The Long Running Mysterious Fraud in the Small Business Finance Industry and How to Defend Yourself

The submitted deals are real. The merchants are real. Everything checks out until suddenly it doesn’t. The merchants block the payments and find out they’ve been scammed.The funders find out they’ve also been scammed. But it’s too late because the money is gone and the fraudsters disappear without a trace.

deBanked reviewed hundreds of court documents, emails, and websites in preparation for this story and spoke with multiple people familiar with the matter, though only one would agree to go on record. Here’s the story of how the scam works and what you need to know to defend yourself.

It was a textbook merchant interview call. The business owner answered the questions succinctly and convincingly. He knew his stuff and sounded confident, like somebody who wanted to just finish the process and get the underwriter to issue a final approval on his funding application. His accent said little about where he was from. It sounded like it could be Mid-Atlantic or perhaps lower New England, just a regular business owner on Main Street USA.

“It sounded a little nasal, right?” said Alex Shvarts, CEO of FundKite, after playing the recording for me to judge.

The tone of the voice did actually sound unusual after thinking about it. Something was off about the call and that was the only tell. For the person on the other end of the phone wasn’t who they claimed to be. It would later be debated if they had used voice changing technology, one of many layers of obfuscation that had been put in place to cover up what is quickly becoming the scheme of the decade.

FundKite had signed up a new broker and promptly received two deals from them. On this particular one the paperwork attached to the application was real. This was a real business and these were their real documents. But the real owner of the business had no idea that any of it had been used to apply for funding with FundKite.

In a typical identity theft scenario, a scammer gets a lender to send the loan proceeds to a bank account that is controlled by the scammer, keeping the victim completely in the dark that their identity is being used for the fraud until much later when a default occurs. But in this case the scammer intended to have a funding company send money to the victim’s actual bank account. It’s a twist that understandably makes it very difficult for the funding company to later believe that the merchant’s identity had been stolen since they were the ones receiving the proceeds. But once the business has been funded, the scammer executes the next step in the scheme, convincing the business owner to send the money to them. If that sounds like a whole lot more work to make this heist successful, then you have no idea how many layers of deceit are in play and the scale at which it’s operating.

It started sometime around 2019 (maybe even earlier) and is still happening to this day across the industry. The scammer uses stolen identities to incorporate businesses, followed by using those entities to open up bank accounts for them. One account is used to impersonate being a lender and another to impersonate being a broker. They first get to work by being the fake lender and register a domain name that closely resembles and could be mistaken for a real lender they’re trying to impersonate. According to records obtained by deBanked, domain names challenged via UDRP and seized as part of an ongoing investigation into the fraud reveal that the scammers also use stolen identities to register the domains, making the real buyers untraceable.

The objective of having these fake domains in the first place is to contact existing real borrowers of the real lender and to pass themselves off as the real lender. It’s a classic phishing scheme.

There’s various theories as to how this is done, but there’s a possibility that public records are sufficient for the scammer to accomplish this step. A reverse UCC search can reveal the names of a lender’s customers and the time in which they received a loan. From there, big data or cursory internet searches are enough to obtain the contact info of those borrowers. This type of list building is nothing new and fairly common in the data business.

The scammers then email the borrowers from the fake domain, purporting to work for their real lender, and give them the great news that positive repayment history has afforded them the reward of being able to refinance their loan at a lower rate.

It is generally good practice to check the domain name of a sender, even though that itself is not foolproof, but an incorrect one, especially one that resolves to a “404 Error Not Found” page, should be a sufficient indicator that these emails are coming from an impostor, yet business owners still fall for it, perhaps because they recognize the name and find the offer consistent with their expectations.

In one case that deBanked reviewed, the opportunity was presented to refinance a double digit APR loan down to as low as 4% with the same lender. When the victim was asked during a deposition if that number had struck him as suspiciously low, he said it did not, especially considering his belief that he had “excellent payment history” and that he felt like it made sense to get a break after all the stresses of covid.

