Anatomy of a Scam Investigation: Chapter Two

Fun

[Wondering what's going on here? Check out the Chapter Index on this series.]

In Chapter One, I introduced you to UST Development, Inc., explained why I believe that its looks-like-an-invoice-but-isn't mailing constitutes mail fraud, and asserted that anyone with an internet connection, a few bucks, and some time can investigate and expose scammers like this. Today I want to talk about Google search methodology and free resources.

But first, let's review why this is a worthwhile enterprise:

1. Scammers are scum.

2. Scammers live on the margins. That means that maybe a tenth or a half of one percent of their solicitations yields a victim, and only a few percent of victims make any real effort to do anything about being scammed, including researching, complaining about, or publicizing the scammers. Scamming "works" as an economic model because the scammers can (and routinely do) give refunds to some of those few percent who complain, and because so few go to law enforcement or publicize their experiences, they can ride out complaints for a few months, abandon the scam, and move on to a new one. This is precisely why individuals have the power to thwart scammers. If a few more percent of us research scam solicitations and report them to the authorities, if a few more percent of us Google a suspicious invoice or solicitation before biting, if a few more percent do a righteous internet cavity search of the scammers and write about it to raise the Google profile of warnings about the scam, then the margins become too narrow, the scam is publicized too quickly, and the scammers lose. The margins are the scammers' friend, but we can make those margins the scammers' foe.

3. Scammers don't stop. They redesign, reload, and repeat scams under different guises, often using similar entity names, similar pitches, and the same telephone numbers or addresses. Thoroughly researching and publicizing one scam may make it more difficult for the scammer to succeed in his next scam.

So. As I said in Chapter One, we want to learn all we can about UST Development, Inc., its activities, and the people running it. We're going to start with the scammers' most formidable foe: Google.

Google is far more powerful if you approach it with a methodology:

1. Build a search term list, consisting of entity names, variations on entity names, individual names, variations on individual names, addresses, phone numbers, email addresses, and key words and phrases from the fraudulent solicitations in question. Your list should account for abbreviations (for instance, UST's "305 N. Sacramento" may yield different results than "305 North Sacramento." Your list should also include a few common descriptors to combine with other terms — descriptors like "scam" and "fraud."

You're going to add to this list as you search, because you're going to encounter more entities, individuals, addresses, and key words. If you're being very thorough and methodical, you may want to create a list of combinations of terms (e.g. "+UST +scam") so you can keep track of what word combinations you have tried.

2. Build an issue list containing general subject matters, concepts, and ideas for later follow-up. Example: in Chapter One I noted that an early search on UST Development, Inc. yielded a Scam Informer page with a complaint. That complaint was by someone claiming to be a former employee who was promised salary but never paid. The alleged ex-employee asserted that (1) the principals of the company made numerous promises of repayment that they didn't honor (as we'll discuss later, the conduct described is classic con-man lulling), and (2) later attempted to evade payment by declaring bankruptcy. That adds subjects to our issue list: salary and payroll issues, false promises of repayment, and bankruptcy. We're going to use those later — in part by going to PACER to search for bankruptcy court records. We're going to remember these issues in order to look for patterns and corroboration. Preview: the claims of payroll issues and false promises of repayment are going to be repeated big-time.

2. Learn to use Google search commands to make your searches more effective. Google itself has some good tips, and there are plenty of essays out there on the subject. The main impediment to effective searches is not necessarily that Google fails to tell you about a page; rather, it's that Google buries the page amongst 20,000 others. Hence UST Development, without quotes, might return different results in a different order than "UST Development", with quotes. You may wind up trying both. Similarly, the order of search terms can yield different results — scam UST yields different pages than UST scam.

3. Think about how people write and talk about the things they encounter. What words would you expect people to use if they were complaining about a scam like this? What words would you expect the perpetrators to use in prior solicitations? In this context, "scam" and "fraud" are both popular, but sometimes you should consider "refund", "response", "answer", and similar terms to catch descriptions of people's efforts to communicate with the scammers. This is an art, not a science.

4. Think about connections between terms. As I noted above, you're going to be combining search terms. Doing so is a key investigative tool in testing hypotheses. Say you find complaints of a similar-sounding scam using a different name. You'll want to know if they are related. So you're going to combine terms from the first scam (say, the phone number, or individual's name) and run it with terms from the second scam (say, an address or name) to see if you find any connections.

