Our friend asked us to look at this company, and the results make for a nice case study in the detection of possible fraud.

We started with the Escrow Atlantic website. It looks professional enough, but we always like to know who has registered an internet domain since that can provide a good clue as to who is behind the operation. Sometimes this is hidden information, but in this case it isn’t. It turns out that by going to Network Solutions’ Who Is registry here, we found that Escrow Atlantic’s site is registered to a man in Florida who has an Italian telephone number. His email address is a hotmail account with the name of a different individual.

None of this is tantamount of a scam, of course, but it’s a little unusual. Why not a company email address? Why an Italian phone number when, according to the company website, the company has no office in Italy?

We pressed on and tried to call Escrow Atlantic, but the toll-free number went to the voicemail of “Escrow Atlantic” (and not a particular person). The numbers for the Florida and Missouri offices went instantly to voicemail, and we were unable to connect with the London number.

A search for a business registration record at the Secretaries of State in Florida and Missouri turned up no record of a company called Escrow Atlantic. Nor was it registered under that name at Companies House in the United Kingdom, where you can do a free search here.

Finally, we emailed the Missouri office of Escrow Atlantic, and here we got quick responses, up to a point. Where is the company registered? We were referred to the website’s contact page with the office addresses and phone numbers. We asked again and were told that Escrow Atlantic is “Registered in the United Kingdom with offices in America and Australia.”

Unfortunately, when we responded that we could find no registration in the UK, the company went quiet on us. Of course, Escrow Atlantic could be a “DBA,” or doing business as – a business name different from the official company name – but it would be easy enough for the company to tell us that.

While we can’t say that Escrow Atlantic is not a reputable company, if it is it could do two things to boost our confidence:

1. Get someone -  anyone - to answer the phone;
2. Provide that most basic of information: the place of incorporation and the name of the company that was incorporated.

Another big change is that hedge funds, rather than having to collect only really large sums of money from wealthy people, will now be able to raise up to $1 million a year in small amounts from people not previously allowed to invest in such vehicles. Remember all the complaining that only the really rich had access to the elite performance hedge funds were able to provide? That protected a lot of little people from Bernie Madoff, but never mind – now the little people will have the same chance as everyone else to make a lot of money or, if not hand it to a criminal, invest with someone who won’t deserve the huge fees he will be charging.

Now say you are thinking of putting money in a hedge fund, or are given the task of checking out a prospective hedge fund for your client. The hedge fund has been around for three years and has pretty good returns. What else should you look at?  We’ve written in "Allen Stanford: Persistent Due Diligence Could Have Made a Difference" about the huge red flags Allen Stanford had flying if investors had just cared to look. Bernie Madoff, aside from his tiny auditor, declared with the SEC just a fraction of the stocks under management he was supposed to have had.

In the interest of avoiding such disasters in future, here for starters are some of the questions would recommend:

• What funds did the principals run before? Hedge funds can (and often do) close up shop when they don’t do well. They return money to investors and dissolve. But what about the managers of those poorly-performing funds? It’s accepted practice in the world of hedge funds that managers of failed funds get new investors and open new funds under a different name. Is your manager one of those on the rebound?

• What were the circumstances that caused the old fund to close? Was it the retirement of the manager’s partner, or just sub-par returns? If unclear on this, are there any former employees or investors we could talk to in order to find out what really happened?

• Beyond previous fund experience, have the managers ever been subject to regulatory sanctions? Have they ever been sued by investors or anyone else? If the answer to the lawsuit question is “yes, but the legal matter settled,” we would advise that you retrieve the court documents (manually is usually the way we usually do this, not on line) and then read the allegations made against your manager.

• Finally, you want to make sure the fund is registered where it says it is and the principals are really the people as represented. We’ve written before in "Prevent Corporate Identity Theft: A Consumer's Checklist" about preventing corporate identity fraud, and now that hedge funds can advertise you want to be especially careful that the address to which you send your money corresponds to the one in official records.

Will all of this take a little bit of time? Sure. But given that some people agonize for a year about which kind of luxury car to buy, it makes no sense to us that cocktail party chatter alone should be the basis for an investment worth several Porsches.

Due diligence isn’t as much as fun as the Porsche showroom, but failure to do it right could mean a downshift to a Hyundai when you least expect it.

