FraudKast
The LexisNexis Risk Solutions FraudKast exposes fraud and theft across all types of government benefit programs. We seek to interview leading experts from both law enforcement, as well as agency investigators to understand and reveal nefarious methods against federal and state programs.
Examples of government fraud that will be included are DMV fraud, SNAP fraud, student loan fraud, social security fraud, state retirement fraud, housing fraud, Medicaid/Medicare, and Tax refund fraud, etc.
All guest experts are on the front lines of detecting, preventing, and fighting these types of government fraud.
FraudKast
Business Identity Theft and Fraud with Ralph Gagliardi
The next wave of fraud will be tied to the misuse of business identities. Businesses' identities can be taken over by fraudsters, or a fraudster can create an entirely new business with the intent of defrauding other businesses, government agencies, or individuals. Either way, those businesses are registered on the Secretary of State’s business registry and become listed as “In Good Standing”, which is misleading to the average citizen or business. During this FraudKast we will explore the shortcomings of the business registry and what can be done to solve the issues.
DISCLAIMER: The information provided in this podcast is for informational purposes only and is not intended to and shall not be used as legal advice. The views and opinions expressed in this episode are solely those of the speaker/s and do not necessarily reflect the views or positions of LexisNexis Risk Solutions. LexisNexis Risk Solutions does not warrant that the information provided in this podcast is accurate or error-free.
Narrator: Hello and welcome to the FraudKast, brought to you by LexisNexis Risk Solutions. The series that shines a light on fraud and theft across numerous government benefit programs. FraudKast is hosted by Larry Benson, Director of Strategic Alliances for LexisNexis Risk Solutions Government division, and the creator and principal author for the Fraud of the Day website. And now, here’s Larry with today’s guest.
Larry Benson: Welcome to the FraudKast. This is Larry Benson, your host, and today we are going to examine business identity theft. Yes, businesses can have their identity stolen as well. To help me today, our guest is Ralph Gagliardi, who's the agent in charge at the Colorado Bureau of Investigation. He's got 33 years of law enforcement experience and he's an expert in fraud and identity theft and organized crime. Ralph, welcome.
Ralph Gagliardi: Thank you, Larry. Thanks for having me.
Larry: This is great. I'm glad you could join us. So, Ralph, we have to start off by giving everybody a baseline understanding. Can you explain to us how businesses get established in a state, and how they register with the Secretary of State, and some of the challenges that you see?
Ralph: Yes, for sure. Business, and the flow of business, and what it does for a person, right? Well, the states have Secretary of State's offices that allow would-be business owners to register that business with a given state. Now there are different ways to do this at various states, but in Colorado you get on the Internet, go to the Colorado Secretary of State's office, and you go through the process there online, filling out what you're going to name your business, and where it's going to be located, who's the principal officers, so to speak, how you're going to get the mail, that kind of thing. So then when that business is registered, you pay a fee. Sometimes fees are smaller, larger, depending on what you're doing and what kind of special might be going on right then. But then that business is registered with the state.
Larry: So, once they register with the state and pay a fee, what is the Secretary of State checking or verifying on that registration? Because my understanding is that you could basically say whatever you like. But what are the checks and balances?
Ralph: Well, the main check and balance is that the person or persons causing that registration to be filed, that they have to, there's a little small print area that says “Are you the true and accurate person? Is this legit?” type of deal. I'm not reading it off the screen here, so “Can you verify, attest, and affirm” type of deal. Under penalty of law, right, that, yes, you're the person that can do this. So that's the first thing. What's the old adage? Locks, though, are only meant to keep honest people honest. So that is really what we have going on here. The vast, vast majority of folks who register are following that to the tee, abiding by the law. The problem is, what about the wolves out there? So, the checks and balances then comes in to what that person says and attests to and then from there, how the Secretary of State keeps track of the database. They only, the Secretary of State, only has the database. They do not verify the data that goes in. So, once that wolf logs into the system and creates a business, we work, law enforcement and or the Secretary of State's office, work to mitigate what can happen. Can we try to contact the person who caused that false filing, if you will? Or how do we get at it? So, the balance is having a great partnership with the Secretary of State's office and or law enforcement to get at those folks that would want to defraud the system.
