Nov 17 11

The Identity Theft Council contributes to the FCC’s Small Biz Cyber Planner, launched today

by Neal O'Farrell

The FCC is launching the Small Biz Cyber Planner, an online resource to help small businesses create customized cybersecurity plans. This is the result of an unprecedented public-private partnership between government experts and private IT and security companies, including DHS, NCSA, NIST, The U.S. Chamber of Commerce, The Chertoff Group, Symantec, Sophos, Visa, Microsoft, HP, McAfee, The Identity Theft Council, ADP and others. The online tool is available at

By almost any measure small businesses have an outsized impact on our economy and it is critically important that small businesses, a vibrant engine for job and idea creation, are secure using the many broadband enabled tools they need to efficiently run their businesses. According to a survey released in October, 2011 by Symantec and the National Cyber Security Alliance (NCSA), two-thirds of U.S. small businesses rely on broadband Internet for their day-to-day operations.

However, the Symantec survey also found that 85 percent of small businesses think their companies are cyber-secure, but barely half of these businesses actually have a cybersecurity strategy or plan in place and nearly 80 percent say they lack a written Internet security policy. With larger companies increasing their online defenses, small businesses are now the low hanging fruit for cyber criminals and many may have a false sense of security.

The Small Biz Cyber Planner will be of particular value for businesses that lack the resources to hire a dedicated staff member to protect themselves from cyber-threats. Even a business with one computer or one credit card terminal can benefit from this important guidance. The tool will walk users through a series of questions to determine what cybersecurity strategies should be included in the planning guide. Then a customized PDF is created that will serve as a cybersecurity strategy template for a small business.

This effort is part of an ongoing program to raise awareness about the cybersecurity risks to small businesses and to help these businesses become cyber-secure. Earlier this year, the FCC and a coalition of public and private-sector partners developed a cybersecurity tip sheet, which includes tips to educate business owners about basic steps they can take immediately to protect their companies. The tip sheet is available at

Also this month, Hewlett Packard is distributing the FCC’s cybersecurity tip sheet through its Security Center, its small business newsletter, and via the HP Support Assistant, an application pre-installed on most HP PCs. This distribution by Hewlett Packard will reach millions of small business owners.

The stakes are high so we all must heed the “Stop. Think. Connect.” message of the national cybersecurity awareness campaign. With government and the private sector working together we can overcome our cybersecurity challenges and help ensure that U.S. small businesses become an even more powerful engine of economic growth and job creation.

Nov 2 11

Gangs upping the ante in identity theft

by Neal O'Farrell

One of my greatest identity theft fears has been the involvement of other criminals in identity theft. By that I mean criminals who have traditionally focused on other crimes, like burglary, switching to identity theft because they realize that identity theft is a much better business opportunity and career path for them.

We do know that burglary and identity theft are already connected, because most burglars realize that a stolen Social Security number or birth certificate is worth far more than a stolen TV or jewelry. Not only is personal information worth more, it can be sold over and over again, and there’s far less risk of being caught. And of course drugs like meth have long been associated with identity theft, in part because in the early days of identity theft the chemicals used to wash stolen checks were also a key ingredient in the synthesizing of meth.

But what if more organized criminals, like street gangs or drug dealers, realized that there was more money to be made in identity theft than selling drugs on street corners? What if they switched business and moved en masse into identity theft? It could spark another massive escalation that would be very hard to stop.

Well, it seems that my worst fears are being realized. A few weeks ago I wrote about Operation Rainmaker, an identity theft scheme busted by law enforcement in Florida. The thieves may have netted as much as $130 million by using stolen identities to file fraudulent tax returns. The most disturbing part, apart from the fact that the thieves managed to pull off such a massive heist so easily, was that the thieves were street level drug dealers who took courses in how to use the internet to commit identity theft.

They realized that if they just learned some basic skills they could make much more money, with much less risk, if they focused on identity theft over drug dealing. Drug dealing is hard work and brings a lot of risk, from arrest to death. And the dealers almost always have to rely on other people – the distributors to provide them with the drugs, the sellers on the streets to move the “product,” and of course customers willing to buy from them instead of their competitors.

But with identity theft these dealers don’t need anyone else. They can commit the crime themselves from the comfort of their own home, there’s a lot less risk, and they don’t need partners or suppliers. Unless of course you count the stolen identities they exploit.

