July 27, 2020

Identity thieves who specialize in running up unauthorized lines of credit in the names of small businesses are having a field day with all of the closures and economic uncertainty wrought by the COVID-19 pandemic, KrebsOnSecurity has learned. This story is about the victims of a particularly aggressive business ID theft ring that’s spent years targeting small businesses across the country and is now pivoting toward using that access for pandemic assistance loans and unemployment benefits.

Most consumers are likely aware of the threat from identity theft, which occurs when crooks apply for new lines of credit in your name. But the same crime can be far more costly and damaging when thieves target small businesses. Unfortunately, far too many entrepreneurs are simply unaware of the threat or don’t know how to be watchful for it.

What’s more, with so many small enterprises going out of business or sitting dormant during the COVID-19 pandemic, organized fraud rings have an unusually rich pool of targets to choose from.

Short Hills, N.J.-based Dun & Bradstreet [NYSE:DNB] is a data analytics company that acts as a kind of de facto credit bureau for companies: When a business owner wants to open a new line of credit, creditors typically check with Dun & Bradstreet to gauge the business’s history and trustworthiness.

In 2019, Dun & Bradstreet saw more than a 100 percent increase in business identity theft. For 2020, the company estimates an overall 258 percent spike in the crime. Dun & Bradstreet said that so far this year it has received over 4,700 tips and leads where business identity theft or malfeasance are suspected.

“The ferocity of cyber criminals to take advantage of COVID-19 uncertainties by preying on small businesses is disturbing,” said Andrew LaMarca, who leads the global high-risk and fraud team at Dun & Bradstreet.

For the past several months, Milwaukee, Wisc. based cyber intelligence firm Hold Security has been monitoring the communications between and among a businesses ID theft gang apparently operating in Georgia and Florida but targeting businesses throughout the United States. That surveillance has helped to paint a detailed picture of how business ID thieves operate, as well as the tricks they use to gain credit in a company’s name.

Hold Security founder Alex Holden said the group appears to target both active and dormant or inactive small businesses. The gang typically will start by looking up the business ownership records at the Secretary of State website that corresponds to the company’s state of incorporation. From there, they identify the officers and owners of the company, acquire their Social Security and Tax ID numbers from the dark web and other sources online.

To prove ownership over the hijacked firms, they hire low-wage image editors online to help fabricate and/or modify a number of official documents tied to the business — including tax records and utility bills.

The scammers frequently then file phony documents with the Secretary of State’s office in the name(s) of the business owners, but include a mailing address that they control. They also create email addresses and domain names that mimic the names of the owners and the company to make future credit applications appear more legitimate, and submit the listings to business search websites, such as yellowpages.com.

For both dormant and existing businesses, the fraudsters attempt to create or modify the target company’s accounts at Dun & Bradstreet. In some cases, the scammers create dashboard accounts in the business’s names at Dun & Bradstreet’s credit builder portal; in others, the bad guys have actually hacked existing business accounts at DNB, requesting a new DUNS numbers for the business (a DUNS number is a unique, nine-digit identifier for businesses).

Finally, after the bogus profiles are approved by Dun & Bradstreet, the gang waits a few weeks or months and then starts applying for new lines of credit in the target business’s name at stores like Home Depot, Office Depot and Staples. Then they go on a buying spree with the cards issued by those stores.

Usually, the first indication a victim has that they’ve been targeted is when the debt collection companies start calling.

“They are using mostly small companies that are still active businesses but currently not operating because of COVID-19,” Holden said. “With this gang, we see four or five people working together. The team leader manages the work between people. One person seems to be in charge of getting stolen cards from the dark web to pay for the reactivation of businesses through the secretary of state sites. Another team member works on revising the business documents and registering them on various sites. The others are busy looking for specific businesses they want to revive.”

Holden said the gang appears to find success in getting new lines of credit with about 20 percent of the businesses they target.

“One’s personal credit is nothing compared to the ability of corporations to borrow money,” he said. “That’s bad because while the credit system may be flawed for individuals, it’s an even worse situation on average when we’re talking about businesses.”