Larry: So, my history with Secretaries of State's offices across the country, there's literally thousands of filings every year. I don't know how you would keep up with doing any type of verification unless it was automated, and I would think that it's important to be able to verify who the individuals are, and that the company is legitimate. Because once they file and pay their fee, no matter where they are, they're listed as in good standing. And I think the general public looks at good standing as a legitimate entity. And I think that becomes a problem. It's misunderstood by the public.
Ralph: Yes. So that's what I came to know, oh, 13 years ago when I jumped into this genre which is business ID theft. You're going off the word and the record if you will, that's maintained by the state government, in this case Colorado, and you’re just relying on potentially that, hey, that's been vetted and you just said it, it's not vetted. The Secretary of State's offices, at least in Colorado and many others, again, they don't verify the information that goes in. They're hoping that honest people stay honest, I think, I don't know if that's a quote, but that's really what we're relying upon. And also a little bit of outdated thoughts on what frauds can happen, right? So the system was set up, used to be in person, and then of course we went online, and people weren't doing this many bad things virtually. So with different things, but as far as business identity theft, now you have fraudsters creating businesses to commit fraud. We have fraudsters taking over current businesses, hijacking them, if you will. And then committing frauds or crimes with those, we can go into that a little bit more later. But the system, the adage there is it's a little bit, you know, playing catch up. And then of course, what costs. You mentioned too is, how do they vet information? There's products out there that I believe that can help with verifying who's who. But again, there's costs, and I know especially government, we look at ways to keep costs down. But at what cost do you keep the costs down? In this case, the costs might balance out, it may not. But we do see that frequently that there's ways to get at and verify the data going into the system.
Larry: Interesting. I look at that, and I'm a little surprised that there's really no checks and balances from the Secretary of State. My concern is the fraud that's being committed and the upcoming fraud, because we see it increasing across the country where businesses are being defrauded. Now you and I have had this discussion before. I believe that businesses are being defrauded far more than what's being reported, simply because a CEO, a CIO, a CFO, is sitting there saying “I don't want to have to go in front of my stockholders. I don't want to have to go in front of my board of directors and talk about how we lost a million, two million, five million dollars. I want this to go away.” And basically they direct the CFO to bury it someplace. So there's far more business identity fraud being committed. It's going to actually come out more and more because businesses are going to get to the point that they can't afford, or don't have a way to hide it anymore. And all of a sudden you're just going to see this flood of business identity theft hitting the market, and all of a sudden the Secretaries of State are going to sit there and say “We have to do something now.” So there's a wave yet to come.
Ralph: Well, a couple points, Larry, I'd like to mention. So, our Secretary of State's office in Colorado has really been a great partner in trying to evolve with this ID theft, if you will, and this process. So for instance, they were great partners in establishing email alerts as well as password protection on various businesses. Now, where we're not evolving quickly enough, of course, I'm not the perfect person, because when I'm verifying creditworthiness, I would slow business down to a halt. I've been told that many times. But I would like to see, because right now the Secretary of State's office, I'm not going to quote statute and bore everyone here, but their statute isn't set up to take care of certain things, right. And of course, then there's the cost. Back to that evil “C” word there. And I believe that, you know, we're still making inroads to that. But as far as not reporting, I agree in some respects to that. But just one quick example of either head in the sand or not wanting to report. I do know working with probably 30 or 40 businesses that were hijacked, taken from other people, or creating a new, were used to apply for a loan or loans. The fraudsters kept these loans at a threshold they know the lending entity had, so they wouldn’t verify or vet the entity any further. So it was at 50,000. So the 30 businesses for this example, 30 different businesses, all applied for a $50,000 loan each, and the lende,r not knowing that they're all the same entity, the same bad guy, if you will. Well, I called this lending entity back east and said, “Hey, you know we have this happening.” The person on the phone said, “Hey, that can't happen. We would never have that happen here.” I said “OK, well, check into some of these and here's the examples of why they're the same people, same bad guy, and you're going to call me back.” Sure enough, my phone lit up in the morning, East Coast time of course, at you know, 5:30 AM my time here. I was on live in the board meeting with all the big shots and the C-Suite and they were quite concerned about this, and they hadn't had their head in the sand, if you will, but they were happy to know that they can see this now and maybe mitigate.