If more drug dealers come to the same conclusion, it could be good news for the fight against drug use but terrible news for identity theft. And signs are other criminals are catching on. According to an analysis just released by the FBI, “gangs are also engaging in white collar crime such as counterfeiting, identity theft, and mortgage fraud, primarily due to the high profitability and much lower visibility and risk of detection and punishment than drug and weapons trafficking.”

And according to the National Gang Intelligence Center (NGIC) many gang members are now using the Internet for identity theft, computer hacking, and phishing schemes. Earlier this year, law enforcement officials arrested dozens of members of the Armenian Power gang on a variety of charges that included a $2 million credit card scam and a large-scale check fraud scheme.

The FBI estimates that there are around 33,000 known gangs in the United States, with nearly 1.5 million active members. If these gangs start moving seriously into identity theft and other frauds, there’s no telling how bad identity theft will become. And especially with law enforcement already stretched to the limit.

Oct 25 11

Follow up on our identity theft case

by Neal O'Farrell

Yesterday I blogged about how we were helping a small business take down a clone of its company that thieves were using to commit identity theft and other frauds.

The thieves had registered the .net version of the company’s web address instead of .com, and we managed to get the domain registrar to block that domain in a matter of hours.

I figured that the crooks wouldn’t give up that easily and I was right. Today they popped up again, registering a new domain with the same registrar but this time hyphenating it as

Such an easy thing for them to do but almost impossible for the victim company to stop because they simply can’t register and police every single version of their domain name.

The registrar is Tucows and they have been fantastic at responding and helping us take down the bad guys. But it looks like the bad guys have done extensive research on the victim company and are not going to release their grip too easily.

We’ll see where they pop up next but it’s a warning to every small business to be very vigilant about this kind of attack – very easy to commit, very hard to stop.

Oct 24 11

Following a live business identity theft case as it happens

by Neal O'Farrell

If you’ve never heard of business or corporate identity theft, expect to hear a lot about it in the future. Corporate identity theft is where the thieves clone an entire business, usually a smaller one, instead of an individual. Then they pretend to be that business and obtain credit using the victim company’s credit history or order goods only to disappear into the night leaving the real business to face the often devastating consequences.

These cases are on the rise for two reasons – they make a heck of a lot of money for the crooks, sometimes $1 million or more. And they’re very easy to pull off because most of the information the thieves need to clone a business identity is already freely available – the victim company’s own web site is often where the thieves start. Some of the gangs involved can spend a year or more researching their victims, and are usually long gone before the victim company finds out anything’s wrong.

According to one recent article, the Colorado Secretary of State’s office has registered 85 victim companies with total losses of approximately $3.4 million. One business alone suffered a loss of at least $250,000. And according to Dun & Bradstreet, which tracks this growing crime, up to 15% of commercial credit losses are the result of business identity theft.

I first got this case at 2pm on Wednesday October 19th. The victim this time was a small Bay Area electronics firm that was fielding calls from vendors wanting to confirm large orders supposedly placed by the victim company for electronics parts. Problem was, the company had not placed any orders. Not so, said the vendors who received the orders by email and showed them to the victim.

The orders came in very convincing emails using the victim company’s correct email address. The email order included an 800 number and that number directed the caller to the company’s real employees. Or at least voice mail boxes in the employees’ names.

But it was all a scam. And not only a live one but a dangerous one. The crooks had spent a lot of time researching the company. They set up their own web site and email address, even using the company’s web address. Except they were using instead of address, which the company had failed to register.

The first thing the victim did was contact their local police department, although they expected very little to come from it. Most police departments wouldn’t even consider this a crime, and certainly would have no idea where or how to investigate it. A typical victim in this type of case would be on their own and largely helpless.

Their only option would be to try to find out the name of the domain registrar that the crooks used to register the domain and ask them to take some action. But that could take months, or might never happen at all. Many registrars, often based in distant countries with few laws on this topic, simply ignore such requests. Or legal action, a court judgment or a search warrant are required. But with no police department ready to even investigate, there’s absolutely no chance of any of these happening.

But the victim was very lucky. They happen to be based in Hayward, California and called Hayward PD, a relatively small police department with only one officer working full time in the fraud division. But not just any officer. Inspector Anne Madrid is a veteran fraud and identity theft investigator who knows identity theft better than most experts. Anne is a crusader for victims of identity theft and sits on the board of the Identity Theft Council.

