The Federal Trade Commission's (FTC) "Red Flags" Rules are grounded in the concept that consumers and businesses have to form a partnership to combat identity theft. If businesses ignore an event that signals possible identity theft, then consumers are helpless in trying to prevent their identity from being stolen and used to fraudulently purchase goods. The same applies to business-to-business transactions. There has to be a tiered approach to prevention. The multi-agency "Red Flags" Rules have sought to address this by requiring companies to establish policies to detect, mitigate and respond to possible identity theft.
The Rules are not about data security; they are not about building a fortress to protect your own customers' private information from hackers, since there are already laws in place that address that. The "Red Flags" Rules are about preventing identity thieves from using someone else's or another company's identity to fraudulently purchase products from you. They are about creating a policy barrier to prevent identity thieves from profiting from their crimes.
If more companies, especially front line employees, practice due diligence in ensuring the identity of customers, fraudsters will have fewer venues in which to capitalize.
Under the FTC's "Red Flags" Rules, entities must first determine whether they are considered a "financial institution" or a "creditor." The regulation defines "creditor" as "businesses or organizations that regularly provide goods or services first and allow customers to pay later. Examples of groups that may fall within this definition are utilities, health care providers, lawyers, accountants, and other professionals, and telecommunications companies. This also applies to businesses that regularly grant loans, arrange for loans or the extension of credit, or make credit decisions. Examples include finance companies, mortgage brokers, and automobile dealers or retailers that offer financing or collect or process credit applications for third party lenders." In addition, the definition includes anyone who regularly participates in the decision to extend, renew, or continue credit, including setting the terms of credit. Basically, this means that business-to-business creditors are considered "creditors" under the rule.
Second, a creditor or financial institution must provide "covered accounts" to be subject to the regulation. "Covered accounts" are broken into two categories: consumer accounts designed to permit multiple payments or transactions, and any other account that presents "reasonably foreseeable risk from identity theft." This second type is a catch-all that leaves businesses to make their own determination of the risks their accounts face. It does not mean "any risk from identity theft," because, technically, all accounts face some sort of risk from identity theft in the world we live in today. It means any type of account where there is definite potential that the person placing an order or asking for an extension of credit is not who they say they are, does not represent the company they claim to, or lacks the authority to place the order on behalf of the company they allegedly represent.
For example, if a creditor meets face-to-face with every customer that places an order and checks the relevant identification (photo ID, Social Security Number, etc.), and secures verifiable addresses, contact points, shipping destination for goods, payment method and account numbers, the likelihood of identity theft is minimal. That doesn't mean the risk disappears entirely; there is always a chance that the customer is a master forgery artist. But the manner in which the company verifies the identity of new and existing customers means the chances of identity theft aren't "reasonably foreseeable."
On the other hand, if a company accepts applications and orders over the phone, e-mail or fax, and doesn't practice due diligence in verifying that the person submitting the order is who they say they are before shipping product, the chance that an individual is committing fraud via identity theft rises considerably. Because of this, these accounts are considered as having "reasonably foreseeable risk from identity theft." The easiest way to determine the "reasonably foreseeable risk" of a particular company's accounts is whether that business has dealt with cases of fraud via identity theft in the past.
Credit managers know the vulnerabilities that exist in their company's process and the potential for fraud that exists. They must come to their own conclusions about potential fraud, and, if they decide little to no risk exists, they must then continue to conduct periodic risk assessments to support that decision.
The Rules are trying to prevent companies from being lax in their approach to verifying a person's or business's identity before shipping goods. From the commercial credit perspective, companies should already be adhering to the tenets of the "Red Flags" Rules, since there typically isn't the safety net of a credit card company, bank or other third party to absorb the costs of fraudulent purchases. If a commercial creditor is duped, that business directly eats the loss. Because of this, there are usually policies in place to reduce exposure to the risk of fraud. Simply put, the "Red Flags" Rules are about enforcing due diligence in the front line functions, not letting the potential for a big dollar commission cloud common sense, and ensuring that due diligence is being followed up by the back office.
The best example I can think of for "reasonably foreseeable risk" in commercial credit fraud from identity theft, as well as the potential ill that can arise from a lack of due diligence, is the case of WESCO Distribution, Inc. For me, it clearly demonstrates in the most classic and basic sense what the FTC's "Red Flags" Rules are trying to prevent and how often obvious red flags are ignored.
The WESCO Case: A Classic Example of Business-to-Business ID Theft
In July 2006, an individual claiming to be the branch manager of WESCO's Cleveland, Ohio branch began placing purchase orders with several computer distributors for seemingly innocuous items such as toner, ink cartridges and computer memory sticks. The distributors took the orders and began sending invoices to the Cleveland branch, which, not knowing anything about them, forwarded those invoices on to corporate. Corporate was intrigued, but thought it was an isolated incident.
Shortly thereafter, a similar situation came to light as someone posing as WESCO's chief executive officer (CEO) began submitting orders for the same items. They'd place an order for several thousand dollars and ask for a line of credit. From that point, everything picked up speed and the number of incidents began to soar into the hundreds.
- Almost all of the transactions took place over the internet, and the salesmen for the distributors failed to place a single phone call to verify any of the information or authority. The e-mails from the individual claiming to be WESCO's CEO and others provided a series of phone numbers, and if any of these had been dialed, they would have been found to be fictitious or disconnected. Laziness and greed torpedoed the logic of salesmen.
- The perpetrators would pose as anyone from a corporate executive at WESCO, to a purchasing agent, to one of the company's 400 branch managers. In some cases it would be a genuine person, like the CEO, CFO or a number of other executives; in others it would be a common name plucked from the air that, given WESCO's large employee base, happened to belong to a real employee.
- The vast majority of the contact was done via e-mail, originating from fraudulent e-mail addresses that had "WESCO" somewhere in the name. For example, slight variations like @wescodists.com and @wescocompany.com appeared first, followed by more obvious frauds like firstname.lastname@example.org and email@example.com. But salesmen did not stop and think about why a company that does $5 billion a year in sales would use free e-mail addresses. WESCO collected more than 40 different e-mail addresses and at least two dozen different individuals that the scammers posed as.
- On first contact, the fraudsters would ask for a quote, and once that was received, they would come back with a purchase order. The purchase order, a fairly uniform document, would look legitimate enough, including a WESCO logo that had been extracted from one of the company's websites and placed in the letterhead to make it look more official.
- The fraudulent purchase order was typically for between $30,000 and $60,000, and they would ask for net 30 day terms and that the items be shipped overnight. Most of the time they were given some kind of a line of credit, either partial or whole.
- If a credit application was sent to be filled out, the fraudsters could fill it out, since the information was readily available. WESCO is a publicly traded company and the pertinent information could be gathered through one of the company's websites or through its prospectus. To add to the convincing scheme, the fraudsters were armed with WESCO's Dun & Bradstreet number, which was also readily available, as well as some of WESCO's references.
- After making an order, the fraudsters would provide a point of contact which was usually a residential address somewhere in the United States, not a warehouse or distribution center. And in every single case, the address was different from where the person making the order was supposedly located.
Between July 2006 and the end of 2007, fraudsters posing as WESCO representatives hit at least 1,500 companies. The assault didn't slow, and in the first quarter of 2008 another 200 companies contacted WESCO reporting they had received fraudulent purchase orders in the company's name. The lack of follow-through cost some of the scammed companies as much as $750,000, and some smaller firms were outright ruined by the fraud.
More frustrating for WESCO was convincing law enforcement agencies to pursue the case, because though WESCO's identity as a corporation was being used fraudulently, it wasn't technically a victim and wasn't suffering a monetary loss, just a reputational one. It was finally able to convince law enforcement that this in itself was theft. The company has worked diligently to put a stop to the identity theft and stresses to first-time vendors, or any companies that have any suspicions about an order, to contact the company directly.
In the WESCO case, ultimately two men were arrested. It shows how easily a massive scam can be perpetrated in today's environment, where more and more business is being done electronically and face-to-face contact is disappearing. WESCO also developed its own set of "red flags," using the lessons learned from above, that it handed out to its sales and order staff to prevent it from becoming a victim of similar fraud.
For commercial creditors, this is the classic case of fraud via identity theft that the FTC's "Red Flags" Rules are trying to prevent. The Rules reiterate: Make that simple phone call. Google an address if it is different from the one normally given. If something seems suspicious, act, don't shrug.
These are the matters that companies must consider when weighing "reasonably foreseeable risk from identity theft" on their accounts. Companies have to ask themselves at which point their policies and procedures would kick in to avoid their being the victim of the kind of scheme outlined above, and whether they could even be a victim of such a scheme in the first place. Maybe the most important aspect to note is that probably the majority of companies that accepted a purchase order from the fraudsters posing as a WESCO representative would be fined under the FTC's "Red Flags" Rules for violating the regulation.
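The WESCO indicators listed above (a lookalike or free-mail sender domain, a residential ship-to that differs from the buyer's stated location, a large order on credit terms with overnight shipping, and no independent call-back) can be turned into a simple order-screening check that holds a purchase order for the credit desk instead of releasing it. This is an added illustration, not code from the article, NACM or WESCO; the company name, domains and the two sample orders are constructed placeholders.

```python
from dataclasses import dataclass

# Common free-mail providers (assumed list, not from the article).
FREE_MAIL = {"gmail.com", "yahoo.com", "hotmail.com", "aol.com"}

@dataclass
class PurchaseOrder:
    contact_email: str
    stated_location: str        # city the buyer claims to be ordering from
    ship_to: str                # city of the requested delivery address
    ship_to_residential: bool   # residential rather than warehouse address
    amount_usd: float
    credit_terms: bool          # buyer asked for net-30 style terms
    overnight: bool             # buyer asked for overnight shipping
    phone_verified: bool        # buyer reached via an independently sourced number

def red_flags(po: PurchaseOrder, company: str, known_domains: set) -> list:
    """Return the WESCO-style indicators present on one incoming order."""
    flags = []
    domain = po.contact_email.rsplit("@", 1)[-1].lower()
    if domain in FREE_MAIL:
        flags.append("free webmail address for a large corporate buyer")
    elif domain not in known_domains and company.lower() in domain:
        flags.append(f"lookalike domain {domain} not owned by {company}")
    elif domain not in known_domains:
        flags.append(f"unknown sender domain {domain}")
    if po.ship_to_residential:
        flags.append("ship-to is a residential address")
    if po.ship_to.lower() != po.stated_location.lower():
        flags.append("ship-to differs from where the buyer says they are")
    if po.credit_terms and po.overnight and po.amount_usd >= 30_000:
        flags.append("large order on credit terms with overnight shipping")
    if not po.phone_verified:
        flags.append("no call-back through an independently sourced number")
    return flags

def disposition(po: PurchaseOrder, company: str, known_domains: set) -> str:
    """'release' only when nothing matched; otherwise hold for the credit desk."""
    return "hold" if red_flags(po, company, known_domains) else "release"

# Constructed sample data: the buyer's genuine domain and two incoming orders.
KNOWN = {"examplecorp.com"}
LEGIT = PurchaseOrder("buyer@examplecorp.com", "Pittsburgh", "Pittsburgh",
                      False, 12_000, True, False, True)
FAKE = PurchaseOrder("ceo@examplecorp-dist.com", "Pittsburgh", "Phoenix",
                     True, 45_000, True, True, False)

if __name__ == "__main__":
    for po in (LEGIT, FAKE):
        print(disposition(po, "ExampleCorp", KNOWN), red_flags(po, "ExampleCorp", KNOWN))
```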
To read the entire version of the WESCO case, NACM members can refer to the May 2008 issue of Business Credit magazine and the article, "Attack of the Doppelgangers."
Matthew Carr, NACM staff writer. Follow us on Twitter @NACM_National