Holden said over the past few months his firm has seen communications between the gang’s members indicating they have temporarily shifted more of their energy and resources to defrauding states and the federal government by filing unemployment insurance claims and apply for pandemic assistance loans with the Small Business Administration.

“It makes sense, because they’ve already got control over all these dormant businesses,” he said. “So they’re now busy trying to get unemployment payments and SBA loans in the names of these companies and their employees.”

PHANTOM OFFICES

Hold Security shared data intercepted from the gang that listed the personal and financial details of dozens of companies targeted for ID theft, including Dun & Bradstreet logins the crooks had created for the hijacked businesses. Dun & Bradstreet declined to comment on the matter, other than to say it was working with federal and state authorities to alert affected businesses and state regulators.

Among those targeted was Environmental Safety Consultants Inc. (ESC), a 37-year-old environmental engineering firm based in Bradenton, Fla. ESC owner Scott Russell estimates his company was initially targeted nearly two years ago, and that he first became aware something wasn’t right when he recently began getting calls from Home Depot’s corporate offices inquiring about the company’s delinquent account.

But Russell said he didn’t quite grasp the enormity of the situation until last year, when he was contacted by the manager of a virtual office space across town who told him about a suspiciously large number of deliveries at an office space that was rented out in his name.

Russell had never rented that particular office. Rather, the thieves had done it for him, using his name and the name of his business. The office manager said the deliveries came virtually non-stop, even though there was apparently no business operating within the rented premises. And in each case, shortly after the shipments arrived someone would show up and cart them away.

“She said we don’t think it’s you,” he recalled. “Turns out, they had paid for a lease in my name with someone else’s credit card. She shared with me a copy of the lease, which included a fraudulent ID and even a vehicle insurance card for a Land Cruiser we got rid of like 15 years ago. The application listed our home address with me and some woman who was not my wife’s name.”

The crates and boxes being delivered to his erstwhile office space were mostly computers and other high-priced items ordered from 10 different Office Depot credit cards that also were not in his name.

“The total value of the electronic equipment that was bought and delivered there was something like $75,000,” Russell said, noting that it took countless hours and phone calls with Office Depot to make it clear they would no longer accept shipments addressed to him or his company. “It was quite spine-tingling to see someone penned a lease in the name of my business and personal identity.”

Even though the virtual office manager had the presence of mind to take photocopies of the driver’s licenses presented by the people arriving to pick up the fraudulent shipments, the local police seemed largely uninterested in pursuing the case, Russell said.

“I went to the local county sheriff’s office and showed them all the documentation I had and the guy just yawned and said he’d get right on it,” he recalled. “The place where the office space was rented was in another county, and the detective I spoke to there about it was interested, but he could never get anyone from my county to follow up.”

RECYCLING VICTIMS

Russell said he believes the fraudsters initially took out new lines of credit in his company’s name and then used those to defraud others in a similar way. One of those victims is another victim on the gang’s target list obtained by Hold Security — Mary McMahan, owner of Fan Experiences, an event management company in Winter Park, Fla.

McMahan also had stolen goods from Office Depot and other stores purchased in her company’s name and delivered to the same office space rented in Russell’s name. McMahan said she and her businesses have suffered hundreds of thousands of dollars in fraud, and spent nearly as much in legal fees fending off collections firms and restoring her company’s credit.

McMahan said she first began noticing trouble almost four years ago, when someone started taking out new credit cards in her company’s name. At the same time, her business was used to open a new lease on a virtual office space in Florida that also began receiving packages tied to other companies victimized by business ID theft.

“About four years back, they hit my credit hard for a year, getting all these new lines of credit at Home Depot, Office Depot, Office Max, you name it,” she said. “Then they came back again two years ago and hit it hard for another year. They even went to the [Florida Department of Motor Vehicles] to get a driver’s license in my name.”

McMahan said the thieves somehow hacked her DNB account, and then began adding new officers and locations for her business listing.