5. Be aware of useful sites that don't tend to show up early in Google results. By design or chance, or because of some barrier to Google's scary-ass spider bots, some incredibly useful sites have information that won't turn up in response to Google searches, or at least not in the first few pages of results. Learn about them. For the purposes of a fraud investigation, some key sites are the Better Business Bureau, the Secretary of State of the various states (which often include an internal search engine with which you can find out about entities created or authorized to do business in that state), the Fictitious Business Name registries of the various counties, and WHOIS search engines listing the registrars of web sites. It's often more efficient to visit these sites first to build your search and issue lists before you start Google searching.

So. Let's get to work, shall we? This would be a good time to go to the bathroom.

Look, I said up front that this takes time, and I mean it. It can be tedious. I'm not going to describe all the unsuccessful searches here, or all the searches that yielded the same old hits, or the other boring things. Let's go for the fun stuff.

1. Starting with the fraudulent solicitation I posted in Chapter One, we're starting with search terms of UST Development, Inc., 305 N. Sacramento Avenue, 305 North Sacramento Avenue, www.ustdevelopment.com, 800-818-9777, 626-205-1133 (always remember the fax number! Note it isn't toll-free like the primary number — who knows where it may lead?), $175, "This is not a statement for services rendered but for preventative maintenance." Those are our building blocks.

2. A quick trip to www.ustdevelopment.com, the web site listed on the solicitation, gives us more terms. First, I note (as piperTom, in comments, already has) that the url redirects to a web site called www.us-telecom.com. That's not the last we'll hear of that name. From the website, after noting the awful design and architecture (typical of fraudsters; they're cheap and they think they're web designers), we add some email addresses to our search term list and some locations (Monrovia, San Diego and Las Vegas) to our issues list. As always, we check the WHOIS data. The www.us-telecom.com WHOIS doesn't yield much — they are using a professional registrar as a buffer — but the WHOIS of www.ustdevelopment.com shows that "U.S. Telecom Inc." registered it. Two lessons here. (a) Scammer entity names are often related, and you can spot patterns. Hence US Telecom becomes UST becomes UST Development. (b) Take screenshots of pages early, or print as pdfs. I could have sworn that when I ran this last week it named an individual.

3. Next, to build our search list some more, let's go to the California Secretary of State business search portal. Here you want to start a bit broader — US Telecom rather than US Telecom Inc., for example. "US Telecom" doesn't yield any obvious candidates — there's a "US Telecom Communication Services Company" out of Texas that's suspended, and a "US Telecom Long Distance" out of Nevada. Let's add those names to our search and issue lists. Foreshadowing: we're going to see that Nevada entity again. While we're there, we repeat the same search for US Telecom as an LLC, in case it's been mislabled deliberately or accidentally, or in case it has similarly-named related entities. That yields one US Telecom, LLC hit — we'll add its data to our lists to determine whether it is related. We repeat the same steps for "UST Development" and hit paydirt. It's a California corporation created in 2008 and its address matches the 305 N. Sacramento address on the solicitation. It also gives us the name of an agent for service of process, who is an individual attorney rather than a professional registered agent company.

A word about registered agents: the fact that someone is a registered agent for a scammer doesn't mean that they are in on the fraud. Agents — even individual attorney agents — often have no connection to or knowledge of the day-to-day operations of the entities for which they are the registered agent of process. Mark Bennett says as much, but suggests — correctly, I assert — that if any attorney reviewed and approved the UST Development, Inc. solicitation, that attorney would have to be either a participant in the fraud or freakishly incompetent. For what it's worth, all this started when I emailed this attorney and the general info address of UST; the President of UST called me directly, saying the attorney had called him about the email. [Edited to add: In Chapter Eleven, I report that Mr. Baranowski resigned as agent for service of process of UST Development, Inc., though not for another apparent UST/Bell entity.]

Note that keeping track of registered agents can be useful because if diverse companies use the same agent, that could be (but may not be) a sign of a connection among them.

4. Now, it's off to the local Better Business Bureau. You may want to start with the BBB for the area where the scammer has his nominal address, or where you received the solicitation, or both, or you may want to start at the national level and do a global search on their engine. Here we hit paydirt again and more terms for our search and issue lists. US Telecom yields hits. UST Development yields hits. Those hits tell us the following: (1) we've got another address, this one at 1967 South Myrtle in Monrovia, with the same 800 number; (2) the BBB treats US Telecom and UST Development as the same entity (and posits a UST Inc.); (3) the one customer complaint describes getting a $175 "invoice" and attempting to get an answer from UST; (4) the BBB views the UST solicitation as so self-evidently improper that they've reached out to UST to tell them about U.S. postal laws regarding solicitations disguised as invoices and given them an "F" grade; and (5) DAVID BELL is listed as the "President."

