The Federal Trade Commission’s (FTC) “Red Flags” Rules are grounded in the concept that consumers and businesses have to form a partnership to combat identity theft. If businesses ignore an event that signals possible identity theft, then consumers are helpless in trying to prevent their identity from being stolen and used to fraudulently purchase goods. The same applies for business-to-business transactions. There has to be a tiered approach to prevention. The multi-agency “Red Flags” Rules has sought to address this by outlining that companies must establish policies to detect, mitigate and respond to possible identity theft.
The Rules are not about data security; they are not about building a fortress to protect your own customers’ private information from hackers—there are already laws in place that address that. The “Red Flags” Rules are about preventing identity thieves from using someone else’s or another company’s identity to fraudulently purchase products from you. They are about creating a policy barrier to prevent identity thieves from profiting from their crimes.
If more companies, especially front line employees, practice due diligence in ensuring the identity of customers, fraudsters will have fewer venues in which to capitalize.
Under the FTC’s “Red Flags” Rules, entities must first determine if they are either considered a “financial institution” or a “creditor.” The regulation uses the definition of “creditor” as “businesses or organizations that regularly provide goods or services first and allow customers to pay later. Examples of groups that may fall within this definition are utilities, health care providers, lawyers, accountants, and other professionals, and telecommunications companies. This also applies to businesses that regularly grant loans, arrange for loans or the extension of credit, or make credit decisions. Examples include finance companies, mortgage brokers, and automobile dealers or retailers that offer financing or collect or process credit applications for third party lenders.” In addition, the definition includes anyone who regularly participates in the decision to extend, renew, or continue credit, including setting the terms of credit. Basically, this means that business-to-business creditors are considered “creditors” under the rule.
Second, a creditor or financial institution must provide “covered accounts” to be subject to the regulation. “Covered accounts” are broken into two categories: consumer accounts designed to permit multiple payments or transactions, and any other account that presents “reasonably foreseeable risk from identity theft.” This second type is a catch-all leaving businesses to make their own determination of the risks their accounts face. It does not mean “any risk from identity theft,” because, technically all accounts are going to face some sort of risk from identity theft because of the world we live in today. It means any type of account where there exists definitive potential for the person placing an order or asking for the extension of credit not to be the person they say they are or the company they represent or have the authority to place the order from the company they allegedly represent.
For example, if a creditor meets face-to-face with every customer that places an order and checks the relevant identification (photo ID, Social Security Number, etc.), secures verifiable addresses, contact points, shipping destination for goods, payment method and account numbers, the likelihood of identity theft is minimal. It doesn’t mean that it doesn’t exist entirely; there is always a chance since maybe the customer might actually be a master forgery artist. But the manner in which the company verifies the identity of new and existing customers means the chances for identity theft aren’t “reasonably foreseeable.”
On the other hand, if a company accepts applications and orders over the phone, e-mail or fax, and doesn’t practice due diligence in verifying that the person submitting the order is who they say they are before shipping product, the chance for an individual to be committing fraud via identity theft rises considerably. Because of this, these accounts are then considered as having “reasonably foreseeable risk from identity theft.” The easiest way to determine “reasonably foreseeable risk” of a particular company’s accounts is if that business has dealt with cases of fraud via identity theft in the past.
Credit managers know the vulnerabilities that exist in their company’s process and the potential for fraud that exists. They must come to their own conclusions about potential fraud, and, if they decide little to no risk exists, they then must continue to conduct periodic risk assessments to support that decision.
The Rules are trying to prevent companies from being lax in their approach to verifying a person or business’ identity before shipping goods. From the commercial credit perspective, companies should already be adhering to the tenets of the “Red Flags” Rules since there typically isn’t the safety net of a credit card company, bank or other third-party to absorb the costs of fraudulent purchases. If a commercial creditor is duped, that business directly eats the loss. Because of this, there are usually policies in place to reduce exposure to the risk from fraud. Simply, the “Red Flags” Rules are about enforcing due diligence of the front line functions and not letting the potential for a big dollar commission to cloud common sense, as well as ensuring that that due diligence is being followed up by the back office.
The best example I can think of for “reasonably foreseeable risk” in commercial credit fraud from identity theft, as well as the potential ill that can arise from a lack of due diligence, is the case of WESCO Distribution, Inc. For me, it clearly demonstrates in the most classic and basic sense what the FTC’s “Red Flags” Rules is trying to prevent and how often obvious red flags are ignored.