Larry: So basically, it's 30 businesses that were created, put on the Secretary of State's website, in good standing, and then applied for loans. And we're able to get those loans.
Ralph: Right, so either they were created or hijacked from another business owner and then issuers of credit, they all have their own way to verify or vet. Remember I mentioned their threshold was 50,000 in this example, but I do believe, and I have seen, and I've talked to issuers of credit or loans. They are under that impression that just having a business entity in good standing could be the almost, if not everything, the end all. Well, they don't realize the Secretary of State does not tout that just because it's in good standing that other entities should issue credit. Although good standing might seem to sound like, hey, it's in good standing, right? But it's not necessarily the case, and that's what we're trying to vet, and you know, work with the Secretary of State so that they can put out alerts, or flag, or otherwise demarcate what that good standing actually means. And then, of course, awareness and education to issuers of credit.
Larry: Now you had mentioned that emails, passwords, email notifications have been put in place, which is great because that helps with account takeover. But what it doesn't really help with is the fraudulently created business that's made from the ground up by the bad guys, and they claim they've got 5000 employees, they're located in Colorado, so on and so forth. They make it all up, and now all of a sudden that's listed on the Secretary of State's website with no real verification. So now all of a sudden those banks and lending institutions are under the impression that they're legitimate. So it sounds as though, for account takeover, you've got some things covered, but for the creation of new entities, that's a whole new world, is that right?
Ralph: Yes, absolutely. I've, I don't know if coined the term, it's not quite accurate, but I've always said that type of business identity theft was whole cloth business identity theft, meaning they create the business from the ground up. They didn't steal it from someone else. And that too has been hard to address. Once we find and locate that particular business, we look at other things to then match it to other businesses that were created. So it's like a bag of chips. The bad guys can't have just one.
They do dozens. And they're probably like me when I get into some Pringles. I can't have just one right. So they do tens to hundreds of businesses that they then, it's not necessarily a Shelf Corp, but it's, they shelve, pause that business and in some instances they use them right away. In some instances, they let them age, because as you probably know Larry, that business age, why somebody wants to take over a business? It's already established in the 1st place. Take over the record at the Secretary of State's office. It's to show the length in business. That age is also a decision of credit that the issuers of credit aren't looking at. Well, did it just change names? Because the bad guys will change the name or an address so they can control the mail. How was that tone there? That's my only impression. So they control the mail, right, and then they control the credit correspondence that comes in, that kind of thing. They also create websites too, that are fake just to get correspondence. But once that's done, that aged business, now, is then used to get other things of credit or use on other schemes.
Larry: I'm assuming not just getting bank loans, but I'm assuming credit cards, I'm assuming purchasing vehicles, other assets that they could turn around and sell.
Ralph: Right, so it's leased items, they like to lease items. I know at one point it was the high-end high-definition cameras, that were ten, fifteen, twenty thousand dollars. I won't name the brand on the camera, but they would lease that camera, get the camera, and then sell that camera. Get the cash for it.
Same with other things like printers, high-end medical equipment, importing goods, just under the name of this fake business. Because what's that business give you? Well, it gives you legitimacy, apparently, and it also layers you, hides you. It hides, obfuscates who the person is. Because remember, you only had to apply for, you didn’t have to go in person, you registered that business virtually, online, sight unseen to anybody. You didn't have to produce a license or any sort of identification, and if you did, it would just be, you know, that, well, I won't speculate if you did, but so they're hidden. That bad guy is hidden from authorities.
Larry: Sure. Now, you've been doing this for a long time, Ralph. What are the trends that you're seeing? Are you seeing this trend up? Is this something that, you know, is going up five, ten percent a year, or are you starting to see this actually exponentially increase? What are you seeing?