After we've noted all that, we're going to use the BBB's quite useful search tool to search by individual name, address, and phone number. A search for the Myrtle address in Monrovia yields another F-rated business — "Celestial Mouldings", the 626-205 phone prefix of which is the same as the 626-205 fax prefix of UST Development. Could they be connected, or is it some sort of mail drop for multiple companies, or strip mall/office park? I don't know yet. Google Street View is not conclusive. To be safe, I'm putting it on the search list, to rule them in or out.

A note about that customer complaint on the BBB site — it reminded me of the importance of attention to detail. The customer noted that the contact email for the company was info@ustdryutilities.com. I had not noticed that; it led me to a defunct corporation called UST Dry Utilities, Inc., and another address in Ontario, California. More grist for the lists. Remember to work backwards when necessary: when you find new names and addresses and phone numbers, go back to the Secretary of State and BBB and plug them in. Always be building your list.

5. Los Angeles County's Fictitious Business Name search engine isn't very good — unlike some counties, it doesn't give access to underling filings — but it gives us some activity snapshots and potential names for our search list.

Okay: enough for today.

What. You want a taste of more?

Like, say, more salary shenanigans?

How about victimized lawyers?

An arrest?

Tune in next time.

Additional update: please read this important note.

Edited to add: Chapter Three is Up. So is Chapter Four. And now Chapter Five.

Last 5 posts by Ken White

33 Comments

31 Comments

  1. David  •  Sep 12, 2011 @11:19 am

    (2) … I could have sworn that when I ran this last week it named an individual.

    Rather than use the whois facilities of various domain providers (such as Network Solutions), you might consider using BetterWhois.com. The former may filter some information, but the latter shows a complete record, as below:

    Registrant:
       US Telecom Inc.
       1967 S. Myrtle Av.
       Monrovia, California 91016
       United States
    
       Registered through: GoDaddy.com, Inc. (http://www.godaddy.com)
       Domain Name: USTDEVELOPMENT.COM
          Created on: 09-May-08
          Expires on: 09-May-13
          Last Updated on: 21-Jun-11
    
       Administrative Contact:
          Bell, David  dbell@ustdev.com
          1967 S. Myrtle Av.
          Monrovia, California 91016
          United States
          +1.6262568911
    
       Technical Contact:
          Hostmaster, Hostmaster  hostmaster@earthlink.net
          1375 Peachtree St.
          Level A
          Atlanta, Georgia 30309
          United States
          +1.8889321997      Fax -- +1.7177035107
    
       Domain servers in listed order:
          NS77.DOMAINCONTROL.COM
          NS78.DOMAINCONTROL.COM
    
  2. Ken  •  Sep 12, 2011 @11:23 am

    You're awesome. Readers, I should point out that I've learned many things about internet cavity searches from my co-bloggers David and Patrick. The info above confirms a Monrovia address, and provides a new phone number that yields some good new results for the next chapter. It also yields a new domain (ustdev.com).

  3. TJIC  •  Sep 12, 2011 @11:28 am

    Awesome work. Looking forward each day to these updates!

  4. David  •  Sep 12, 2011 @11:35 am

    I'm sure you've already noticed the address on the photocopies of the returned checks, since you previously alluded to that physical location. So I'll just note that it's an amazing time to be a consulting detective.

  5. Dan  •  Sep 12, 2011 @11:37 am

    The facts of the case in pdf of the lawsuit ("victimized lawyers") are almost cliche, right out of the 419 scammer handbook. You have to wonder at what point the attorneys realized that they should have never taken on the case. Client selection is so critical.

  6. Scott Jacobs  •  Sep 12, 2011 @11:51 am

    I wouldn't be shocked if you find a lot of incorporation docs coming from Nevada – IIRC, Nevada has some very nice Inc and LLC laws allowing for owners of a business to remain hidden, or at least unpublished.

    I've long suspected such laws have an origin in the Mob.

    And Ken, remind me how much the yearly fee is to stay on your good side. :)

  7. Roger  •  Sep 12, 2011 @12:58 pm

    Scamming 101: The wife is nearly always complicit.