The WESCO Case: A Classic Example of Business-to-Business ID Theft
In July 2006, an individual claiming to be the branch manager of WESCO’s Cleveland, Ohio branch began placing purchase orders with several computer distributors for seemingly innocuous items such as toner, ink cartridges and computer memory sticks. The distributors took the orders and began sending invoices to the Cleveland branch, who, not knowing anything about them, then forwarded those invoices on to corporate. Corporate was intrigued, but thought it was an isolated incident.
Shortly thereafter, a similar situation came to light as someone posing as WESCO’s chief executive officer (CEO) began submitting orders for the same items. They’d place an order for several thousand dollars and ask for a line of credit. From that point, everything picked up speed and the number of incidents began to soar into the hundreds.
- Almost all of the transactions took place over the internet and the salesmen for the distributors failed to place a single phone call to verify any of the information or authority. The e-mails from the individual claiming to be WESCO’s CEO and others provided a series of phone numbers, and if any of these would have been dialed, they would have been found out as being fictitious or disconnected. Laziness and greed torpedoed the logic of salesmen.
- The perpetrators would pose anywhere from a corporate executive at WESCO, to a purchasing agent, to one of the company’s 400 branch managers. In some cases it would be a genuine person, like the CEO, CFO or a number of other executives, or it would be a common name plucked from the air that with WESCO’s large employee base, one so happened to exist.
- The vast majority of the contact was done via e-mail, originating from fraudulent e-mail addresses that had ‘WESCO’ somewhere in the name. For example, slight variations like @wescodists.com and @wescocompany.com first appeared, and then followed by more obvious frauds like email@example.com and firstname.lastname@example.org. But salesmen did not stop and think why would a company that does $5 billion a year in sales use free e-mail addresses? WESCO collected more than 40 different e-mail addresses and at least two dozen different individuals that the scammers posed as.
- On first contact, the fraudsters would ask for a quote, and once that was received, they would come back with a purchase order. The purchase order, a fairly uniform document, would be legitimate looking enough, including a WESCO logo that had been extracted from one of the company’s websites and placed in the letterhead to make it look more official.
- The fraudulent purchase order was typically for between $30,000 and $60,000 and they would ask for net 30 day terms and that the items be shipped overnight. Most of the time they were given some kind of a line of credit, either partial or whole.
- If a credit application was sent to be filled out, the fraudsters could fill it out since the information was readily available. WESCO is a publicly traded company and the pertinent information could be gathered through one of the company’s websites or through its prospectus. To add to the convincing scheme, the fraudsters were armed with WESCO’s Dun & Bradstreet number, which was also readily available, as well as some of WESCO’s references.
- After making an order, the fraudsters would provide a point of contact which was usually a residential address somewhere in the United States, not a warehouse or distribution center. And in every single case, the address was different than where the person making the order was supposedly located.
Between July 2006 and the end of 2007, fraudsters portraying as WESCO representatives hit at least 1,500 companies. The assault didn’t slow and in the first quarter of 2008, another 200 companies contacted WESCO reporting they had received fraudulent purchase orders in the company’s name. The lack of follow through cost some of the scammed companies as much as $750,000 and some smaller firms were outright ruined by the fraud.
More frustrating for WESCO was convincing law enforcement agencies to pursue the case because though WESCO’s identity as a corporation was being used fraudulently, it wasn’t technically a victim and wasn’t suffering a monetary loss, just a reputational one. It was final able to convince law enforcement that in itself was theft. The company has worked diligently to put a stop to the identity theft and stress to first time vendors or any companies that have any suspicions about an order to contact the company directly.
In the WESCO case, ultimately two men were arrested. It represents how easy a massive scam can be perpetrated in today’s environment where more and more business is being done electronically and face-to-face contact is disappearing. WESCO also developed its own set of “red flags” that it handed out to its sales and order staff, using the lessons learned from above, to prevent it from becoming a victim of similar fraud.
For commercial creditors, this is the classic case of fraud via identity theft that the FTC’s “Red Flags” Rules is trying to prevent. The Rules reiterate: Make that simple phone call. Google an address if it is different than one normally given. If something seems suspicious, act, don’t shrug.
These are the matters that companies must consider when weighing “reasonably foreseeable risk from identity theft” on their accounts. Companies have to ask themselves at which point would their policies and procedures kick in to avoid them being the victim of the kind of scheme outlined above, and whether could they even be victim of such a scheme in the first place. Maybe, the most important aspect to note is that probably the majority of company ies that accepted a purchase order from the fraudsters portraying as a WESCO representative would be fined under the FTC’s “Red Flags” Rules for violating the regulation.
To read the entire version of the WESCO case, NACM members can refer to the May 2008 issue of Business Credit magazine and the article, “Attack of the Doppelgangers.”
Matthew Carr, NACM staff writer. Follow us on Twitter @NACM_National