“They changed the email and mailing address, and even went on Yelp and Google and did the same,” she said.

McMahan said she’s since locked down her personal and business credit to the point where even she would have a tough time getting a new line of credit or mortgage if she tried.

“There’s no way they can even utilize me anymore because there’s so many marks on my credit stating that it’s been stolen” she said. “These guys are relentless, and they recycle victims to defraud others until they figure out they can’t recycle them anymore.”

SAY…THAT’S A NICE CREDIT PROFILE YOU GOT THERE…

McMahan says she, too, has filed multiple reports about the crimes with local police, but has so far seen little evidence that anyone is interested in following up on the matter. For now, she is paying Dun and Bradstreet more than a $100 a month to monitor her business credit profile.

Dun & Bradstreet does offer a free version of credit monitoring called Credit Signal that lets business owners check their business credit scores and any inquiries made in the previous 14 days up to four times a year. However, those looking for more frequent checks or additional information about specific credit inquiries beyond 14 days are steered toward DNB’s subscription-based services.

Eva Velasquez, president of the Identity Theft Resource Center, a California-based nonprofit that assists ID theft victims, said she finds that troubling.

“When we look at these institutions that are necessary for us to operate and function in society and they start to charge us a fee for a service to fix a problem they helped create through their infrastructure, that’s just unconscionable,” Velasquez said. “We need to take a hard look at the infrastructures that businesses are beholden to and make sure the risk minimization protections they’re entitled to are not fee-based — particularly if it’s a problem created by the very infrastructure of the system.”

Velasquez said it’s unfortunate that small business owners don’t have the same protections afforded to consumers. For example, only recently did the three major consumer reporting bureaus allow all U.S. residents to place a freeze on their credit files for free.

“We’ve done a good job in educating the public that anyone can be victim of identity theft, and in compelling our infrastructure to provide robust consumer protection and risk minimization processes that are more uniform,” she said. “It’s still not good by any means, but it’s definitely better for consumers than it is for businesses. We currently put all the responsibility on the small business owner, and very little on the infrastructure and processes that should be designed to protect them but aren’t doing a great job, frankly.”

Rather, the onus continues to be on the business owner to periodically check with DNB and state agencies to monitor for any signs of unauthorized changes. Worse still, too many private and public organizations still don’t do a good enough job protecting employee identification and tax ID numbers that are so often abused in business identity theft, Velasquez said.

“You can put alerts and other protections in place but the problem is you have to go on a department by department and case by case basis,” she said. “The place to begin is your secretary of state’s office or wherever you file your documents to operate your business.

For its part, Dun & Bradstreet recently published a blog post outlining recommendations for businesses to ward off identity thieves. DNB says anyone who suspects fraudulent activity on their account should contact its support team.


21 thoughts on “Business ID Theft Soars Amid COVID Closures

  1. The Sunshine State

    It’s like we are all living in a “Twilight Zone” episode where the cyber-crime just continues on unabated.

    I submit for your approval a internet security blogger by the name of Brian Krebs, a interesting fellow who like to agitate and annoy miscreants

  2. DelilahTheSober

    At least 10 years ago, someone posed as one of my company employees and tried to buy a car on credit from a car lot. It was so weird. That business (I had others) consisted 100% of eBay sales and was a part-time venture that netted less than $500 a month. Luckily for me, the car lot called to confirm the details, and I was able to explain that it was a family business with no employees on the payroll.

  3. Debbie Stuart

    Great timing for this article to hit my inbox. Just this past Saturday, I discovered a fraudulent charge on my TD Bank credit card from EINDOCS – $247. No way this was me, and I immediately called to report it. Does anyone have any insight about EINDOCS or how this happened? I did a brief search online and see that they provide EINs. I also found some less-than-stellar commentary about them. Any thoughts/recommendations? Thanks!

    1. Rob

      EINDOCS is for filing EIN numbers for opening a business. Its odd because when I filed for business in the past you can go right to IRS.gov and get it done.

    2. JT

      Strange, I just had a charge from eintaxidfiling.com for $247 hit me.

