It’s really easy and we’re going to show you how.
Let’s take a cybersecurity perspective on how criminals exploit the trust of small businesses by showing step by step how easily they can create a seemingly legitimate company with just a few dollars.
In this article, we'll start at the very beginning of the scam: the creation of the fake company itself. Understanding how cheaply and quickly it is done is the basis for designing defenses that actually fit the threat. The goal is that business owners, stakeholders, and decision-makers grasp the simplicity and danger of these tactics so they can appreciate the importance of proactive measures. A clear understanding of this threat gives CISOs and IT leaders what they need to advocate for the security investments that protect against it.
The Pitch: Why This Scam Works
Imagine this: for just a few bucks and a few hours in front of a computer, you could create a company that looks legitimate enough to pull off a variety of scams. At a minimum you can collect personal information, but the real goal is to fool small businesses into wiring payments and handing over access to their systems. Small businesses are especially vulnerable: they don't have the resources of Fortune 500 companies, yet they routinely handle transactions and data worth thousands, even millions.
Here’s why this works so well:
- Low Cost, High Reward: Setting up a fake company costs next to nothing compared to the potential payouts. A domain name, some fake reviews, and a few hours online can net you massive returns.
- Small Businesses are Trusting: Unlike large corporations with entire departments dedicated to vetting vendors, smaller companies often rely on relationships and trust—making them easier to fool.
- The Illusion of Legitimacy: With today’s tools, you can spin up a professional-looking website, populate it with fake testimonials, and even create convincing business registrations—all within days.
- Global Reach, Remote Execution: You don’t even have to be in the same country as your targets. With the internet, everything from networking to phishing can be done from the comfort of your home.
Step-by-Step Guide to Creating a Fake Company
Step 1: Set Up a Convincing Digital Identity
- Domain Registration: Use registrars like GoDaddy or Namecheap to register a domain. For instance, registering “BlueShieldIT.com” costs around $12. Add privacy protection to hide your identity from public WHOIS databases.
- Defensive Measure: Use domain monitoring tools like DomainTools to watch for newly registered domains that resemble your business name (typos, added words such as "-billing", a different TLD), and compare the sender domain on every invoice against the vendor domain you already have on file.
- Website Creation: Use platforms like Wix or Squarespace. Populate the site with stock photos from Unsplash or Shutterstock, or generate unique images with AI tools like DALL·E. Generated images help, but on their own they will not make a site look realistic.
- Defensive Measure: Reverse-search the site's photos on Google to find the stock source, and look for AI artifacts such as garbled text, distorted hands, or mismatched details across images.
- Social Media Presence: Create LinkedIn profiles for fake employees. Use services like SocialWick to buy followers or tools like PhantomBuster for connection automation.
- Defensive Measure: Scrutinize profiles engaging with your business. Look for recently created accounts, few connections, and little or no activity history.
Step 2: Build a “Business” Reputation
- Business Registration: Register through state websites like California’s bizfile. Use virtual office services like Regus to provide a credible address.
- Defensive Measure: Look up the registration in the state's business database and check the address on Google Maps; a registered address that resolves to a coworking or virtual-office building deserves a closer look.
- Online Reviews: Buy fake reviews on platforms like Fiverr or AppSally. These services often use offshore freelancers to post convincing feedback.
- Defensive Measure: Look for review patterns, such as the same wording repeated across several reviews, or reviewer profiles that are new or have no other activity.
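The two signals above (repeated wording and thin reviewer profiles) can be checked mechanically. The script below is an added example for this article, not the author's code: it compares every pair of reviews by word-bigram overlap (Jaccard similarity) and separately flags reviewers with a single review or a very new account. The reviews, author names, and profile metadata are constructed for illustration.

```python
"""Flag reviews that look bought: near-duplicate wording plus thin reviewer profiles.

Added example for this article (not the author's code). The reviews and the
reviewer metadata below are constructed; a real check would pull them from the
review platform or from a scrape of the vendor's page.
"""
from __future__ import annotations

import re
from itertools import combinations

# Constructed sample reviews for one vendor. 'reviews_by_author' and
# 'account_age_days' are the profile signals most platforms expose.
REVIEWS = [
    {"id": 1, "author": "user8812", "reviews_by_author": 1, "account_age_days": 3,
     "text": "Great service, fast delivery, highly recommend this company to everyone!"},
    {"id": 2, "author": "user9931", "reviews_by_author": 1, "account_age_days": 2,
     "text": "Great service and fast delivery, highly recommend this company to everyone."},
    {"id": 3, "author": "mtaylor", "reviews_by_author": 42, "account_age_days": 1900,
     "text": "Ordered toner cartridges in March. Shipping took nine days and one box "
             "was dented, but support replaced it without fuss."},
    {"id": 4, "author": "user7740", "reviews_by_author": 1, "account_age_days": 4,
     "text": "Fast delivery and great service! Highly recommend this company to everyone!!"},
    {"id": 5, "author": "dpatel", "reviews_by_author": 17, "account_age_days": 800,
     "text": "Fine for basic supplies. Their invoice portal is clunky."},
]


def shingles(text: str, n: int = 2) -> set[tuple[str, ...]]:
    """Word n-grams after lowercasing and stripping punctuation."""
    words = re.findall(r"[a-z0-9']+", text.lower())
    return {tuple(words[i:i + n]) for i in range(len(words) - n + 1)}


def jaccard(a: set, b: set) -> float:
    """Overlap of two shingle sets; 1.0 means identical wording, 0.0 nothing shared."""
    if not a and not b:
        return 0.0
    return len(a & b) / len(a | b)


def flag_reviews(reviews, n=2, threshold=0.5, min_reviews=2, min_age_days=30):
    """Return {review_id: [reasons]} for every review that trips at least one signal."""
    grams = {r["id"]: shingles(r["text"], n) for r in reviews}
    near_dupes = {r["id"]: set() for r in reviews}
    # Pairwise comparison is fine for one vendor's reviews (hundreds, not millions).
    for a, b in combinations(grams, 2):
        if jaccard(grams[a], grams[b]) >= threshold:
            near_dupes[a].add(b)
            near_dupes[b].add(a)
    findings = {}
    for r in reviews:
        reasons = []
        if near_dupes[r["id"]]:
            reasons.append(f"wording near-duplicate of {sorted(near_dupes[r['id']])}")
        if r["reviews_by_author"] < min_reviews or r["account_age_days"] < min_age_days:
            reasons.append("new or single-review account")
        if reasons:
            findings[r["id"]] = reasons
    return findings


if __name__ == "__main__":
    for rid, reasons in sorted(flag_reviews(REVIEWS).items()):
        print(rid, "; ".join(reasons))
```

On the constructed sample, reviews 1, 2 and 4 trip both signals (their wording overlaps well above the 0.5 threshold and each comes from a days-old, single-review account), while the two specific, slightly critical reviews from long-standing accounts pass. Bigrams rather than longer n-grams are used so that reordered boilerplate ("fast delivery and great service") still matches; the threshold is a starting point to tune against the platform's normal review style.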
Step 3: Engage with the Target Audience
- Networking: Use LinkedIn to connect with executives and staff remotely. Send personalized messages to build trust.
- Defensive Measure: Verify new connections and be cautious with unsolicited requests.
- Fake Partnerships and Offers: Examples include offering discounted office supplies with upfront payments or low-cost cybersecurity audits that request access to sensitive systems.
- Defensive Measure: Verify offers and request references before signing contracts.
Step 4: Extract Payments, Data, or System Access
- Credential Harvesting: Post fake job openings on platforms like Monster.com or Indeed to collect sensitive details.
- Using Legitimacy to Deploy Malware: Distribute malware under the guise of legitimate software, as seen with the fake video conferencing app Realst. Victims install the app after being contacted for a “meeting,” unknowingly compromising their systems.
- Phishing Emails and Invoices: Send emails from your fake domain (e.g., accounting@BlueShieldIT.com) requesting payment for services. Include fake PDFs or links that mimic legitimate invoices.
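The invoice phishing in Step 4 and the look-alike domain registration in Step 1 are two ends of the same trick, and the defensive check is the same for both: compare the sender domain against the vendor domains you actually trust, allowing for the substitutions a scammer makes. The script below is an added example for this article, not the author's code. It generates the common look-alike variants of each trusted domain (alternate TLD, one homoglyph swap, dropped or swapped character, hyphen removed, extra word), falls back to edit distance for misspellings the rules miss, and classifies a batch of From: addresses. The trusted domains, the variant rules, and the sample addresses are constructed for illustration.

```python
"""Triage inbound sender addresses against the vendor domains a business trusts.

Added example for this article (not the author's code). The trusted domains,
the variant rules and the sample addresses are constructed for illustration.
"""
from __future__ import annotations

import re

# Vendor domains on file (constructed sample list; order only affects which
# trusted domain is reported when several could match).
TRUSTED_DOMAINS = ("blueshieldit.com", "acme-supplies.com")

# Characters a scammer swaps in because they look alike at a glance.
HOMOGLYPHS = {
    "o": ("0",), "l": ("1", "i"), "i": ("1", "l"), "e": ("3",),
    "a": ("4",), "s": ("5",), "rn": ("m",), "m": ("rn",), "vv": ("w",), "w": ("vv",),
}
# Words and TLDs commonly bolted on to a real name ("-billing", ".co", ...).
SUFFIX_WORDS = ("-billing", "-invoices", "-support", "-secure", "hq")
TLDS = ("com", "net", "co", "io", "org", "biz")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch misspellings the explicit rules miss."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_domain(domain: str) -> tuple[str, str]:
    """'acme-supplies.com' -> ('acme-supplies', 'com'); naive about multi-part TLDs."""
    label, _, tld = domain.rpartition(".")
    return label, tld


def lookalike_variants(domain: str) -> set[str]:
    """Generate the look-alike domains a scammer is likely to register."""
    label, tld = split_domain(domain.lower())
    variants: set[str] = set()
    variants.update(f"{label}.{t}" for t in TLDS if t != tld)  # other TLD
    for src, subs in HOMOGLYPHS.items():  # one homoglyph swap
        for idx in range(len(label)):
            if label.startswith(src, idx):
                for sub in subs:
                    variants.add(f"{label[:idx]}{sub}{label[idx + len(src):]}.{tld}")
    for i in range(len(label)):  # dropped character, swapped adjacent characters
        variants.add(f"{label[:i]}{label[i + 1:]}.{tld}")
        if i + 1 < len(label):
            swapped = label[:i] + label[i + 1] + label[i] + label[i + 2:]
            variants.add(f"{swapped}.{tld}")
    if "-" in label:  # hyphen removed
        variants.add(f"{label.replace('-', '')}.{tld}")
    variants.update(f"{label}{w}.{tld}" for w in SUFFIX_WORDS)  # extra word
    variants.discard(domain.lower())
    return variants


def classify_sender(address: str) -> tuple[str, str | None]:
    """Return ('trusted' | 'lookalike' | 'unknown' | 'invalid', trusted domain matched)."""
    m = re.search(r"@([a-z0-9.-]+)", address.lower())
    if not m:
        return "invalid", None
    domain = m.group(1).strip(".")
    for trusted in TRUSTED_DOMAINS:
        if domain == trusted or domain.endswith("." + trusted):
            return "trusted", trusted  # exact match or a real subdomain
        t_label, _ = split_domain(trusted)
        d_label, _ = split_domain(domain)
        squash = lambda d: d.replace(".", "").replace("-", "")  # noqa: E731
        if (domain in lookalike_variants(trusted)
                or squash(trusted) in squash(domain)  # trusted name buried in another domain
                or (len(t_label) >= 6 and edit_distance(d_label, t_label) <= 2)):
            return "lookalike", trusted
    return "unknown", None


def triage(addresses: list[str]) -> list[tuple[str, str, str | None]]:
    """Classify a batch of From: addresses, e.g. pulled from an invoice mailbox."""
    return [(addr, *classify_sender(addr)) for addr in addresses]


if __name__ == "__main__":
    # Constructed sample From: headers, not real mail.
    sample = [
        "accounting@blueshieldit.com",
        "accounting@blueshie1dit.com",
        "Billing <billing@blueshieldit-billing.com>",
        "ap@blueshieldit.co",
        "sales@acmesupplies.com",
        "jane@gmail.com",
    ]
    for addr, verdict, trusted in triage(sample):
        print(f"{verdict:9} {addr:45} {trusted or ''}")
```

A "lookalike" verdict is the case to route to a human before any payment goes out; "unknown" senders are not necessarily malicious, they are simply not a vendor on file and should go through the vendor-verification steps above. The same variant generator can feed a domain monitoring service: register or watch the variants of your own domain before a scammer does.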
Conclusion: Defend Your Business Against Fake Companies
Fake companies are inexpensive to create but can cause significant damage to small businesses. By understanding the tactics criminals use, you can build stronger defenses and protect your organization. From verifying vendors to training employees, proactive measures are key.
Scott Morabito is a technologist and founder of TechTonic. He is a computer scientist and resides in Concord, MA.