Beware The Bust Out

Bustouts work like this: First, an individual or small group legally purchases the names of real companies for a few thousand dollars each. They sit on the companies for a couple of years, then blast out credit applications to a slew of distributors and resellers, seeking to buy IT products. To the creditor, the business looks clean, so it typically provides financing. The company maxes the credit line, takes delivery of easy-to-dump products and disappears without a trace.

Companies throughout the channel, from the biggest distributor to the smallest solution provider, are "sitting ducks" for these bustouts, said Gary Bares, founder and director of Verifraud, a fraud risk management unit of Direct Alliance, a subsidiary of Teletech. Bares is working with several channel companies. "It's unbelievable how easy it is," he said. "Most computer companies have no defense against this type of fraud, and the losses have been staggering."

id
unit-1659132512259
type
Sponsored post

To Catch A Thief: Watch A Slide Show Of Investigator Gary Bares At Work

And now, as distributors band together to shore up their defenses against scams like these, many in the channel believe the scammers are moving downstream, targeting smaller solution providers that can't afford robust fraud prevention systems.

"For some midsize resellers, it can literally threaten their business," said Bares. "You can get wiped out by a single fraud."

It happened to Lesley Taufer. Taufer, the former owner and CEO of the now- defunct Boulder Corp., a solution provider in Boulder, Colo., was hit two years ago by two credit-card schemes in the same week. Combine that with an $80 million bank fraud from a long-time client during the same period and she was out of business. "I lost everything: my house, my car, my business," said Taufer. "I lost everything. It was like a death."

The scams that helped put Boulder out of business included a $50,000 order for Hewlett-Packard drives that was put on multiple credit cards, a common practice for cash-starved small businesses. Taufer says the scams were done with fraudulent credit cards and the computer equipment was sent to people who accepted the equipment at legitimate addresses and then passed them on to the thieves for a fee. "They were paid by the bad guys to accept the shipments," she said. "It happened so fast that nobody could do anything about it."

Senior management was not even aware of the shipments until after the fact, she said. "By the time it made it to upper management it was too late," she said.

The $80 million bank fraud by the long-time customer was the final straw that took down Boulder Corp. "He is in prison now," said Taufer of the customer. "All of our inventory was frozen as part of his assets that the FBI used to pay the bank back. They were a secured [debtor] and we weren't. We'd been doing business with him for years. We extended credit on a very large, large, large order for us. Our bill was sitting on his desk when he got busted."

How Big Is The Problem?
For the past five years, Bares, a one-time channel credit executive, has fashioned a career out of tracking the rings known for running bustouts. Verifraud has studied more than 700 examples of possible fraud, and Bares' investigations lead him to estimate that bustouts account for up to 25 percent of overall bad debt in the channel.

Bares' research supports a claim that distributors can see about 35 to 50 large-scale bustout attempts a year. Companies without solid antifraud systems are victimized about 75 percent of the time, losing an average of $50,000 to $70,000 per attempt, he said. However, some losses have been known to reach millions for an individual distributor.

For several years, little was done to identify, arrest or prosecute the scammers, he said. In some cases, public companies are loath to categorize bad debt as fraud, Bares said. The executives in charge of credit either aren't looking hard enough, or are in denial. As long as bad debt stays within historical trends, nobody blinks an eye.

But distributors have started to wake up to the problem. Clearwater, Fla.-based distributor Tech Data estimates about 20 percent of its bad debt was fraud before it began to take action.

"It's below the surface. You have to dig a little deeper," said Art Wicks, director of loss prevention at Tech Data. "The days of using a single credit report for a new customer is not necessarily prudent. It takes more time and more due diligence."

Last year, Bares said he warned distributors of a big impending bustout scam. But his warnings went unheeded and the losses were in the millions. "We had watched the perpetrators behind this bustout run several other frauds dating back to 2000," said Bares. "We knew exactly what was coming when they became involved with a Montreal company with several locations."

Bares stopped the fraud attempt for his clients and tipped off several other distributors that he has relationships with. One of these distributors came back a couple of months later and confirmed that the bustout had been carried out and that they were talking with other distributors, one of which was out $2.9 million and another out seven figures as well.

"This is not an isolated incident," said Bares.

Distributors are learning that they have to be especially wary, said Tech Data's Wicks. "It's like a virus, it mutates," he said. "You get hit and it comes back a little bit different."

Next: Who's At Risk Who's At Risk?
Solution providers that sell a lot of products on the Web, particularly those that can be resold quickly—such as memory, processors and laptops—are most at risk, executives said.

That includes Eduardo Perez, general manager of Sparco.com, who has practically made a living preventing scammers from bilking the Millington, Tenn., solution provider, whose business is about 95 percent Internet-based.

"Oh, Lordy. We must get at least 10 [suspected bogus orders] a day," said Perez. "Fortunately for us, only about one every two months gets through now. We have our internal flags and we warn the reps here not to touch those orders."

Perez has been especially busy the past couple months as the federal and educational buying seasons were in full swing. Scammers now pretend to be educational institutions and, brazenly enough, government agencies to secure products.