Ralph: So business identity theft absolutely has trended, and is still continuing to trend upwards with use by the bad guys. They've found that the ease to do this, who doesn't want to be lazy, right? So the bad guys aren't stealing the car that's inside the garage and has the club on it. They're stealing the car that's outside in the driveway, idling, OK, it's low hanging fruit. And this right now is a genre for the bad guys to use, and plus it allows for huge windfall that you're virtually hidden from the authorities. So the trend is upwards. Now, I do see the Secretary of State’s really working hard and getting there with law enforcement. Not just us, but other entities, the federal agencies as well, trying to curb some of this fraud. But right now it's so easy to perpetrate that, you know, it's hard to keep afloat of what's going on.
Larry: Sure.
Now who are the individuals, do you think, that are committing these types? Are these just individuals themselves? Is this organized crime? Is it domestic? Is it international? Is it all the above?
Ralph: No, you just named them, so drop the mic right there. But yes, so the larger groups are offshore, they're outside the country of the United States. That's also helpful because how do you get at them then, right? Well, what if they're in a country that isn't so friendly with the United States? So we can't even necessarily have our federal partners go after them, because it's in a country that's, kind of condones this. So it's organized crime, offshore. We do see state side groups doing this, but not to the extent that the offshore organized crime does. The state side would get at only a small amount of businesses, if you will. And if they're stateside, they're easier to track for law enforcement frankly. Because we can track them, it's just what kind of effort can we and do we put towards finding the bad guy? So sure, you can try to hide yourself even further, but we have tools and assistance by the Secretary of State's offices that allows us to get at that data. So when it's stateside, we can go after the bad guys, so it makes it a little harder for them to really go gangbusters.
Larry: So you mentioned the banks before and you gave an example. Do you have any other examples as well? Obviously, without exposing the victims, et cetera. Because giving an idea as to how some of these frauds are perpetrated might help the listeners realize how pervasive this is.
Ralph: Well, that brings to mind Larry, lenders, and in some cases, the lenders are our banks.
Not all lenders are necessarily banks, but in this case what I'm going to mention: Know your customer. I wish I had a sound effect like lightning or thunder there. Anyway, know your customer, and then have an echo there. Well, knowing your customer is great for you and I, and how we have to show up or give up to get a bank account. Now, there are some great banks out there, institutions that do require more with businesses when you're registering a business account. Right now, there's several banks out there that open a bank account, very loose, by just giving them the name of the business. And then, of course, we've used the term Mickey Mouse identity, who owns that business. Mickey Mouse meaning that it's not legitimate, it's synthetic. So because the requirements aren't as stringent. And therefore now these bad actors have a bank account inside the American banking system that is used for a cornucopia of other frauds and crimes. When you can move money inside the American banking system, that's scary to me, that keeps me up at night. The crypto world, of course, it was designed to kind of hide and obfuscate, but when they're inside the American legitimate banking system, that worries us. And then once they're in there, of course, we can then follow and see what happens to the funds. But getting that basic ground zero bank account, it begets so much more for that fraudster. So I would beg banking institutions to please look at what they do to verify or vet or know your customer when they're allowing that business account to be opened.
Larry: I think the word you're looking for is legitimize. As soon as you have a corporation, and they can show “Hey, here's our corporate entity and oh, yeah, here's our bank account as well.” It just helps perpetuate the lie.
Ralph: Correct. It gives you that legitimate … legitimizes, like you said. We call it, what do I call it? Not vet, but if you, Larry, give me something, a good tip, right. And then I give that tip to one of my partners. My partner believes the things I tell them, and I believe things you tell me, but what if you didn't check on the person who told it to you, right? So the same thing with the banks. It looks like, hey, it must be good, so then downstream it legitimized that entity one further. So we had the Secretary of State record, that on face value seems to have legitimacy. Then we have the bank account, which also gives it another layer of legitimacy. And they're off to the races.
Larry: Now, I would think that fraudsters are going to look at, and they want to invest as little money as possible. I would think that depending on the fees that are charged by the Secretary of State, and of course you've got 50 different Secretaries of State, 50 different fee structures, et cetera, they're going to migrate towards the lowest cost places to register a business just to keep the overhead low.