  4. G

    No surprise the local sheriff didn’t help.

    In the nascent online shopping days of the late 1990s, a thief tried to buy over $5,000 worth of computers and screens on my credit card. I contacted a rep of the company and he confirmed they rejected the sale. I asked for the shipping address the thief used and the rep gave it to me (probably wouldn’t nowadays).

    The address was about 30 minutes away by car. The computer company agreed to overnight mail me their logo shipping labels so I could do a sting operation to catch the crooks. My friend owns a local computer store and agreed to supply some empty computer and CRT boxes. I was going to put rocks in them, label and ship them.

    This required the local police in the neighboring town to help. I’d do 99% of the work and they’d only have to arrest them when they took delivery.

    So I phoned that police dept (not sheriff) and told them about the fraud and how there are probably more victims.

    But when I told the cop the address, he said there is no such address in that town.

    Perplexed, I drove there (used a printed address from mapquest). Not only did the address exist, it 3-4 blocks away from the police station! The address was an empty house with a For-Sale sign in the front yard. Across the street were two 20-something guys working on their cars and staring at me as I walked up and looked around the empty house.

    I drove to police station a few blocks away and told them the address not only exists it’s just a few blocks away!

    I told them I’d set up a sting operation on a silver platter for them. All they’d have to do is just stake it out when the delivery arrived and arrest the thieves and probably uncover lots more fraud.

    But the cops had excuses. A detective told me he’d help but didn’t return my call. So I called him back the next day or two and he apologized, saying he was busy with a robbery at a 7/11 or similar store.

    I pointed out that the value of the theft against me was over $5k, much more than a puny 7/11 theft, and the thieves were probably committing more fraud. He said he could help in a couple of weeks, but I pointed out we had to move fast while the thieves still expected the packages. He never helped.

    That’s when I realize local cops are pretty much like janitors. They don’t prevent spills. They just clean them up.

    I never again tried to help local police.

    Besides the cops’ suspicious claim that the address didn’t exist, they just seemed hopelessly mentally ill-equipped to fight crime. Dang! I just realized I forgot to bring them donuts.

    Because the fraud was so local and the thief had my billing address, I suspected a local merchant. I remembered I had food delivered from a restaurant and the delivery driver took my credit card and made a carbon copy by rubbing the side a pen on my card underneath the carbon copy (now obsolete). He had my physical address and the card info. My guess was he gave or sold the card info to some friends. I never ate at that restaurant again even though it was about 5 blocks away.

    ===

    On the other hand, the online FBI fraud complaint form worked well years ago (haven’t used it for a long time). They made the dad of an underage scammer reimburse one of my clients and several other victims of the same scam. I still remember that kid’s name. He must be at least 35 years old by now.

    1. Moike

      Not in defense of the cop’s priorities, but a stakeout probably takes more labor unless a timed delivery can be arranged.

      Still, it would have been fun to send some junk computers in those shiny boxes.

    2. John Clark

      It seems that most cop shops are populated with individuals that need to see the obvious. Most local news reporting has that same low level.

      Three years ago i tried to report about how identity scammers were going after job seekers. I found a local tv news producer that was willing to do a story but she said that she needed to use my real name. I said NO. That would put a big target on my back. She said that in journalism they must have the real name of the interviewee. I looked her up and her educational background was business and marketing. Obviously she never read “All the President’s Men”.

    3. Sergi

      Police = civil servant, waiting for pension and benefits

      Private Detective = hungry , willing to go the extra ‘foot’ , at the right price

    4. JCitizen

      I had a minor fraud charge against my bank account once, and I knew where the breach was, but I was just curious, so I called the local FBI field office and asked them what they do about incidents like this, and he said if it is $5,000 dollars or above in losses, they will take a report and definitely investigate it. So any of the comments here at KOS regarding similar incidents, never contacted the FBI apparently.