The scammers are always readjusting their techniques, he added. For example, just when his company learned to ensure that a shipping address was legitimate, the bad guys took to calling FedEx or UPS to change the ship-to address when the package was in transit.

"This is the worst one because the bank will not protect us because we didn't deliver it to the people we were supposed to deliver it to," Perez said. "Once we got better at recognizing their behavior, they switch."

Now, he's changed his guidelines with the carriers to guarantee that shipping addresses can't get changed en route.

In another example, Sparco.com learned to be suspicious of orders from first-time customers requesting overnight shipping. So the bad guys got creative. "They'd place a $20 or $30 order, pay that, then follow it up with a laptop request. We relax, we see they're repeat customers and then the chargeback comes. There's a similar pattern. They try to get your trust first," Perez said.

The warning system is still very manual, he added. Sparco.com tried several automated systems, but the margin of error was too high, he said. "Everything looks fine, but the e-mail address is bogus. Or everything is fine except the IP address where it comes from. [The e-mail order request] could be lower case, or everything is in caps. You watch for that," he said.

Recognizing Fraud
A former finance executive at a large, publicly traded reseller said his company vastly underestimated the amount of fraud being committed against it.

"We know there was a certain amount of fraud within the industry. It wasn't that we didn't think there was none. But the vast majority of it is hidden behind legit businesses and through bustouts. We had very limited fraud checks and procedures in place. We thought they were fairly sufficient," said the finance executive, who asked not to be named.

The company changed its tune when it made an acquisition and the company it was buying had a more thorough fraud prevention strategy, he said.

Even then, the executive said, his attitude was "prove it to me." The reseller gave 18 months worth of bad debt files to Verifraud, which came back with evidence that about one-third of what the reseller considered bad debt was actually fraud by characters well-known to Bares. The cost was more than a million dollars over that 18-month period.

"He did an unbelievable analysis," the finance executive said of Bares. "It was preventable fraud, too. We immediately said, 'OK, we've got a problem. What do we do?' "

Bares worked with the finance executive to develop some polices and procedures.

"Over the next two and a half years, only one fraudulent deal slipped through—that was it. And that was because we didn't follow our own policy," the executive said.

The criminals are smart because they tend to keep the orders at a size that put them below the radar of most warning flags, about $30,000 to $50,000, the executive said. But multiple strikes can quickly add up to more than $1 million annually.

"It was just little piddly stuff. The bigger stuff we were catching," the finance executive said.

And therein lies the problem for other solution providers. As distributors and large resellers put more sophisticated processes in place, the bad guys aren't going to give up. They're going to target the next level of channel company down the food chain, such as solution providers that can't afford elaborate fraud detection services.

Next: Why Aren't These Guys In Jail? Why Aren't These Guys In Jail?
It's difficult and expensive to prove a company unlawfully and purposely tried to defraud a creditor, as opposed to just being bad at business. In some cases, the cost of building a case and seeking prosecution is more expensive than writing it off. Law enforcement officials file their reports but unless the amount stolen is above a certain threshold, Bares said he is told a full-scale investigation is not warranted.

"If a law enforcement agency has the option of a slam-dunk drug case and this, they're not going to answer your calls," said Bares. "That's why the perpetrators have been successful for so long."

One federal law enforcement official with whom Bares has worked closely on several cases recently told him, "We're sick of being the collection department for corporate America."

Only once has Sparco.com seen a scammer prosecuted, Perez said. It was for an $18,000 order that was large enough to attract the attention of the FBI and the Internet fraud unit of his local police department.

"We didn't recover the product, but they went to jail," he said. "It's a new type of crime. Local police departments don't usually handle it because it's not big enough to proceed. If you get a big order, you can get a couple of agencies involved and get it prosecuted."

What Can Be Done?
Unfortunately, there are no shortcuts or easy answers to combating fraud like bustouts in the channel. Scammers are buying companies now with the intention of using them four years down the road to run yet another bustout, according to Bares.

In the past couple of years, distributors have increased measures to shore up their credit defenses, joining organizations like the National Association of Credit Managers and talking among themselves to share suspect applications.

Some distribution executives were reluctant to share their latest prevention strategies, saying it's best to keep some things secret. "These crooks are always one step ahead of you. Anything you publish, they're going to read," said Joe Chaudoin, director of credit and financial services at D&H Distributing, Harrisburg, Pa.

Every once in a while, though, the crooks get sloppy and make themselves easy to spot, said Chaudoin. D&H once got a large purchase order on behalf of Temple University that turned out to be phony. "The only reason we caught it was because they spelled 'Temple' wrong," he said.

Yet, you can't rely on the scammers to be sloppy, Chaudoin said, which is why D&H is active with several fraud prevention groups and credit agencies.

Case in point: One D&H solution provider recently got taken for $500,000 with a credit card scam.

"Our VARs need to be very concerned about the different scams out there when it comes to credit cards and diverting shipments," Chaudoin said. "It's a very difficult problem. They're all doing it a lot smarter. We've caught most of it, but we can't get cocky."

STEVEN BURKE contributed to this story.