company probably automatically asks you to switch passwords every 4-6 weeks. But when is the last time you changed your passwords on your personal social media accounts, subscriptions, or places you shop? You should consider updating these passwords, too. In fact, old passwords can be easy ways for hackers to steal your identity. Delete old accounts you no longer use. You might be surprised to find that some of those are decades old with easily guessed passwords. When you choose your new passwords, do not repeat them across various accounts. You’re just making it easier to get hacked.
  • Review your social media accounts. Have you been cloned on Facebook, Instagram, or other social media platforms? Take a moment and search for yourself on these sites and see if you appear more than once. Don’t wait for your friends to send you a text saying, “I just got a friend request from you, but we’re already friends.” If you’ve been cloned, report it and change your passwords.
  • Avoid oversharing. Think twice before you overshare information or play a social media game that asks you to list personal information about yourself. These simple activities are ways that hackers gather your data. The latest high-risk trend is sharing a picture of your COVID vaccination record with your full name and date of birth clearly visible. Instead, consider sharing a photo of an “I got vaccinated” sticker. 
  • Have you been hacked? A cybersecurity FBI agent once told me, “It used to be a case of not if, but when you’ve been hacked. Now it’s a case of you’ve been hacked, and you either know it or don’t know it yet.” HaveIBeenPwned is one of several free sites where you can check if you’ve been caught up in a security breach.

These four steps will help you do a simple yet effective spring cleaning of your digital presence and protect your online identity. 

March 18th, 2021 | Categories: Risk Management

The legalities of monitoring employees online

As a general principle, employers are legally permitted to monitor their employees online during business hours. Keeping a close eye on workers can help maintain company confidentiality, limit workers from surfing the web on company time and ensure the prevention of harassment.

But such monitoring does come with caveats, as well as risks.

For example, screening employee email on the employer’s network may be permissible but may require advance notice. In states such as Connecticut and Delaware, laws are in place that require employers to provide prior notice before electronically monitoring employees. A union contract may also place certain limits on monitoring and public-sector employees may have some rights under the Fourth Amendment with regard to unreasonable search and seizure.

Federal law can also come into play. Although the Electronic Communications Privacy Act (ECPA) generally prohibits the monitoring of electronic communications, it contains a “business purpose exception” that permits employers to monitor the electronic communications of workers if the company has a “legitimate business purpose.” The statute also allows monitoring with consent and many companies do this by including such permission as part of the onboarding process for new employees before granting access to the company’s networks or systems.

Another wrinkle: third-party communications. States such as California and Illinois mandate that all parties to a communication provide consent to its interception in transit. For employers, that means providing notice to recipients of employee emails and obtaining their consent before scanning a message from a friend or third party. Many companies post a notice on the company’s website and/or include a statement in employee emails that all messages are subject to monitoring and any response implies consent with the employer’s practices.

Even with all these issues, monitoring emails may be more straightforward than focusing on employee social media accounts. The Stored Communications Act (SCA) addresses the situation of accessing electronic communications stored by a provider (such as Gmail or Microsoft), as distinct from an employer accessing emails on its own system. Under the SCA, employers can be liable for the unauthorized access and disclosure of electronic communications in storage on corporate servers of a provider.

Further, roughly half the states ban employers from either requiring or requesting a worker to verify a personal online account like a Facebook profile, blog or Instagram or to log on to their social media account. While technology is available for employers to get around these laws (using keystroke logging software, for example, or taking screenshots), some of the information being monitored by an employer could itself be protected – such as union organizing activities under the National Labor Relations Act, attorney-client communications or in some states, geolocation data.

Mobile devices add another layer to the analysis. For workers using employer-provided mobile phones or devices, the employer has the right to legally monitor use from contact lists to photos and videos to Internet visits and emails. As for bring-your-own-device (BYOD) situations, the terms are generally dictated by the employer’s BYOD policy, but this is an emerging area of law and therefore murky.