A client once approached us to see whether we could run a quick background check on domestic helper he was thinking of employing. She cheerfully offered references, photocopies of a foreign passport and green card, plus a social security number. Our conclusion after about an hour? Her SSN was probably faked, and her green card probably was too.

How did we know without picking up a phone or looking at the document? Anyone with a SSN issued after June 25 of last year got a randomized number. There’s no way for us to tell on our own whether it’s valid or where it was issued. Employers who want to find out if a prospective worker has a real SSN need to use the Social Security Number Verification Service here. You need to register, and there’s a time lag.

What’s nice for anyone else looking at SSN’s issued before June 25 of last year (as our subject’s supposedly was) is that there used to be a system employed in issuing the numbers that could be helpful in figuring out where a person may have lived and when the number was issued.

The first three numbers related to which state the number was issued in. We often find it helpful to know that if someone we’re investigating claims to have lived his entire professional life in New York, his SSN issued in Michigan or Texas gives us a clue that for a time, anyway, he was outside of New York. For someone born in the U.S. that may just mean that he was with his family for a year when he was 12.

But for a person who grew up abroad and got a SSN when he was 35, it’s nice to know where he was when he got that number. For one thing, when checking for a criminal record you get a second state to look at since there is no such thing as a single, national criminal records check available to people outside of law enforcement.

The second two numbers of the SSN are called the series number, and we use these to figure out when the card issued. This was also how we figured our domestic helper was probably faking. The series numbers were not issued sequentially, but were issued according to a known system. If you know the system and when someone’s number was issued you can see whether the number matches the real SSN series issued in that month for that state prefix. Just check the “high number” list).

In the case of our domestic helper, she had a number that should have been issued several years earlier than her arrival in the U.S. Our theory was that she copied part of the legitimate number of a relative who had a good SSN, but that relative had been in the U.S. a lot longer.

While businesses guarding against ID theft are in the same position as people afraid of having their credit ratings ruined, there is an extra consumer angle to business ID theft: How can you be sure you’re dealing with the company you think you are?

a) Check the Secretary of State on line for the company you’re dealing with. We don’t mean Hillary Clinton. Companies in the U.S. are formed at the state level, and the government department that regulates corporate formation is usually headed up by the the Secretary of State.

 At the Secretary of State, check the following:

• Is the corporation in good standing? If not, back off. Even if it is, was it recently revived after a long period of inactivity? If so, beware and look elsewhere because scammers sometimes slip into the shoes of long-dormant companies in order to give themselves a cloak of legitimacy.
• Who is the owner of the corporation? Ask on the phone when you’re making your deal, and then check to see if the records match. If not, ask why not.
• Is the address for the company one where you would expect to see this kind of business? Does it operate out of a vacant lot or a gas station? Google the address and see what pops up. If your business doesn’t, you may have an ID theft.

b) Google the telephone number you’re calling. Even businesses without a website tend to be listed by other services. If you’re calling someone’s throwaway cell phone, that number probably won’t come up on the web as being associated with the business.

c) If the business you’re dealing with is subject to a professional or occupational license, you’ll usually be able to look that up too.

How would all of this work with the business that was impersonated in the NPR story, AAA Termite and Pest Control in Memphis, Tennessee?

There is only one such business listed on the Tennessee government site here. You find that it’s based at an address on Macon Road and that it was established in 1975. Except for a four-year hiatus in the 1980s, it has been in business ever since. Someone from the Burnett family at the registered address is the company’s registered agent.

What about licenses? While license checks are possible on line in some states, rules vary by state and even within states. Sometimes licenses are handed out at the municipal level. You can look up nurses and chiropractors in Tennessee, but not licensed pesticide dispensers. To check on AAA Termite’s license status, you have to use a telephone.

That may seem labor intensive, but if you’re not hiring new contractors every day, taking a few minutes out to make sure you’re dealing with the right person can save you a world of trouble.