The scammers generally communicate with perfect English over email but will also do phone calls. They use Google voice numbers in the area code that match up with the real lender. deBanked called an older one that had been used and nobody picked up. They might use the name of a real employee at the lender or create a fake one, going so far as to generate a paper trail online that shows the name of that person working for the lender.

Once on the hook, they ask the victim to submit lengthy documentation over email so that the refinance can be reviewed. These are typically documents like tax returns, bank statements, a copy of a driver’s license, A/R and/or A/P schedules, etc. After that the scammer moves on to the next phase, using the phished documents to apply for loans or merchant cash advances. This is where the scammer’s fake broker entity comes in.

These fake brokers tend to pass a background check because they rely on stolen identities that are clean, the business entities they’ve created under them are real and match up, there’s a tax ID, there’s a bank account in their name, and there’s no sketchy stuff about them on the internet. They even have a website, again registered with the fake identity, that often looks like or is an outright exact copy of another broker’s website. Even a diligent funding company can be duped despite a background check. Once the fake broker is signed up with a funder, the phished merchant data is submitted but with the scammer’s phone number and email address. Oftentimes the deal amounts are large. deBanked reviewed several cases related to this scheme that ranged in size from $200,000 to $600,000.

Since all the merchant information is legit, the merchants tend to get approved. The scammers are also adept at pretending to be the merchants in an interview phone call with an underwriter, like the one I listened to previously. They can even guide the merchant through a funder-mandated bank verification under the illusion that it’s all related to their current lender for the refinance. If any questions arise about the mention of another financial company name, it’s explained away as an affiliate partner or related vendor that they use.

Once the scammer is confident the funds are coming, they tell the merchant the refinance has been approved and that there is a narrow window to complete the final steps. As part of this they send a lengthy legalese-filled digital contract with an e-sign for the fake refinance that looks exactly like their real lender’s, again reinforcing how legitimate the whole thing feels.

Once complete, they’re told that a large wire will be arriving in their account, which will actually be from the funding company they don’t know about. In a normal refinance, a lender might withhold a portion of the new loan to apply to the outstanding balance, but in these cases the victims are told that they have to receive the full amount of the funds from their lender first and then wire the outstanding balance of the loan straight back to the lender. The merchant nets the difference if there is any left over. This round-trip transaction is communicated as being their way of managing their accounting, an excuse that again seems to come across as plausible to those that think they’re dealing with their trusted lender the whole time.

In the earlier iterations of the scheme, the name on file for the bank account to wire the funds to would look almost identical to their lender’s name. When the victim sends the wire to pay off their outstanding loan, they are completely unaware that they have just wired funds to a scammer and that the entire thing had been a very elaborate ruse. It’s not until days later when their account starts getting debited by a funding company they have never heard of as part of an agreement they had never entered into do they become alerted that something is amiss. By then it’s too late. Doubly too late if the funder has also wired the fake broker a commission for putting the whole deal together in the first place.

Although the scheme can yield several hundred thousand dollars at a time, it ultimately results in the loss of their fraudulently opened bank accounts as the funders respond with an investigation that can include litigation and/or a report to law enforcement. That means the scammers have to open new accounts under new stolen identities. That’s easier said than done, which is perhaps why last year they apparently improvised on this step. They don’t need to open bank accounts for the fake lenders anymore.

Instead, according to at least three examples reviewed by deBanked, they’re more recently asking the victims to wire the funds to the general deposit account of a cryptocurrency exchange. If this sounds like it would be too obvious, consider that it has worked. The wire forms, which look identical to the earlier versions, are only different in that they contain a different account name to send the funds to. The lender’s logo can still be found on the top.

