As our industry grows and gains credibility among borrowers and investors, private lenders must proactively guard against a concerning new digital risk.

“Imagine you’re at home one night and receive a phone call from a borrower. He asks if you’ll be funding his loan, reminds you of the fee he paid, and wonders why you stopped communicating. The problem? You’ve never heard of him before.” – Jeff Smallowitz, Private Lending Direct

Where there is money to be made, there is the potential for fraud. Always.

In today’s digital lending world, the multitude of opportunities for bad actors to, well, act badly, is ever increasing and ever more sophisticated. You may be familiar with (and have personally seen a time or two hundred) “common” fraud, like borrowers faking income statements, email phishing attempts, ransomware, and elaborate wire transfer schemes.

Most of these require some element of interaction with your business, a knowledge of how things work, and where your weak points are. You can (and should) train your staff against them, educate your borrowers, hire or outsource cybersecurity experts, and purchase insurance.

When a fraudster hijacks your business’s identity—your website, your name, your reputation—it won’t be because an employee unwittingly clicked a malicious link or didn’t properly verify loan documentation. There is no training or awareness campaign that can prevent it because it’s not predicated on any exposure or attack point. It’s entirely external.

What Is Business Identity Theft?

For private lenders, business identity theft generally looks like this:

It’s You, But Not Quite You. You’re ABC Lender LLC. The scammer has cloned your website, ABClenderllc.com, but to a domain (XYZlenderllc.com) that doesn’t remotely resemble your business. They’ve also changed key details within the content of their new cloned site, like your company name (now XYZ Lender LLC), logo, location, and, of course, contact information and inbound lead forms.

The brand colors will still be yours, as will all the content that differentiates you and makes ABC Lender, well, ABC Lender. Your face will probably still be up as the CEO, but instead of John Somebody you’ll be James Someday. And these are scammers, so some of the other pertinent details will fall through the cracks in their effort to separate ABC from XYZ: social links still go to you, your embedded videos are still up (and linked to your YouTube), and many of the internal pages will still have ABC-identifying information.

The fraudster will have spun up a host of fake social media accounts for brokers and real estate agents, planted them in popular online groups and forums, and have them make referrals and friendly recommendations to drive borrowers to the cloned site. The cloned site looks legitimate, because it was, up until it was stolen.

It’s All You. These scammers aren’t just stealing your hard work to make themselves look and sound legitimate (with breadcrumbs that lead alert borrowers back to you). Their goal is to defraud people using your business, your name, and your reputation. You’re ABC Lender LLC; they’re ABC Lender LLC. Your site is at ABClenderllc.com; theirs is ABClenderllc.net. You’re John Somebody; they’re John Somebody. Your site looks exactly like their site (except location, contact information, and inbound lead forms).

It’s So You, It’s Actually You. One lender, Jeff Smallowitz, didn’t have a website to clone. But he has a longstanding reputation in the business, is well-known in local investment groups for face-to-face lending, and holds a California Finance Lender License (which is likely how the fraudsters found him). Scammers built a website with their phone number, but his name, his company … and his home address.
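The leftovers described above (social links and embedded videos that still point to the real lender, the real brand name on internal pages, a same-name domain on a different TLD) can be checked mechanically once a suspect URL is reported. This is an added Python example, not AAPL's or any vendor's tooling; the social and video URLs, the indicator names, and the sample HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed profile of the real lender (article's placeholder names; asset URLs are hypothetical).
LEGIT = {"domain": "abclenderllc.com", "brand": "abc lender",
         "assets": ("facebook.com/abclenderllc", "youtube.com/embed/abc-intro-video")}

# Constructed sample: a clone whose name was changed but whose leftovers were not.
SAMPLE_CLONE_HTML = """<h1>XYZ Lender LLC</h1>
<a href="https://www.facebook.com/abclenderllc">Facebook</a>
<iframe src="https://www.youtube.com/embed/abc-intro-video"></iframe>
<p>About ABC Lender: we fund fast.</p>
<form action="/apply"><input name="phone"></form>"""

class Collector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.urls, self.forms, self.text = [], [], []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append(a.get("action") or "")
        elif a.get("href") or a.get("src"):
            self.urls.append((a.get("href") or a.get("src")).lower())
    def handle_data(self, data):
        self.text.append(data.lower())

def host_of(url):
    return (urlparse(url).hostname or "").removeprefix("www.")

def is_legit_host(host, legit):
    return host == legit["domain"] or host.endswith("." + legit["domain"])

def clone_indicators(page_url, html, legit=LEGIT):
    """Return the sorted indicator names found on a page not served by the real domain."""
    host = host_of(page_url)
    if is_legit_host(host, legit):
        return []
    page = Collector()
    page.feed(html)
    # Naive name comparison on the label left of the TLD (no public-suffix handling).
    checks = {
        "same-name-different-tld": host.split(".")[-2:-1] == legit["domain"].split(".")[-2:-1],
        "links-to-legit-domain": any(is_legit_host(host_of(u), legit) for u in page.urls),
        "legit-social-or-video-link": any(a in u for u in page.urls for a in legit["assets"]),
        "legit-brand-in-text": legit["brand"] in " ".join(page.text),
        "collects-form-data": bool(page.forms),
    }
    return sorted(name for name, hit in checks.items() if hit)
```

A page that collects form data while carrying any of the other indicators is the combination worth escalating to a takedown request.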

And Then the Shoe Drops

When a borrower gets desperate enough after sinking thousands of dollars into application fees, down payments, underwriting fees, pre-closing fees, this-fee-I-just-made-up fees, they also (finally) get desperate enough to start digging.

In the cases we know of, borrowers landed in front of the “real” private lender by:

  1. Clicking through the cloned site to find out where to blast them on Google Reviews or social media.
  2. Google searching the business name to land on the real site to send angry emails and phone calls.
  3. Skip-tracing a home phone number using information on the cloned and/or real lender site.
  4. Serving process in a lawsuit.

Universally, these borrowers had not yet realized the lender was also a victim of fraud and that the scammer and lender were not the same. Many of them hadn’t yet realized they’d fallen victim to a scam at all, still believing the situation could be fixed and their money returned.

Enter AAPL

In all but one case (the private lender who didn’t have a website), by the time the borrowers found the “real” lender, that lender already had a heads up on the situation. This is because, in every case, the lender was a member of the American Association of Private Lenders and prominently displayed the member emblem on their site.

Either because fraudsters don’t realize what AAPL is or are hoping to use our credentialing to earn the trust of unwary borrowers, when these bad actors clone a site, they leave our emblem in place. And savvier borrowers will reach out to verify membership and potential red flags. We in turn check against known contact information, help borrowers understand the indicators that demonstrate they are not actually working with ABC Lending LLC or John Somebody, and then direct them to fraud victim recovery resources.

Then we send a very bad news email to our member, along with next steps to get the fraudster site shut down (download here). But that takes time, sometimes months (if we’re successful at all). In the interim, lenders must deal with a 1-2-3-4 punch to their time, reputation, budget, and sometimes personal lives.

It’s Not Enough

When we point out that every business identity theft victim we know of was also displaying our member emblem, we’re aware this is the definition of confirmation bias. How many fraudsters removed the emblem from a cloned site? How many borrowers never reached out to verify membership? How many members are not displaying the (entirely voluntary) credentials? How many more private lender victims aren’t AAPL members?

The larger picture issue here is that technology makes this scam easy to perpetrate. It’s easy to buy domains, clone websites, and replace information. Many bad actors have backup copies ready to spin up when a cloned site is shut down. Most of these scammers operate internationally in countries known for ignoring this kind of activity, so there’s little permanent recourse. Simply put, mitigating business identity theft is like playing a game of whack-a-mole.

The solution is to make things less easy, more uncomfortable, and even outright inhospitable for scammers—both for individual fraud events and as an industry. The more we can monitor for potential threats and the faster we can react, the more time, effort, and money fraudsters are forced to put into the scheme. Eventually they give up and move on to an easier target.

Long term, preventing and reacting quickly to crack down on fraud is a powerful weight in our favor against new regulation or licensing requirements. Scammers don’t care if they are defrauding businesses or consumers. When an industry becomes a haven for fraud, the government has historically shown that it views requiring a license to practice as the easiest method to “protect the public.”

You Don’t Need to DIY (and Probably Shouldn’t)

Where there is fraud, there are people who make it their business to fight it (literally). Online Brand Protection is a growing sector of cybersecurity, encompassing monitoring for domains, social media, mobile apps, and the web.

In our industry, it looks like counterfeit monitoring, but for content and brands rather than knock-off products. Companies specializing in these services use machine-learning technology to:

  • Create domain watchlists so brands don’t have to purchase every iteration of their name.
  • Monitor for site cloning and social media impersonation.
  • Monitor for usage of protected images (like trademarked logos and emblems).

On finding fraudulent activity, they have Fastlane processes to rapidly:

  • Inject decoy data into scammer phishing forms, hiding victims’ “real” data in a bunch of looks-real-but-actually-fake information.
  • Have web browsers place “go back!” alerts on fraud sites.
  • Take down fake social media profiles that directly refer borrowers to the fraud site.
  • Take down the fraud site via the site registrar and/or hosting provider.

This multipronged monitoring and mitigation approach means that brand protection specialists can usually find and remove fraudulent activity within days, if not hours, and often before anyone falls victim to the scam. These services range from software-as-a-service with high-touch/monitoring required from the user to all-inclusive packages with human-reviewed alerts.

Enter AAPL (Again)

As the oldest and largest association for the private lending profession, we have a responsibility to be aware of everywhere our name is used and where our logo and member emblem appear. We must be proactive in safeguarding the industry by shutting down fraudsters feigning AAPL membership to gain borrower trust and by stepping up monitoring so we can alert members to potential business identity theft and other scam activity. We cannot rely on victims to be our canary in a coal mine.

To that end, we researched, interviewed, and vetted more than 20 of the top online brand protection providers. Several work with financial services clients and hit the right blend of technology and account management. Ultimately, there is only one we feel confident can meet most of our members’ needs across service offerings and price point.

Allure Security will monitor not only AAPL brand assets but also member site content. They also understand the importance of reacting quickly to protect lenders and borrowers when business identity theft occurs. As part of its partnership with AAPL, Allure Security will take down members’ first cloned site.

We also encourage members to proactively take advantage of a 30% AAPL Member Discount on Allure Security services that include advanced domain and cloned site monitoring, blocklisting from search engines, data decoy injection into phishing forms, and social media monitoring. AAPL receives no compensation or affiliate fee.

Locking down your brand assets will protect your reputation and prevent diverting untold resources to respond to threats after they’ve already gained a foothold. Importantly, doing so will also contribute to a broader effort to make our industry a safe, trusted place for borrowers, investors, service providers, and lenders to conduct business. Reach us at contact@aaplonline.com for more information and to get started today.