As our industry grows and gains credibility among borrowers and investors, private lenders must proactively guard against a concerning new digital risk.
This article was originally published in the American Association of Private Lenders’ Fall 2023 issue of Private Lender Magazine.
Where there is money to be made, there is the potential for fraud. Always.
In today’s digital lending world, the multitude of opportunities for bad actors to, well, act badly, is ever increasing and ever more sophisticated. You may be familiar with (and have personally seen a time or two hundred) “common” fraud, like borrowers faking income statements, email phishing attempts, ransomware, and elaborate wire transfer schemes.
Most of these require some element of interaction with your business, a knowledge of how things work, and where your weak points are. You can (and should) train your staff against them, educate your borrowers, hire or outsource cybersecurity experts, and purchase insurance.
When a fraudster hijacks your business’s identity–your website, your name, your reputation–it won’t be because an employee unwittingly clicked a malicious link or didn’t properly verify loan documentation. There is no training or awareness campaign that can prevent it because it’s not predicated on any exposure or attack point. It’s entirely external.
What Is Business Identity Theft?
“Imagine you’re at home one night and receive a phone call from a borrower. He asks if you’ll be funding his loan, reminds you of the fee he paid, and wonders why you stopped communicating. The problem? You’ve never heard of him before.”
– Jeff Smallowitz, Private Lending Direct
For private lenders, business identity theft generally looks like this:
It’s You, But Not Quite You. You’re ABC Lender LLC. The scammer has cloned your website, ABClenderllc.com, but to a domain (XYZlenderllc.com) that doesn’t remotely resemble your business. They’ve also changed key details within the content of their new cloned site, like your company name (now XYZ Lender LLC), logo, location, and, of course, contact information and inbound lead forms.
The brand colors will still be yours, as is all the content that differentiates you and makes ABC Lender, well, ABC Lender. Your face will probably still be up as the CEO, but instead of John Somebody you’ll be James Someday. And these are scammers, so some of the other pertinent details will fall through the cracks in their effort to separate ABC from XYZ: social links still go to you, your embedded videos are still up (and linked to your YouTube), and many of the internal pages will still have ABC-identifying information.
The fraudster will have spun up a host of fake social media accounts for brokers and real estate agents, planted them in popular online groups and forums, and have them make referrals and friendly recommendations to drive borrowers to the cloned site. The cloned site looks legitimate, because it was, up until it was stolen.
It’s All You. These scammers aren’t just stealing your hard work to make themselves look and sound legitimate (with breadcrumbs that lead alert borrowers back to you). Their goal is to defraud people using your business, your name, and your reputation. You’re ABC Lender LLC; they’re ABC Lender LLC. Your site is at ABClenderllc.com; theirs is ABClenderllc.net. You’re John Somebody; they’re John Somebody. Your site looks exactly like their site (except location, contact information, and inbound lead forms).
It’s So You, It’s Actually You. One lender, Jeff Smallowitz, didn’t have a website to clone. But he has a longstanding reputation in the business, is well-known in local investment groups for face-to-face lending, and a California Finance Lender License (which is likely how the fraudsters found him). Scammers built a website with their phone number, but his name, his company … and his home address.
And Then the Shoe Drops
When a borrower gets desperate enough after sinking thousands of dollars into application fees, down payments, underwriting fees, pre-closing fees, this-fee-I-just-made-up fees, they also (finally) get desperate enough to start digging.
In the cases we know of, borrowers landed in front of the “real” private lender by:
- Clicking through the cloned site to find out where to blast them on Google Reviews or social media.
- Google searching the business name to land on the real site to send angry emails and phone calls.
- Skip-tracing a home phone number using information on the cloned and/or real lender site.
- Process serving a lawsuit.
Universally, these borrowers had not yet realized the lender was also a victim of fraud and that the scammer and lender were not the same. Many of them hadn’t yet realized they’d fallen victim to a scam at all, still believing the situation could be fixed and their money returned.
Enter AAPL
In all but one case (the private lender who didn’t have a website), by the time the borrowers found the “real” lender, that lender already had a heads up on the situation. This is because, in every case, the lender was a member of the American Association of Private Lenders and prominently displayed the member emblem on their site.
Either because fraudsters don’t realize what AAPL is or are hoping to use our credentialing to earn the trust of unwary borrowers, when these bad actors clone a site, they leave our emblem in place. And savvier borrowers will reach out to verify membership and potential red flags. We in turn check against known contact information, help borrowers understand the indicators that demonstrate they are not actually working with ABC Lending LLC or John Somebody, and then direct them to fraud victim recovery resources.
Then we send a very bad news email to our member, along with next steps to get the fraudster site shut down (See DIY Fraudbuster Guide). But that takes time, sometimes months (if we’re successful at all). In the interim, lenders must deal with a 1-2-3-4 punch to their time, reputation, budget, and sometimes personal lives.
It’s Not Enough
When we point out that every business identity theft victim we know of was also displaying our member emblem, we’re aware this is the definition of confirmation bias. How many fraudsters removed the emblem from a cloned site? How many borrowers never reached out to verify membership? How many members are not displaying the (entirely voluntary) credentials? How many more private lender victims aren’t AAPL members?
The larger picture issue here is that technology makes this scam easy to perpetuate. It’s easy to buy domains, clone websites, and replace information. Many bad actors have backup copies ready to spin up when a cloned site is shut down. Most of these scammers operate internationally in countries known for ignoring this kind of activity, so there’s little permanent recourse. Simply put, mitigating business identity theft is like playing a game of whack-a-mole.
The solution is to make things less easy, more uncomfortable, and even outright inhospitable for scammers—both for individual fraud events and as an industry. The more we can monitor for potential threats and the faster we can react, the more time, effort, and money fraudsters are forced to put into the scheme. Eventually they give up and move on to an easier target.
Long term, preventing fraud and reacting quickly to crack down on it is a powerful weight in our favor against new regulation or licensing requirements. Scammers don’t care whether they are defrauding businesses or consumers. When an industry becomes a haven for fraud, government has historically viewed the easiest way to “protect the public” as requiring a license to practice.
You Don’t Need to DIY (and Probably Shouldn’t)
Where there is fraud, there are people who make it their business to fight it (literally). Online Brand Protection is a growing sector of cybersecurity, encompassing monitoring for domains, social media, mobile apps, and the web.
In our industry, it looks like counterfeit monitoring, but for content and brands rather than knock-off products. Companies specializing in these services use machine-learning technology to:
- Create domain watchlists so brands don’t have to purchase every iteration of their name.
- Monitor for site cloning and social media impersonation.
- Monitor for usage of protected images (like trademarked logos and emblems).
On finding fraudulent activity, they have Fastlane processes to rapidly:
- Inject decoy data into scammer phishing forms, hiding victims’ “real” data in a bunch of looks-real-but-actually-fake information.
- Have web browsers place “go back!” alerts on fraud sites.
- Take down fake social media profiles that directly refer borrowers to the fraud site.
- Take down the fraud site via the site registrar and/or hosting provider.
This multipronged monitoring and mitigation approach means that brand protection specialists can usually find and remove fraudulent activity within days, if not hours, and often before anyone falls victim to the scam. These services range from software-as-a-service with high-touch/monitoring required from the user to all-inclusive packages with human-reviewed alerts.
Enter AAPL (Again)
As the oldest and largest association for the private lending profession, we have a responsibility to be aware of everywhere our name is used and where our logo and member emblem appear. We must be proactive in safeguarding the industry by shutting down fraudsters pretending AAPL membership to gain borrower trust and by stepping up monitoring so we can alert members to potential business identity theft and other scam activity. We cannot rely on victims to be our canary in a coal mine.
To that end, we researched, interviewed, and vetted more than 20 of the top online brand protection providers. Several work with financial services clients and hit the right blend of technology and account management. Ultimately, there is only one we feel confident can meet most of our members’ needs across service offerings and price point.
Allure Security (alluresecurity.com) will monitor not only AAPL brand assets but also member site content. Allure Security also understands the importance of reacting quickly to protect lenders and borrowers when business identity theft occurs. As part of its partnership with AAPL, Allure Security will take down members’ first cloned site.
We also encourage members to proactively take advantage of a 30% AAPL Member Discount on Allure Security services that include advanced domain and cloned site monitoring, blocklisting from search engines, data decoy injection into phishing forms, and social media monitoring. AAPL receives no compensation or affiliate fee.
Locking down your brand assets will protect your reputation and prevent diverting untold resources to respond to threats after they’ve already gained a foothold. Importantly, doing so will also contribute to a broader effort to make our industry a safe, trusted place for borrowers, investors, service providers, and lenders to conduct business. Reach us at contact@aaplonline.com for more information and to get started today.
DIY Fraudbuster Guide
Gather Intel
There are several providers for these tools. Below are recommendations that tend to have more complete information.
1. Find the registrar of the scam site by searching the domain at lookup.icann.org/en.
- The search result may include an abuse contact email or phone number.
- Otherwise, search the registrar’s website for abuse notification process.
2. Find the IP address of the scam site domain using “Website to IP Lookup” at NSLookup.io.
- Search the resultant IP address at search.arin.net.
- On the ARIN results, find the abuse team contact information for the site’s hosting provider.
3. Ask borrowers how they found the fraudster site.
- Links to referring social media profiles
- Links to social media forums and/or groups
- If via internet search, what search engine and term(s)
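The registrar and abuse-contact lookups in steps 1 and 2 can be automated, because lookup.icann.org and ARIN both serve the same RDAP JSON format (entities with a `roles` list and a vCard array). The parser below is an added example, not AAPL’s or any provider’s code; the sample document, registrar name, email and phone number are constructed for illustration.

```python
import json

# Constructed sample modelled on the RDAP JSON shape returned by lookup.icann.org and
# rdap.arin.net; every name, handle, email and phone here is made up for illustration.
SAMPLE_DOMAIN_RDAP = json.dumps({
    "objectClassName": "domain", "ldhName": "abclenderllc.example",
    "entities": [{
        "objectClassName": "entity", "roles": ["registrar"],
        "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                 ["fn", {}, "text", "Example Registrar, Inc."]]],
        "entities": [{
            "objectClassName": "entity", "roles": ["abuse"],
            "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                     ["fn", {}, "text", "Abuse Desk"],
                                     ["email", {}, "text", "abuse@registrar.example"],
                                     ["tel", {"type": ["voice"]}, "uri", "tel:+1.5555550100"]]],
        }],
    }],
})

def _vcard_values(entity, field):
    """Return every value of one vCard property ('fn', 'email', 'tel') on an RDAP entity."""
    props = (entity.get("vcardArray") or ["vcard", []])[1]
    return [p[3] for p in props if p[0] == field]

def _walk_entities(obj):
    """Yield every entity in an RDAP object, nested ones included (ARIN nests abuse POCs)."""
    for ent in obj.get("entities", []):
        yield ent
        yield from _walk_entities(ent)

def abuse_contacts(rdap_text):
    """Return (name, email, phone) for every entity carrying the 'abuse' role, or [] if none."""
    doc = json.loads(rdap_text)
    found = []
    for ent in _walk_entities(doc):
        if "abuse" not in ent.get("roles", []):
            continue
        name = (_vcard_values(ent, "fn") or [ent.get("handle", "?")])[0]
        emails = _vcard_values(ent, "email")
        phones = [t.removeprefix("tel:") for t in _vcard_values(ent, "tel")]
        found.append((name, emails[0] if emails else None, phones[0] if phones else None))
    return found

def registrar_name(rdap_text):
    """Return the registrar's organisation name from a domain RDAP document, or None."""
    for ent in _walk_entities(json.loads(rdap_text)):
        if "registrar" in ent.get("roles", []):
            return (_vcard_values(ent, "fn") or [None])[0]
    return None
```

Feed the function the raw JSON saved from the ICANN lookup (for the registrar) or the ARIN lookup of the site’s IP address (for the hosting provider) and record what it returns in your file.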
Build Your File
1. Keep track of affected borrowers
- Name and contact details
- Amount they were each defrauded
- How they found the fraud site
- Where they have submitted complaints
- If their complaints name you/your business
2. Document the fraud site.
You may consider an all-in-one site archiving software like Stillio (stillio.com), Pagefreezer (pagefreezer.com), or TrueScreen (truescreen.com).
a. Site screenshots that include the domain
b. Video recordings of a screenshare as you navigate the fraud site
3. Track where you’ve reported (see below)
Report, Report, Report
Your goal here is to make law enforcement aware (and proactively protect yourself from possible recourse against you), stop referral traffic, and take down the fraudulent site.
1. Government agencies and law enforcement
- Attorney General—Your state and the fraudster’s “business location”: https://www.naag.org/find-my-ag/
- Federal Trade Commission: https://reportfraud.ftc.gov
- US Cybersecurity and Infrastructure Security Agency: email phishing-report@us-cert.gov
- Federal Bureau of Investigation Internet Crime Complaint Center: https://www.ic3.gov/Home/FileComplaint
2. Report abuse to domain registrar and website hosting service.
Each provider will have their own reporting methods. Common methods:
- Abuse phone number, form, or email from ARIN search results
- DMCA takedown notice
- Additional international resources via the World Intellectual Property Organization (https://www.wipo.int/members/en)
3. Report referring social media profiles.
- To the platform: Most providers will have some kind of abuse/report button for posts and profiles.
- To the group/forum: Message the group/forum moderators to block the profiles and request they alert their members.
4. Report for blocklisting in web browsers and email services:
- Google (used by Chrome, Firefox, Safari): https://safebrowsing.google.com/safebrowsing/report_phish/?hl=en
- Microsoft (used by Edge and IE): https://www.microsoft.com/en-us/wdsi/support/report-unsafe-site-guest
Alert Others
1. Create a quick-reference sheet based on this Guide but with specifics of what to report and where to go.
a. Fraud site information
b. Specific pages where phishing occurs
c. Registrar, hosting, and social media reporting links
2. Send your quick reference to affected parties.
a. Anyone whose logo or name also appears on the cloned site
b. Defrauded borrowers
c. American Association of Private Lenders
We will pass your sheet on to borrowers who reach out to us directly.
Engage Expert Help
AAPL Members receive a 30% discount off all Allure Security services. We have engaged Allure Security for AAPL brand and limited member site monitoring. We do not receive compensation or any affiliate fee for members who enlist their services. Reach us at contact@aaplonline.com for more information and to get started today.
Allure Security
Both members and non-members may sign up for a free trial at https://alluresecurity.com/aapl.
1. Domain and Web Impersonation Monitoring (We recommend this for most members.)
- Similar domain detection
- Web beacon deployment (advanced cloned site alert)
- Blocklisting from web browsers, email services, etc.
- Data decoy injections into phishing forms
- Fraud site take down
2. Social Media Impersonation and Monitoring (brand and/or company executives)
We recommend this for larger lenders or lenders who have previously experienced impersonation attacks.
- Monitoring on Facebook, LinkedIn, Instagram, Twitter
- Profile take down
Kat Hungerford is executive editor of Private Lender magazine and digital project manager at the American Association of Private Lenders. She specializes in operations, project management, and marketing. Hungerford also acts as secretary for the association’s Government Relations Committee, which serves as AAPL’s advocacy arm in Congress and state legislatures. AAPL is the oldest and largest national organization representing the private lending profession. The association supports the industry’s dedication to best practices by providing educational resources, instilling oversight processes, and fighting regulatory encroachment. Find more information at aaplonline.com.