Anne immediately called me and asked if I could help because I’m familiar with this kind of case. I recently spoke on the topic before the National Association of Secretaries of State, who launched a task force to address the issue because crooks often use corporate registration records that are publicly available through state web sites.

I sent out a call to the Anti Phishing Working Group to see if anyone had contacts with the domain registrar, Tucows in Canada. Within minutes I had all the contacts I needed and asked Tucows’s abuse team to see what they could do to take the site down. By seven the next morning the Tucows team was on the case and the domain was blocked.

But that’s probably not the end. The crooks will probably just register another domain, maybe in another country, and just make it harder to take down. And they don’t care that their scam has been uncovered. There’s no way to warn suppliers across the country that a rogue company is out there placing orders, and they’ll keep doing it, in plain sight, until they feel it’s time to move on to the next victim. After all, there’s little chance that local law enforcement is going to come knocking on their door any time soon.

Stay tuned!

Oct 11 11

Identity thieves make it rain money in Florida

by Neal O'Farrell

It was addictive. Just like the dope they once sold on the streets, if not more, according to the story in the Seminole Heights newspaper. “The scheme is extremely simple but extremely lucrative,” said the U.S. Secret Service Special Agent in Charge.

They were talking about Operation Rainmaker, an identity theft scheme that was so easy and so lucrative it persuaded drug dealers to abandon their age-old trade and turn to identity theft instead. The operation got its name from law enforcement simply because of the vast amounts of money thieves were able to rain down on themselves – about $130 million in fact.

Authorities were only tipped off to the scheme when taxpayers began to file complaints that when they went to file their own taxes, they found someone else had filed using their name. And that was the core of the scam.

Here’s what they discovered. The thieves were using public sites like to assemble the identities of the living and the dead, and were also buying complete identities on the black market – something that’s surprisingly easy for anyone to do.

Once the thieves had assembled enough information about an individual, they used off-the-shelf tax return software like Turbo Tax to file fraudulent tax returns. And that was probably the easiest part of the entire scam. The IRS is unable to thoroughly review or cross-reference every single tax return they receive, or spot any red flags like a sudden change of a taxpayer’s address. And if the amount of the return is under $10,000, it rarely gets scrutinized.

So naturally the thieves kept their returns under the $10,000 threshold and then sat back and watched the IRS rain money down on them. That money came in credit cards or checks issued by the Treasury and sent to a variety of homes, some of them vacant, or deposited electronically into bogus accounts.

Once they had their hands on the funds, the thieves would go on spending sprees. The scheme was so lucrative and widespread, authorities in the area said they noticed a significant reduction in street-level drug dealing. According to the story, informants told police that local drug dealers quickly realized that identity theft was a much more lucrative and safe line of business.

As soon as authorities got wind of the scheme, they assembled a task force that included police and Sheriff’s departments, the United States Secret Service, the United States Postal Inspection Service, State Attorney’s Office, and the United States Attorney’s Office.

But in spite of all the evidence they had gathered, authorities had trouble in filing charges of tax fraud because the IRS refused to share the records they had – apparently the IRS protects the personal information of thieves who are caught committing tax fraud.

Nearly fifty people have been arrested so far, and here’s exactly how law enforcement laid out the multiple steps in this bizarre criminal enterprise:

• Create Fake Identity

    • Suspects search the web to find identities of deceased or living victims.

    • Defendants buy large volume of identities from suspects who are stealing names and social security numbers from businesses, medical facilities or prisons.

• File Fraudulent Tax Return Online

    • Suspects use multiple electronic filing programs including, Turbo Tax, Tax Hawk and Tax Slayer. Turbo Tax is the most commonly used.

    • Suspects refer to this tax scam as “doing drops.”

• Request Refund on Green Dot Card, Treasury Check or Direct Deposit

    • Suspects have refunds sent to vacant homes, another suspect’s home or an innocent bystander’s home and then intercept the mail.

    • Defendants open fraudulent bank accounts to receive direct deposits.

• Cashing in the Refund

    • Suspects withdraw money from ATM’s.

    • Buy large ticket items or money orders at legitimate businesses.

    • Suspects launder the money through illegal businesses.

And apart from how easy it was to pull off the scam – if they’d stuck to victimizing dead people they might never have been caught – the most worrying part of the story is how drug dealers and other criminals are turning away from traditional crimes and to identity theft. And with so few investigations, arrests and prosecutions for identity theft, what have these crooks to worry about?