All of these legal considerations are centered in the United States. Companies that operate outside the U.S. borders will have international law to contend with as well, notably the European Union General Data Protection Regulation (GDPR) and regulations found in its member states. As a general matter, EU law and the GDPR offer employees a greater level of privacy than that found in the United States. Last year, the EU’s highest court did rule that companies can monitor employee email – if workers are notified in advance.

Perhaps most importantly, employers should recognize that like all things related to technology, the legalities of monitoring employees online are constantly evolving. Being able to adapt to changing laws, regulation and technology will keep employers on their toes.

May 4th, 2018 | Categories: Employment Decisions

Business identity theft is alive and well

And it can happen to your business.

Criminals do not discriminate – any type of business or organization of any size or legal structure including sole proprietorships, partnerships, LLCs, trusts, non-profits, municipalities and county governments, school districts and corporations are all targets for business identity theft.

What exactly is business identity theft?  First, let’s clarify that we are not talking about an information security breach or an incident involving the loss or theft of confidential consumer information. Rather, business identity theft discussed here involves the actual impersonation of the business itself.

It happens when criminals pose as owners, officers or employees of a business in order to get their hands on cash, credit or loans, leaving the business on the hook to deal with the debt. A favorite tactic of identity thieves involves the theft of the tax identification number (TIN) or employer identification number (EIN) of the company or the owners’ personal information to use that data to open new lines of credit or obtain a business loan based on the company’s identity.

Another common form of business identity theft occurs when criminals file fake documents with the Secretary of State’s office to change company information such as its registered address or the names of directors, officers or managers. Once the records have been changed, the identity thieves can establish lines of credit or new accounts with the false information.

Other examples of the fraudulent use of a company’s information include current or former employees making use of their access to financial documentation; establishing a temporary office space or merchant accounts in a company’s name; going through a business’s trash and recycling bins to find account numbers or other sensitive data; using phishing attacks or other scams to get the business’s banking or credit information from employees; and filing for tax credits with stolen EINs.

Businesses are an attractive target for identity thieves. Generally speaking, a company will have higher credit limits than an individual, so opening a new account or line of credit in a business’s name will yield more cash for a criminal and larger purchases will receive less scrutiny. Perhaps most frustrating, companies are required by law to report certain identifiers (an address, EIN/TIN, and names of directors in most states), meaning the information is publicly available and easily accessible to anyone.

The invoicing and payment terms typically available to businesses can also work against them. Identity thieves may have a window of up to 30 days after a purchase to disappear before a company detects a problem – and even longer if the thieves use a different address.

Unfortunately, business identity theft is an underreported crime for a variety of reasons. Companies often have no idea their identity has been compromised until they begin receiving unfamiliar bills and collection notices when it is already too late to stop the thieves. Government agencies receive frequent requests for changes to company information and an address change is unlikely to raise red flags. Some businesses aren’t paying close enough attention or fail to caution employees about the possibility of phishing scams, while others may be embarrassed or concerned about their reputation with customers and don’t want to report what happened.

Given the underreporting problem, statistics on business identity theft can be hard to come by. However, the Internal Revenue Service (IRS) said it has seen the number of corporate tax returns flagged for potential business identity theft increase exponentially in recent years, from 350 in 2015 to 4,000 in 2016 with a jump to 10,000 in only the first six months of 2017. The cost of the damage has also risen dramatically, from $122 million in 2015 to $268 million the following year and $137 million for just the first half of 2017.

Importantly, these numbers reflect just one of the many forms of business identity scams.

What can companies do to protect themselves? Click here for a checklist of the most important steps for prevention and what to do if your business becomes a victim.

April 12th, 2018 | Categories: Commercial Transactions Due Diligence

California’s A.B. 1710 enhances privacy protections for sensitive personal information

Effective January 1, 2015, A.B. 1710 amends California’s breach notification, security procedures, and Social Security number (SSN) laws, generally outlined as follows:

  • provides that existing personal information data security obligations apply to businesses that maintain personal information, in addition to those who own or license the information;
  • provides that if the person or business issuing the notification was the source of the breach, an offer to provide appropriate identity theft prevention and mitigation services, if any, be made at no cost to the affected person for not less than 12 months, along with all information necessary to take advantage of the offer to any person whose information was or may have been breached, if the breach exposed or may have exposed SSN and driver’s license numbers;
  • provides that a person or entity may not sell, advertise for sale, or offer to sell an individual’s SSN, except as permitted.

