What is credit application fraud?
ENS' Forensics team have seen an upsurge in clients who have
fallen victim to credit application fraud, a particular type of
cybercrime. This type of fraud usually results in substantial
losses with poor prospects of recovering the funds or goods
and, in most instances, clients lack the necessary insurance cover
to protect against such incidents.
The South African Police Service ("SAPS") can investigate these crimes through their dedicated unit known as the South African Police Service Computer Crime Unit ("SAPS CCU"), which works closely with other law enforcement agencies and private sector partners to investigate and prosecute cybercriminals. The Cybercrimes Act, enacted in 2020, also provides SAPS with extensive powers to investigate, search, access, and seize digital devices and data related to cybercrimes. However, like many law enforcement agencies worldwide, SAPS faces challenges such as the shortage of appropriate skills, and the need for continuous training and resources to keep up with the rapidly evolving nature of cyber threats.
In reality, law enforcement responses to these crimes are often slow and fragmented, and seldom result in successful prosecutions.
Credit or loan application fraud, a form of identity theft, occurs when fraudsters use stolen personal and/or company information to apply for credit with a provider, all without the knowledge or consent of the individual or business involved.
Once the line of credit is granted by the unsuspecting credit
provider or lender, the fraudsters purchase goods to the value of
the credit limit. These scams usually go
unnoticed for a couple of months, until the credit provider
discovers that its payment request has been ignored.
The Modus Operandi
There are multiple victims in the credit application scam, the
first being the individual or company whose identity has been
stolen. The fraudsters assume this identity and use it to apply for
various forms of credit, such as a retail store credit card, a bank
account with an overdraft, a personal loan from an insurance
company, or purchasing a motor vehicle on credit.
The second victim is the unsuspecting credit provider or lender who grants the credit to the fraudsters. While their loss is not a stolen identity or information, it does result in financial loss.
How do the fraudsters steal your personal identity?
Fraudsters can steal personal identities through various methods.
Here are some common techniques:
- Data Breaches: Large-scale data breaches can expose personal information, which fraudsters can use or sell on the dark web.
- Phishing, Smishing, and Vishing: These involve fraudsters sending deceptive emails, text messages, or phone calls to trick individuals into revealing their personal information.
- Malware: Scammers send out malicious software via email which can infect devices. When clicked or opened, it allows the fraudsters to steal information directly from the device, e.g. login and password information, giving scammers access to mailboxes etc.
- Card Skimming: Devices attached to card readers can capture card information during legitimate transactions, e.g. at restaurants.
- Unsecured Browsing: Using unsecured Wi-Fi networks at airports, shopping malls or restaurants and entering information into unsecured websites can expose personal data to attackers.
- Physical Theft: Thieves or pickpockets steal wallets, purses, laptops, mobile devices or physical mail which can provide access to personal documents and information.
- Social Engineering: Manipulating individuals into divulging personal information through impersonation or other deceptive tactics.
How do the fraudsters steal your company information?
Fraudsters use several methods to steal company information for
identity theft. Here are some common tactics:
- Phishing Attacks: Scammers send deceptive emails that appear to be from legitimate sources, tricking employees into sending them company documents and records, revealing sensitive information, or clicking on malicious links.
- Social Engineering: Fraudsters manipulate employees into divulging confidential information by impersonating trusted individuals or creating a sense of urgency.
- Malware and Ransomware: Malicious software can be used to infiltrate company systems, steal data, or lock systems until a ransom is paid.
- Insider Threats: Disgruntled or compromised employees may steal or leak sensitive information. Our experience shows that call centre employees are particularly at risk due to several factors including personal financial pressure. Syndicates understand that call centre employees usually have legitimate access to multiple layers of company records and often solicit or intimidate these employees to provide this information. Information is exchanged for gratification or due to threats of intimidation. Call centre employees may also lack the necessary training and awareness and may not recognise the signs of a scam or understand the importance of following security protocols.
- Physical Theft: Stealing physical documents and devices, or accessing unsecured areas within a company, can provide valuable information.
- Unsecured Networks: Using unsecured Wi-Fi networks or failing to properly secure company networks can expose data and company records to attackers.
- Fake Websites and Spoofing: Creating fake websites that mimic legitimate company sites to capture login credentials and other sensitive information.
How the fraudsters apply for the credit
Once the fraudsters have stolen the identity of an individual
or company, the next step is to apply for credit with a credit
provider. There are several ways to do this. The fraudsters
usually try to distance themselves from personal interaction: they
make use of false email addresses to apply for the credit and use
mobile phones with pay-as-you-go or unregistered SIM cards. These
methods provide anonymity and make it harder for authorities to
trace their activities. The fraudsters create an email domain
which resembles the victim's name or company email domain, then
use this false email address to send the credit application to
the unsuspecting credit provider.
Email is a significant attack vector used by fraudsters for credit application fraud for several reasons:
- Email has a wide reach and almost everyone has an email address making it a broad target for attackers.
- Email is easy to use, simple and inexpensive and can be sent by fraudsters from halfway across the globe.
- Fraudsters are easily able to impersonate trusted entities, such as banks, retailers, or insurance companies to trick recipients.
- Humans make errors and may inadvertently click on malicious links or download harmful attachments, especially when emails look legitimate.
- Many users have not received any formal cyber training or awareness, are not fully aware of the various phishing scams, and may easily fall for sophisticated scams. Elderly computer users are also particularly vulnerable as they have limited computer usage experience.
Case Study 1 – How easily fraudsters can steal your company information
An engineering company receives an unsolicited email invitation
purporting to be from a large state-owned enterprise
("SOE") inviting them to register on the
SOE's supplier database [Red Flag]. The
fraudsters have created a false SOE email domain (which closely
resembles the legitimate SOE domain name) and sent an email with
the subject title "INVITATION TO REGISTER ON THE SOE SUPPLY
CHAIN DATABASE." The email signature is falsely attributed to
a senior procurement manager at the SOE.
Attached to the email was an SOE supplier application form named "Supplier Application Form SOE Supply Chain Database". The email notified the engineering company that if they wished to be registered on the database, they were required to complete the application form and send supporting documents. However, the body of the email and the supplier application form are both riddled with grammar and spelling errors, the SOE logo in the footer of the email is misaligned and there are inconsistencies in the font and formatting [Red Flags]. The junior accounts clerk who receives the email application has received no fraud or cyber awareness training and therefore does not identify any of the glaring red flags [Control Breakdown].
The engineering company, eager to register on the SOE supplier database, failed to contact the SOE telephonically to confirm the Supplier Application Request [Control Breakdown], and they responded to the above email and sent the fraudsters the completed registration form together with the following supporting documents:
- Certified copies of the director's identity documents,
- Company's SARS tax registration documents,
- Letter of good standing for compensational injuries and diseases,
- SARS Tax compliance certificate status pin,
- SARS VAT registration,
- Municipal utility statement,
- UIF supplier registration form,
- A banking confirmation letter of their company bank account,
- B-BBEE Certificate,
- CIPC Disclosures certificate,
- CIPC Registration certificate,
- Company profile, and
- Rental agreement for the property which they occupied.
A few days later, the engineering firm receives a follow-up request from the false SOE email address confirming that their application to register on the SOE supplier database had been successful; however, they still needed to submit a copy of the company's latest financial statements, management accounts and six months' bank statements. The engineers respond the following day, sending the fraudsters the above supporting documentation.
The fraudsters, now in possession of all the necessary
documentation, are able to assume the identity of the
engineering firm. They create a false email domain that closely
resembles the domain name of the engineering firm itself. They use
a false email address purporting to be the engineering company and
approach several businesses where they apply for credit in the name
of the engineering company, using all of the provided supporting
documents to support these credit applications.
The fraudsters also applied to purchase three new bakkies from a
car dealership, secured credit at a large hardware store and
purchased a large number of building materials. Additionally, they
applied for credit at various other engineering firms to purchase
engineering tools and equipment and applied for credit at a steel
manufacturer where they purchased steel.
The engineering firm, unaware of the above credit applications and purchases on their behalf, only became aware of the fraud much later when they were contacted by the above lenders requesting payment.
Case Study 2 – How fraudsters use stolen company information to apply for credit
Company A (the victim), a plastics manufacturing company based in
Johannesburg, receives an email purporting to be from the group
procurement manager of a well-known large retailer. This email is
not from the retailer but from fraudsters who have done their
homework and created an email domain like the large retailer's
and assumed the retailer's identity. The fraudsters then
emailed Company A requesting to apply for a line of credit to the
value of ZAR5,000,000.00. The sales department of Company A failed
to properly scrutinise the email domain name of the retailer [Red Flag] and they
responded to the fraudsters by sending them a credit application
form. A few days later Company A received an email with the
completed credit application form as well as all the required
documents from the fraudsters, including a Certificate of
Confirmation issued by the Companies and Intellectual Property
Commission, a Company resolution, a Bank Confirmation letter
confirming bank details, a SARS notice for registration for VAT and
copies of the ID documents of the directors of the large retailer.
Delighted to have the large retailer as a new client and the commissions they will be receiving, the sales team of Company A pushed for the new account and sent the new credit application form to their finance team. Company A conducts a credit rating check on the retailer and receives confirmation from their credit bureau that the retailer is good for credit limited to ZAR500,000.00.
Company A then proceeded to conduct only very superficial due diligence checks on the retailer:
- No site visit inspection is conducted on the retailer's delivery address as prescribed by Company A's credit department procedures and policy, as they are a well-established brand [Control Breakdown]. Had someone at Company A performed a simple Google search of the address provided by the retailer, they would have established that the address is not linked to the retailer.
- The sales representative of Company A failed to take pictures of the retailer's premises both outside and inside of the delivery warehouse [Control Breakdown].
- Company A failed to scrutinise the mobile number provided by the retailer in their emails [Red Flag]. Had they run the mobile number through the TrueCaller app, they would have established that the number is referenced as "Fraud Scammers".
- Company A failed to notice that the landline telephone numbers provided in the retailer emails are all based in Johannesburg; however, the head office of the legitimate retailer is based in KwaZulu-Natal [Red Flag].
- Nobody at Company A called the retailer's head office to confirm the credit application or orders received [Control Breakdown].
- Meetings arranged between the retailer and Company A were all cancelled at the last minute by the retailer as they were "too busy" to meet with Company A [Red Flag].
- The name of the buyer from the retailer is unknown to the sales representatives of Company A who know most of the buyers at the retailer [Red Flag].
- All of the communication between Company A and the retailer was done via email [Control Breakdown].
- The CEO of Company A overrides the Credit Agency's suggestion of a credit limit of ZAR500k as well as Company A's internal credit policy and grants limitless credit to the retailer "because they are a well-established brand, and he believes they are good for it" [Control Breakdown].
The fraudsters immediately placed an order with Company A for goods to the value of ZAR1 million and requested that these be delivered to a warehouse in Johannesburg. The type of goods ordered by the fraudsters does not match the profile of the customers of the retailer group [Red Flag]. Company A failed to verify the physical delivery address provided by the fraudsters [Control Breakdown].
On delivering the goods to the warehouse, the driver of Company A noted that there was no signage reflecting the name of the large retailer at the delivery address [Red Flag]. The delivery address is a storage facility that leases out storage space [Red Flag]. The driver immediately notifies management at Company A of this anomaly, and the credit department checks the fraudsters' email correspondence and confirms that the address is correct [Control Breakdown].
Three days later the fraudsters placed a further three orders
for ZAR2.9 million, exceeding the initial credit limit once again
[Control Breakdown]. On the same day, Company A once again delivered
the goods to the same address with no signage [Red Flag].
Two days later the fraudsters placed a further three orders for
ZAR1.8 million, exceeding the initial credit once again [Control Breakdown]. A
day later the manufacturing company delivered the goods to the same
address with no signage [Red Flag].
Company A delivered ZAR5.7 million of stock to an unverified
address provided by the fraudsters and suffered financial loss.
There are several red flags and control breakdowns in the above two case studies that could have provided an early warning or identified and prevented the fraud from occurring.
Corporates - What are the red flags to look out for?
Should your company receive a credit application, several red flags may indicate potential fraud. Be on the alert for the following:
- Inconsistent information: Discrepancies in the applicant's information, such as different addresses, phone numbers, or employment details across documents.
- Forged or altered documents: Signs of tampering in documents such as bank statements, pay slips, or bank confirmation letters. Pay particular attention to inconsistencies in fonts, signatures, and the formatting and alignment of documents.
- Incomplete or blank sections: Applications with missing or incomplete sections might suggest the applicant is trying to hide information.
- Unusually high income: Claims of excessively high income that don't match the applicant's occupation or industry can also be a red flag.
- Lack of documentation: Applicants who avoid providing requested documentation or offer insufficient information.
- Sudden financial changes: Rapid changes in financial behaviour, such as a sudden surge in credit inquiries or opening multiple new accounts over a short period.
- Suspicious delivery addresses: such as delivery to leased warehousing premises with no signage of the purported customer, deliveries to construction sites or in some cases, even at meeting points on a highway.
- Suspicious identifying information: Identifying information that doesn't match records or seems suspicious, such as a photo in an ID book that does not resemble the applicant.
- Alerts from credit agencies: Notifications of fraud alerts, or address discrepancies from credit reporting agencies.
- Unusual account activity: Patterns of activity that are inconsistent with the applicant's history, such as a significant increase in credit inquiries or new credit relationships.
What should corporates be doing to prevent credit application fraud?
Credit Departments need to be vigilant and look beyond just the credit application. Here are some suggested steps to enhance the verification process and assist the credit department in making more informed and secure decisions:
- Policy and procedure: Ensure your company has an updated credit application policy and clear procedures for onboarding new clients, including the various checks and controls that need to be in place to safeguard your business.
- Telephonic verification: Cross-check the landline numbers supplied on the credit application form and in the email against the listed landline numbers of the company applying for the credit. Contact the applicant using the verified landline number (not the telephone numbers provided in the email or on the application form) to confirm the details submitted. Additionally, run the mobile numbers provided through the TrueCaller app and search online to identify whether there are any adverse comments linked to those numbers.
- Confirm Email domain name: Check that the email domain name matches the email domain name of the legitimate company that is applying for the credit.
- Site visits: Conduct a site visit to confirm the applicant's address and business operations as well as the delivery address for the goods (if applicable). Take pictures of the outside and inside of the delivery address and provide these pictures to the delivery driver to ensure the goods are delivered to the correct address.
- Document verification: Ensure that all submitted documents are authentic and have not been tampered with. This includes checking for spelling mistakes and consistency in fonts, signatures, and formatting of documents and emails.
- Reference checks: Contact trade references and previous creditors to gain insights into the applicant's payment history and reliability.
- Public Records Check: Review public records for any legal issues, bankruptcies, or loans to help assess the applicant's financial stability.
- Regular Employee Training: Hold regular training and awareness sessions for credit department and sales employees to recognise signs of cyber scams and fraud and understand the latest trends. This will ensure that employees remain vigilant and can respond quickly when they suspect fraud.
By implementing these measures, companies can minimise the risk of credit application fraud and safeguard both their businesses and their customers.
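The "Confirm Email domain name" step can be partly automated at the point where a credit application email arrives. The sketch below is an added example, not part of the original article: it compares the sender's domain with the independently verified domain of the purported applicant and flags near matches of the kind used in both case studies. The domain examplesteel.co.za, the short suffix list, the confusable-character table and the distance threshold are all assumptions chosen for illustration.

```python
import re
from email.utils import parseaddr

# Assumption: a short constructed list of two-label public suffixes; a real
# deployment would use the full Public Suffix List instead.
TWO_LABEL_SUFFIXES = {"co.za", "org.za", "gov.za", "co.uk"}
# Common look-alike substitutions, folded on both sides before comparison.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("5", "s")]


def split_domain(domain):
    """Return (name, suffix), e.g. 'mail.acme.co.za' -> ('acme', 'co.za')."""
    labels = domain.lower().rstrip(".").split(".")
    n = 2 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 1
    if len(labels) <= n:
        return "", ".".join(labels)
    return labels[-n - 1], ".".join(labels[-n:])


def skeleton(name):
    """Fold confusable characters and drop separators in a domain name."""
    for fake, real in CONFUSABLES:
        name = name.replace(fake, real)
    return re.sub(r"[-_]", "", name)


def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(from_header, verified_domain):
    """Classify a From header as 'match', 'lookalike' or 'unrelated'."""
    address = parseaddr(from_header)[1]
    name, suffix = split_domain(address.rpartition("@")[2])
    good_name, good_suffix = split_domain(verified_domain)
    if (name, suffix) == (good_name, good_suffix):
        return "match"
    a, b = skeleton(name), skeleton(good_name)
    if a == b:                      # same name on another suffix, or a character swap
        return "lookalike"
    if len(b) >= 4 and b in a:      # real name embedded, e.g. 'acme-procurement'
        return "lookalike"
    if edit_distance(a, b) <= max(1, len(b) // 5):   # small typo or transposition
        return "lookalike"
    return "unrelated"
```

A "lookalike" result is a reason to stop and verify by telephone on an independently sourced landline number; a "match" only confirms the domain, not that the mailbox itself has not been compromised.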