And that if we did a sampling across the country, probably the lowest cost place to do business, whichever state that is, would probably see some of the highest fraud rates. Is that reasonable logic?
Ralph: That seems reasonable to me. I often do thought experiments of how to be the bad guy and go through this, and one of the things I would do and have done is where can I most easily affect certain frauds? Well, easy also goes to economical for the bad guy, they want cheaper is better. Now that isn't necessarily exclusive for the bad guys because they just use ID theft and credit card theft to then pay for the service or services as well. But having a lower amount of cost makes it definitely a lot easier for a fraudster.
I will know this: Business, just like credit, so let me give just a quick example. Issuers of credit, I know I was told by a big large phone company, their CEO told me one time. “Ralph, we have 10 seconds to issue credit before that customer goes down the street to our competitor. So we have 10 seconds. We have a limited amount of time. We don't want to restrict it”, right? So that's where that is. Well, same with businesses and Secretary of States, and Colorado is no different. We want to be a business-friendly state and that's great because the vast majority of businesses that are registering are legitimate. But what about those that aren't? So there has to be a balance of how you vet, what you vet, and won't prohibit or inhibit true business, but will help stem the tide of the fraudster.
Larry: So we're talking about businesses primarily that are in-state. There are also businesses that are in another state and want to register to do business in Colorado. So is there any difference in the registration process for an out of state business versus an in-state business? And are you seeing more fraud coming from those out of state registrations versus the in-state?
Ralph: I am not, at my level, not seeing more fraud from out of state registrations here. The system is set up to, again, be very business friendly, so I don't know the numbers on out of state filing fraudulent documents here. I would suggest that it's our businesses that are then taken out of state here being filed in other states or being used in other areas. I'm aware of that for sure. And working with our Secretary of State's office, I've got to say, they're not at the top of security, but they're really working and striving towards balancing this with what their mandates are. But as far as out of state business is being filed here, I have not seen an uptick of that.
Larry: OK. So the other thing that I wanted to touch on is, I know that if you're an out of state business and you want to do business within Colorado, you have to solicit a registered agent to be in the state.
So the registered agent themselves, can you speak to that and what are the pros and cons?
Ralph: Yes. So getting that business registered here, whether you're in-state or out of state, they need to have an in-state registered agent or have a mailing address here where they can be served various paperwork officially and/or get mail, right. Well, those addresses and/or names, they may be a real person, they may be a victim of identity theft, OK. So it's a real person that doesn't even know that their name and true ID is being used, and frankly, their true address. We have a lot of addresses that are used by the fraudsters because they're generic. They're a true address, but they're generic in nature, meaning that, I don't necessarily want to give out that information here to help anybody along, but it pools, if you will, that doesn't raise any eyebrows. But it should, because right now, if I see a business listing or business filing, I'll look at the address and if I don't already know it because of the constant use, I can simply Google it and go “Yep, that's definitely going to be something of a fraudster because of where it's listed at.”
Larry: OK. So the research I've done, registered agents pretty much around the country is, a registered agent has to have an address within the state, registered agent has to be over 18, and the last one, they have to be alive. So those three are pretty easy for most anyone to do. So pretty much anybody can be a registered agent for an out of state business. But I don't see where it says that you need to understand what the business is, you need to know the owner or the executives. So it seems as though they don't have to have any background at all, they’re literally, just are shifting the mail back and forth saying, “Hey, this official document came in and I'm going to mail this to you in Delaware, New Jersey, California, whatever.”
Ralph: Absolutely correct. I heard this again, that issue there Larry, I won't name, it's a syndicated talk show on Saturday afternoons here in Colorado about tech and that issue. Interesting that that person then, they're not going to also they're not going to, they could be a legitimate person here, but they're not verifying the veracity or the truthfulness of what they're being told. They're used, frankly, as a puppet, unwitting dupe. Is that a thing? And then they're using that, and then the bad guys are off to the races with their own schemes, where this middle man, this middle person, is not really the wiser on it. Now, should they be? I don't think right now the statute shows they should be and if it did show that they have to know certain things, they could be lied to and easily overcome our long arm of the law, if you will. We can't necessarily charge that individual under present statutes
Larry: So if a registered agent, all they're doing is they're taking and redirecting mail. Now the last time I checked, the Postal Service will mail out, out of Colorado to the other 49 states. Why they don't do that and why they need a registered agent to do that within the state is a little befuddling to me. But you add in the fact that this registered agent could be part of the scam or could be unwitting, as you mentioned.