October 15th, 2014 | Categories: Legislation

Right to be forgotten: sweeping changes are coming

According to a June 26, 2014 article in The Wall Street Journal, Google, Inc. started removing results from its search engine under Europe’s new “right to be forgotten,” implementing a landmark ruling by the European Union’s top court that gives individuals the right to request removal of Internet search results for their own names.

Not to be outdone when it comes to privacy legislation, the California Senate recently approved SB 1348, requiring online data brokers who sell consumer information to provide an opt-out mechanism and consumer access to the data. The bill, which now moves to the State Assembly for consideration, gives California consumers the right to review the information maintained by a data broker and request that it be permanently removed, within 10 days. Once removed, the information cannot be reposted or sold to a third party. Notably, the bill attempts to include consumer reporting agencies in the category of data brokers.

Although there is no actual movement on the federal level, the Federal Trade Commission (the “FTC”) urges that Congress consider enacting legislation to make data broker practices more visible to consumers and allow greater control over the immense amounts of personal information that is collected about them and shared by data brokers. In its study presented in a report issued May 27, 2014, the FTC found that data brokers operate with a fundamental lack of transparency.

July 9th, 2014 | Categories: Legislation

Proposed bill would establish standards for national data security

The bill, introduced in the Senate on January 15, 2014 and cited as the Data Security Act of 2014, would require entities such as financial institutions, retailers, and federal agencies to better safeguard sensitive information, investigate security breaches, and notify consumers when there is a substantial risk of identity theft or account fraud. The new requirements would apply to businesses that take credit or debit card information, data brokers that compile private information, and government agencies that possess nonpublic personal information.

January 23rd, 2014 | Categories: Legislation

New regulation in the UK mandates licensing of private investigators

Presented to the Parliament by the Secretary of State for the Home Department by Command of Her Majesty on July 31, 2013, the new regulation, which will take effect next year, makes operating as an unlicensed private investigator in the United Kingdom a criminal offense. Licenses will be granted by the Security Industry Authority only when an applicant has successfully completed training and achieved a government-recognized qualification, including an understanding of relevant laws and standards, and the skills required to conduct activities ethically; has confirmed his/her identity; and has passed a criminal background check.

September 12th, 2013 | Categories: Legislation

FINRA issues investor alert about calls from brokerage firm imposters

The Financial Industry Regulatory Authority (“FINRA”) issued a new alert on August 6, 2013, titled “Cold Calls from Brokerage Firm Imposters—Beware of Old-Fashioned Phishing,” to warn investors of calls from scammers claiming to be representatives of at least one well-known brokerage firm. In this latest twist on phishing scams, the fraudsters are cold-calling investors claiming to offer information about certificates of deposit with yields well above the best rates in the market in an attempt to get potential victims to divulge their personal or financial account information.

FINRA is reminding investors who receive unsolicited calls to never provide personal information or authorize any transfer of funds to any unknown person, and encourages anyone who believes that he/she has been scammed to file a complaint using its online Complaint Center or send a tip to FINRA’s Office of the Whistleblower.

August 7th, 2013 | Categories: Commercial Transactions Due Diligence

Scraped information for sale to employers

Employers legally can’t discriminate based on gender, race and other factors which they may get from social-media profiles, but some indeed are using such data in their employment decisions. Media sources reported that scraping for employment purposes is growing, and that an employment screening company in Florida began offering limited social-networking data, including some that is scraped, about a year ago. Scrapers operate in a legal gray area. Internationally, anti-scraping laws vary, and in the U.S., court rulings have been contradictory. Media reports quoted Eric Goldman, a law professor at Santa Clara University, as saying: “Scraping is ubiquitous, but questionable. Everyone does it, but it’s not totally clear that anyone is allowed to do it without permission.”

December 23rd, 2010 | Categories: Employment Decisions