For instance, several witnesses have testified that Stanford knew that prospective investors would want assurances that his banks were properly insured.  These former co-workers allege that, perhaps concerned about being subject to a legitimate insurance company’s rigorous due diligence, Stanford created a shell insurance company.  They explained that Stanford based his mythical company in London, and gave it an appropriately self-important moniker, the British Insurance Fund Ltd.  This was back in the early 1990s, when folks didn’t have access to the Internet and Google wasn’t even invented.  So, when a conscientious prospective client requested confirmation of the insurance company’s coverage, Stanford is alleged to have gone so far as to fly his CFO from Texas to London to keep up the ruse.  Once there, his colleague faxed the prospective client a fake confirmation from an empty office in London outfitted with little more than a fax machine for that very purpose. 

It’s unclear if this was enough to answer any concerns that unwitting prospective client may have had.  It’s easy to imagine, though, that with that fax in hand he could now invest in confidence that he had done his due diligence. 

But had he really done enough?  You can’t assume that because one item on your due diligence to-do list has been properly satisfied—Insurance Confirmation, check!—that you can go easy on the other items on that hypothetical to-do list.  You don’t stop just because you got good news.  You have to keep digging around, rigorously pursuing additional information, because regardless of what you’ve affirmed so far, you never know what you will find. 

For instance, although Stanford may allegedly have had an elaborate charade in place to trick customers into believing he was adequately insured, what he couldn’t hide was the fact that as far back as 1990 he had been in serious trouble with the IRS.  According to a 1997 Tax Court case, he had been assessed an eye-popping deficiency of $497,000. Certainly uncovering that the sole owner of a bank you are considering investing in is in tax trouble is a red flag for any prospective investor.

But that’s not all.  An April 2007 FINRA report on the Stanford Group Company said the firm had been found to be operating a securities business while failing to maintain its required minimum net capital. FINRA saw fit to list an extensive group of companies owned by Allen Stanford, including Stanford Group (Antigua) Ltd.

In addition, a former employee of Stanford’s, Lawrence de Maria, alleged in an April 2006 complaint in Florida state court that Stanford was operating a Ponzi scheme. 

And all that was needed to uncover this information was an unwillingness to stop digging.  

What this situation teaches us is not just that the archdiocese should have run a criminal background check on the woman—that’s obvious.  The real lesson here is the importance of timing.  Collins was hired shortly before the archdiocese instituted a policy requiring background checks for all new hires.  The church had chosen to make background checks retroactive for existing employees who worked with minors, but they made no such allowance for employees with access to church funds.  As the archdiocese spokesman explained, “It was just a happenstance of timing that [Collins] was hired just almost immediately before the program was instituted.” 

Clearly, the church should have made background checks retroactive for a broader pool of existing employees.  A reasonably prudent policy would have required a background check for new and existing employees entrusted with financial responsibilities.  In other businesses, background checks may also be in order for employees with access to trade secrets, or with access to other employees’ confidential personal or medical information. 

Now, you’re thinking, I have a background policy in place and all new employees that have these posts are rigorously scrutinized.  Well, good. But does that same level of scrutiny also apply to internal promotions whose new posts now give them access to funds or sensitive information?  Sure, a background check on an internal candidate may seem unnecessary.  After all, she’s been working for you for a while, and you believe that you don’t have to confirm that she is trustworthy, reliable, a good team player—clearly you think so or else you wouldn’t be promoting her.  Or maybe it feels invasive to conduct a criminal background check at this point.  Perhaps you assume that you know her so well that suspecting that she’s been lying or withholding information all this time is a betrayal of sorts. 

 But due diligence requires that we take a step back and look at a situation anew.  If this person had been an external candidate for this position, she would have been subject to a much more rigorous vetting process.  An internal promotion is not a time to get lazy, or to assume that because there have been no red flags up to now everything will remain fine in the future.  Or to be afraid of what you’ll find out.  It’s so easy for companies to give themselves an out when it comes to due diligence.  Don’t do it.  Make it company policy that everyone, be they an internal promotion or external hire, who has access to funds, trade secrets, confidential information, and/or minors is subject to thorough due diligence, including a criminal background search.  That’s the only way you can have peace of mind that you've done all you can to protect your organization’s best interests.  

Why is this a story anyone should feel negative about? The fact that AIG didn’t do very well controlling its own damage is immaterial, since it’s offering insurance so that the reputation of others can be helped by companies other than AIG.