I just don't see the value of it. And the reason why I keep harping on this is I see Colorado just put into effect that they're going to do a background check on the registered agents, but they're not going to do a background check on the businesses that are outside of Colorado. And that's the real problem.
Ralph: Sure. And it gets down to the volume. You know, I don't represent what the Secretary of State’s Office does with certain things, but I do have to say they have a high volume of work and there's only so many staff members and so much tech that they're currently using. How would, I'm not speaking for them, how do they get at this right? And I think they're making, there's some awareness that they're aware, Secretary of State's offices around the country, and looking at tools and other, maybe even some statutes that help them mitigate, hopefully some of this. It's drinking from a fire hose. God, I said I wouldn't use that today, but it really is. So how do we as the system, we meaning law abiding folks who want to stop fraud and curb it, how do we get at it? So it's partnerships, it's awareness, and I don't know if I answered your question.
Larry: No, you did. What I'm getting at is my personal feel is that the registered agent really is just kind of in the way. I just don't see any value that's added there because the mail can go directly to any address in the country. On top of that, now you turn around and go well, if you're going to take the time to vet the registered agents, since they're just in the way and adding no value, why aren't you vetting the owners and the board of directors. And now all of a sudden, my next question would be, are there tools out there that could help automate the process? I understand your point about drinking from the firehose, but if you can automate the process and be able to focus on just those that are coming in that you can flag through the automated process and say “Hey, these three percent look suspicious, this is where we're going to focus.” Do you know of any solutions out there that could do that? Or do you have any idea as to what the Secretary of State could layer on top to resolve this problem?
Ralph: Sure. First off, I'd like everybody to know I did get Larry to say drinking from a fire hose and I will win that one dollar bet, thank you. So I think the biggest term out nowadays, in the last, what, three months, is this thing called AI, artificial intelligence. What product or products are out there?
I guess I can ask ChatGPT. Let's ask it. So, but I do believe there's a technical response to this, meaning technological that you can look at data, vet it, verify it, and I see it used all the time. And I think that's one big spot. I think it runs in the background, I think it's, obviously it comes with the price. So you know, who knows? If certain entities, whether Banks, Secretary of States, if they can afford certain things, that's not for me to say, but there is AI product out there that I believe can mitigate greatly.
Larry: Well, that's great. We need to, I think, focus on that, and I think what we need to do is start looking at, from the standpoint of friction, we want to minimize the friction to legitimate businesses. But we also have to realize that some friction has to be put in place to protect those legitimate businesses from the fraudsters coming in, creating bad businesses and then trying to dupe them and steal their money. And as this increases, and as you pointed out, the Internet is a great way to obscure identities. They're going to hide behind the Internet, they're going to use a corporate name, whether it's account takeover or an account created from the ground up. Either way, they're out there to steal money and products from existing organizations, and somebody's got to start doing something about it because the bleeding is just going to get worse and worse.
Ralph: It absolutely is.
Larry: So, Ralph, I think we need to wrap up. Anything that you want to add?
Ralph: Yes, in wrapping up some of my comments today, if you are an issuer of credit or somebody involved in the decision of issuing credit, don't believe everything you read or see. Do your own diligence and make sure you're making informed decisions.
Larry: OK, Ralph. Thank you very much for your time. We certainly appreciate it. I owe you one dollar and hope to speak with you soon. Thank you.
Ralph: Yes. Thank you.
Narrator: Thank you for listening to this episode of the FraudKast. If you’re interested in learning more, head over to our website at FraudKast.com for more episodes, transcripts, and social media links. And remember, that’s FraudKast with a K, not a C. And to stay current on what’s occurring in the world of fraud, be sure to check out FraudoftheDay.com.
