Following a live business identity theft case as it happens

by Neal O'Farrell on October 24th, 2011

If you’ve never heard of business or corporate identity theft, expect to hear a lot about it in the future. In corporate identity theft, the thieves clone an entire business, usually a smaller one, instead of an individual. Then they pretend to be that business and obtain credit using the victim company’s credit history, or order goods, only to disappear into the night, leaving the real business to face the often devastating consequences.

These cases are on the rise for two reasons – they make a heck of a lot of money for the crooks, sometimes $1 million or more. And they’re very easy to pull off because most of the information the thieves need to clone a business identity is already freely available – the victim company’s own web site is often where the thieves start. Some of the gangs involved can spend a year or more researching their victims, and are usually long gone before the victim company finds out anything’s wrong.

According to one recent article, the Colorado Secretary of State’s office has registered 85 victim companies with total losses of approximately $3.4 million. One business alone suffered a loss of at least $250,000. And according to Dun and Bradstreet, which tracks this growing crime, up to 15% of commercial credit losses are the result of business identity theft.

I first got this case at 2pm on Wednesday, October 19th. The victim this time was a small Bay Area electronics firm that was fielding calls from vendors wanting to confirm large orders supposedly placed by the victim company for electronics parts. Problem was, the company had not placed any orders. Not so, said the vendors, who received the orders by email and showed them to the victim.

The orders came in very convincing emails using the victim company’s correct email address. The email order included an 800 number and that number directed the caller to the company’s real employees. Or at least voice mail boxes in the employees’ names.

But it was all a scam. And not only a live one but a dangerous one. The crooks had spent a lot of time researching the company. They set up their own web site and email address, even using the company’s web address. Except they were using the .net instead of the .com address, which the company had failed to register.

The first thing the victim did was contact their local police department, although they expected very little to come from it. Most police departments wouldn’t even consider this a crime, and certainly would have no idea where or how to investigate it. A typical victim in this type of case would be on their own and largely helpless.

Their only option would be to try to find out the name of the domain registrar that the crooks used to register the domain and ask them to take some action. But that could take months, or might never happen at all. Many registrars, often based in distant countries with few laws on this topic, simply ignore such requests. Or they require legal action, a court judgment or a search warrant. But with no police department ready to even investigate, there’s absolutely no chance of any of these happening.

But the victim was very lucky. They happen to be based in Hayward, California, and called Hayward PD, a relatively small police department with only one officer working full time in the fraud division. But not just any officer. Inspector Anne Madrid is a veteran fraud and identity theft investigator who knows identity theft better than most experts. Anne is a crusader for victims of identity theft and sits on the board of the Identity Theft Council.

Anne immediately called me and asked if I could help because I’m familiar with this kind of case. I recently spoke on the topic before the National Association of Secretaries of State, who launched a task force to address the issue because crooks often use corporate registration records that are publicly available through state web sites.

I sent out a call to the Anti-Phishing Working Group to see if anyone had contacts with the domain registrar, Tucows in Canada. Within minutes I had all the contacts I needed and asked Tucows’s abuse team to see what they could do to take the site down. By seven the next morning the Tucows team was on the case and the domain was blocked.

But that’s probably not the end. The crooks will probably just register another domain, maybe in another country, and just make it harder to take down. And they don’t care that their scam has been uncovered. There’s no way to warn suppliers across the country that a rogue company is out there placing orders, and they’ll keep doing it, in plain sight, until they feel it’s time to move on to the next victim. After all, there’s little chance that local law enforcement is going to come knocking on their door any time soon.

Stay tuned!