In one case, deBanked was able to obtain records that allowed for the funds to be traced. The scammer had the exchange convert the wired funds into Ether, to which the Ether apparently moved between three crypto exchanges before disappearing into a generic holding address of an offshore exchange with millions of transactions. Another dead end.

deBanked emailed one of the two exchanges it reviewed related to this scheme to ask about their customer KYC procedures but received no response. The other was not contacted to avoid tipping them off to a possible active investigation. The exchanges both have deposit accounts at US banks, both of which are known for their fintech relationships. Typically, crypto exchanges that take on US customers do rely on some level of KYC. It appears based on limited evidence so far that the crypto accounts opened up by the scammers are done under the stolen identities of the merchants so that everything matches when a wire comes in. This is where it gets murky because the scammers may ask the merchants to take selfies of themselves, ones that could include holding up their ID in their hand or holding a piece of paper with a specific written message on it as proof that it’s them. That a merchant might jump through these hoops on the belief that it’s all to secure a purported refinance with their existing lender requires some suspension of disbelief, though many online finance companies these days are requiring varying levels of customer identity verification.

The outcome, in any case, is that millions of dollars have been purportedly stolen over the course of several years. The scam has been directed at all sorts of funders, from the A paper players to the Z paper players. The merchants, as the original dupes that make this possible because they fall for a basic phishing scheme, are also left to pick up the pieces. The scammers may have even scammed another high profile scammer, at least according to documents reviewed by deBanked. There’s a brazen fearlessness to it all.

A main connecting link has been funders that will do large deals, hundreds of thousands of dollars in a single transaction. But that might be changing. Industry chatter more so than hard evidence suggests the web of intended targets might be growing and that thanks to innovations with AI and crypto, the scammers may attempt to use artificial identities for the brokers rather than real ones. A lot of the steps involving bank accounts and stolen identities are no longer as necessary, which means if you’re a funding or lending company and you’re reading this, you may be vulnerable.

Sources familiar with the matter say that it’s good practice to remind your customers about possible phishing risks and to keep them informed about what methods of communication you will use throughout the life of the relationship. This includes whether or not you might employ phone calls, emails, texts, or snail mail communications, and the precise sender information they should expect. This might limit the likelihood of your own customers from getting phished but there’s tactics you can use to prevent becoming the victim funding company as well.

According to Alex Shvarts, a good start is only conducting a merchant interview on phone numbers assigned to the business. “If it’s a cell phone we have to have a cell phone bill that verifies the owner’s information,” he says. Also, if the customer has a website, avoid communicating with them over a free email address like Outlook or Gmail or Proton Mail and instead direct all communications to an address on their company domain name, one you’ve confirmed is really theirs and not a boilerplate setup by the scammers to deceive you again. Other possible steps are to use live ID verification or a common tool like CLEAR, he suggests. Shvarts wouldn’t disclose some of the proprietary methods they’ve come up with so as not to tip off a scammer reading this.

When it comes to the broker, do proper due diligence. It’s been said that a fake broker may test the waters with a small deal first before submitting the large fraudulent one to generate a level of confidence that everything is on the up and up.

According to documents reviewed by deBanked, the scammers typically rely on a relatively bare bones website for their fake broker shop, a collection of borrowed templates and verbiage from other companies out there. It’s a rabbit hole that can lead one down many wrong directions, especially in an era when similar bare bone lead gen sites litter the internet by the thousands. Consider doing a FaceTime or Zoom call with the broker so that you can see if their face matches the identity that’s been provided!

The scammers have used different domain name registrars and hosting services. They may push for a weekly or monthly payment option so as to create lead time between when the victim wires the funds to them and when the first debit hits from the funder they’ve targeted for it. They seem to prey on merchants that have an outstanding business loan rather than an MCA because it makes the low in-house interest rate refinance all the more plausible. So if you see debits in an applicant’s bank account from any one of the more commonly known online business lenders, you should be thinking about this story and ways to make sure you are speaking with the actual business owner. Do they know who you are? Have they been offered a refinance? Do they even know who their broker is?

“When you first identify the fraud, notify law enforcement including the FBI,” one source familiar with the matter said.

Sean Murray is the President and Chief Editor of deBanked and the founder of the Broker Fair Conference. Connect with me on LinkedIn or follow me on twitter. You can view all future deBanked events here.