Beyond a gratuitous swipe at AIG, lazy journalists don’t tend to like PR companies, period. That’s because journalists like to get right at the company they’re writing about and often resent intermediaries. Yet intermediaries are simply another kind of specialist. Why would the CEO of an oil company know the best way to talk to the media, any more than a reporter would know how to run an oil company?

It’s not always a matter of just “telling the truth,” because during a crisis litigation is almost always pending and certain facts are subject to attorney-client privilege.

Better journalists mind PR companies less, because better journalists use a lot of the same resources good lawyers and investigators use: public records and interviews with former employees of the company they are looking at.

And guess what? If you call up a PR company standing between you and the CEO of an embattled company and you ask a great question based on lots of research in securities records, court documents, and interviews, it will matter much less whether there’s a PR company in your way. If the company needs to answer the question, it will do so regardless of any PR advisor. If they can’t or won’t answer it, a good question is still a good question whether or not there’s a “no comment” after it.

A story about Adoboli in the Wall Street Journal describes him a “well educated” and “polite,” which must fall into the category of Dog Bites Man.

After all, has anyone who looked and acted like a Hell’s Angel ever held a job for very long at a big bank?

If Adoboli is guilty, his name will go alongside lots of white-collar criminals who seemed perfectly nice, smooth and well turned out, with all the right degrees after their names.

UBS may have done proper due diligence on Adoboli before hiring him and may well have turned up no red flags.

But the lesson here for anyone doing due diligence is that a nice suit and a good degree mean a little something, but not enough on which to make a decision about a person’s character or ability. 

As if to confirm worst-case scenarios, Citibank then revealed that hackers have accessed the accounts of some 200,000 credit card customers in North America.

Even with a rash of data breaches, encryption is the part of computer security we tend to forget about. We know increasingly that social networking can let too many strangers into our lives and that we should think twice before entrusting anyone with sensitive financial information.

But how many of us encrypt data on our computers? It’s so easy to do, and I would argue that it should become best practice for professionals everywhere. Our firm does so it, so that if our computers were ever stolen thieves would find nothing but encrypted garbage where case files should be. We like the free, open-source Truecrypt program, available here. Other alternatives are available but at a cost.

But what about email? There is plenty of evidence that a deleted email can stick around in many forms on your computer or server even after you hit “delete,” but few think about the dozen servers between your office and the server of the person receiving your email. Both you and the recipient can do whatever you want, but your unencrypted email may be stuck (for years or decades) on multiple servers in multiple countries, all ready to be hacked.

While it’s true that hackers with enough patience and computing power can break many encryption codes, the idea is to raise the cost for criminals even to try.  If you encrypt just the tiny portion of your emails carrying sensitive financial information, you direct a hacker right to your most vulnerable material. If you encrypt thousands of emails, a hacker will give up after working for hours to unveil messages that say “Happy Birthday!” or “Tks, will do.”

Yesterday the U.S. Commerce Department issued its green paper on cybersecurity, but stopped short of recommending encryption of emails. It strikes us that for certain highly sensitive matters encryption of email is worth the trouble. There can be problems with forwarding, and in many cases it makes sense for both sides to have an encryption program. Otherwise, you need to keep the same string of messages going for a non-licensee to benefit from the encryption-licensee’s program.

At the very least, we should all make sure our email accounts have their own passwords. That way if someone looks at your desktop computer at work, your Microsoft Outlook can at least stay locked. Password protection for Outlook can be arranged by setting a password for your Personal Folders File (.pst) within Outlook. You can do this on the File menu under Data File Management.  

Why someone (either a criminal or a government operator conducting a sting) would want to invent a law firm is not hard to imagine. For anyone to be taken in by a fake firm would mean they had done not the slightest bit of due diligence.

Without knowing for certain whether or not the law firm in question is genuine, here is a free, one-step process you should always follow when researching a new lawyer:

1. Attorneys need to be licensed. As with any other licensed profession, look up the licensee. In the case of the firm listed above, the partner who is supposed to have attended a New York law school is not listed at being admitted to practice law in New York.

There could be reasons for that, I suppose, but why have a single location in New York when you can't practice there? Then there is this: That same partner is supposed to hold a Bachelor of Civil Law degree from a U.S. law school that awards the Juris Doctor degree and not the BCL.