      I went to the reporting site for my little problem, and gave detailed information on everything that happened, and who I suspected had been breached. But the real action happened when I went back to the compromised legitimate site to purchase my next allotment of product, and this time I used a card that used random card number to issue to the merchant for online purchases. Just as I suspected that sale was compromised too, but VISA got hold of this dodgy transaction and revoked the merchant’s card holding privileges, and it really put the dampers on their business model! They soon sold out to another US company, and even to this day they are not allowed to record card data on their customers. So I more than got even for my trouble, even though the merchant was really not aware they’d be hacked. There is more than one way to skin a cat.

      1. Robert

        > so I called the local FBI field office and asked them what they do about incidents like this, and he said if it is $5,000 dollars or above in losses, they will take a report and definitely investigate it.

        The limit has gone up. I heard, about a year ago, the FBI won’t investigate unless the loss is $1 million or more. Yes, it has gotten than bad. I suppose being politically connected or a political embarrassment helps lower that limit.

  5. Mahhn

    “the past several months, Milwaukee, Wisc. based cyber intelligence firm Hold Security has been monitoring the communications between and among a businesses ID theft gang”
    They didn’t have them arrested or dispose of the Gang – Hold Security is an accomplice then.

  6. TreFunny

    Lets just look at these two things and the picture starts to get clearer:

    “A Dun & Bradstreet 52GB database containing about 33.6 million records with very specific details about each of the people involved from job title to email address has been exposed.”

    “For now, she is paying Dun and Bradstreet more than a $100 a month to monitor her business credit profile.”

  7. Satta Matka

    The address was about 30 minutes away by car. The computer company agreed to overnight mail me their logo shipping labels so I could do a sting operation to catch the crooks. My friend owns a local computer store and agreed to supply some empty computer and CRT boxes. I was going to put rocks in them, label and ship them.

  8. Satta Matka

    It’s like we are all living in a “Twilight Zone” episode where the cyber-crime just continues on unabated.

  9. Robert Scroggins

    It seems to me that we are making it too easy to obtain credit. I know credit makes the economy work nowadays, but something needs to be done to limit credit–for businesses and individuals.

    Regards,

  10. Jim

    Interesting story. But it proves, cybercrime is legal. A law unenforced is unfortunately all to common because of manpower. And private security is not the answer. They can be called off by the next larger business, another form of bad guys.
    The comments about local, counties, little towns have Mayberry cops, very tight budgets, they have to look after the local shops, their voters, another city’s crime? You are streaching their budget very thin, and, do you contribute to their taxbase? Or, do you evade paying to the local economy’s by deferrals. That keep the county small.

  11. jason

    D&B does a horrible job of managing the DUNS. A DUNS number is required if you do anything with the US federal government (it’s required for being issued a CAGE code from SAM.gov).

    It is trivial to gain access / change information of DUNS for a company (whether you should or not). And like the personal credit bureaus (Equifax, Experion, Transunion), when someone points out how easily their system can be used for fraud… D&B responds with products to manage their mismanagement of the data. This is the fox guarding the hen house… and charging for the chickens for the privilege.

  12. Raymond Sweeney

    My business partner, Andy Pham, owned an LLC valued at $5 Mill.
    The crooks logged into Silverflume, Nevadas online business portal where the State holds all it’s entities.
    The crooks clicked on his LLC (it’s all public information), changed him out as the managing member, paid the $75 to do so, and now owned his company. They took out $2 mill in cash loans against his LLC and then attempted to sell it for $2.36 million. Andy found out months later when he received a default notice on the $2 mill cash loan. The las vegas review journal picked up his story (google Andy Pham Las Vegas review journal). He has spent over $460,000 in attorney fees attempting to get his business back. While fighting these criminals he founded http://www.companyalarm.com so that small business owners DO NOT go through what he went through.

  13. Vincent C

    Question about DNB.
    I am the owner of a French company that does more and more international business.
    My French Company appears in the DNB database with information copyed from public records in France.
    Do you feel I should monitor DNB for crooks attempting to change informations regarding my company (although original records would not be changed), because DNB seems to be used a lot around the world as a source to verify business records.

Comments are closed.