    See the 3rd result here:

    http://www.veromi.com/Search.aspx?sType=name&db=&fn=Cynthia&mn=S&ln=Bell&city=&state=CA&dobmm=&dobdd=&doby=

  8. Roger  •  Sep 12, 2011 @1:03 pm
  9. Roger  •  Sep 12, 2011 @1:08 pm
  10. Ken  •  Sep 12, 2011 @1:27 pm

    Its not my experience that the wife is always complicit, Roger. I'm open to evidence, but haven't yet seen in in this case.

    Edit: Also, please note that Ms. Bell maintains that Bell is her name, that Lapolice is her former name, and that she does not use aliases, and that she is not any of the other persons with other names listed through those links.

  11. RandomDude  •  Sep 12, 2011 @2:05 pm

    Ken,

    Check out Pedalz and Zencycles, Cynthia Bell primary, located at [redacted].

    Her name and numerous aliases appear on several other commercial entities as well.

    Madonna Francis Bell,
    Cynthia Francis Bell, Cindy S Bell, etc

    Checking that address, which matches plenty of hits for David William Bell, it appears the house was built in 1977 and sold to an Archie Bell, who died in January 2010 at the age of 72. The narrative emerges that Archie's daughter, Cindy Francis, married William David Bell and was living with her father through numerous iterations of "enterprise."

    It's entirely possible there is another Cynthia Bell in southern CA that married a William David Bell, but it seems quite unlikely based on the many, many businesses that tie back to these names.

    Edited: Note that Ms. Bell indicates that the "Madonna" name is not her, and that Bell is her name and Lapolice her former name.

  12. RandomDude  •  Sep 12, 2011 @2:06 pm

    Sorry, David William, not William David in that last paragraph.

  13. doug  •  Sep 12, 2011 @2:13 pm

    i love it.

  14. bill.  •  Sep 12, 2011 @3:29 pm

    This is very entertaining and informative. But as a side note, and as someone who is not a lawyer nor have I taken part in any legal proceedings, reading thru the "victimized lawyers" pdf I am astonished by how much of that $25,000 is a very large number of 10 minute phone calls.

  15. Mark Bennett  •  Sep 12, 2011 @4:32 pm

    Bill, as I read it those are not ten-minute phone calls, but rather tenth-of-an-hour (or six-minute) phone calls.

    Prepare to be further astonished: to a lawyer billing in 0.1-hour increments, any amount of time less than six minutes counts as "six minutes." So a 0.1-hour phone call might have lasted twenty seconds.

  16. Ken  •  Sep 12, 2011 @5:11 pm

    About to drop some money on some criminal records.

  17. Grandy  •  Sep 12, 2011 @7:53 pm

    "Minimum length" time units is not really uncommon across many fields. E.g. it's not unusual for an IT support person who is going by the hour to bill over-time work in minimum time increments (and this is often contractually agreed on).

  18. John  •  Sep 12, 2011 @8:14 pm

    Want me to drive by and take a picture, tell you what's there? I live about 20 minutes from South Myrtle in Monrovia: it's between me and the Home Depot, so I'm there a lot (serial handyman). I promise not to get out of the car.

  19. G Thompson  •  Sep 12, 2011 @9:36 pm

    Google also has another not widely known search ability – Google Finance which is currently Beta only for certain countries
    Looking on Google Finance for UST gives some interesting factoids plus names from Hoovers. (The Hoovers Link is basic info unless you want to pay for it)

    For people and Business Searches (its beta and wonky on Buss search though) I have for years used pipl
    For example On the Business Search using basic info you get some interesting public data but a lot of false positives too.

    Though using the normal name and specific location search Useful Information abounds (esp under public records) and look at the perty pics on the side ;) . Cut down, change and massage the search for even better data. Sometimes this saves having to pay for standard checking especially if like me you reside in another country.

    Searching for yourself is probably not a good idea ;) though the username and email searches pipl does is amazing.

  20. Pete Hokner  •  Sep 13, 2011 @1:33 pm

    We just got the same invoice today (09-13-11). Thanks for the info – this will be sure to go to the shredder. To John who is 20 minutes away – yes, please drive there, get out of your car, and kick this guys a** !

  21. Ken  •  Sep 13, 2011 @1:39 pm

    Thanks, Pete! I assume you got here through a search for UST. That's exactly why I am doing this. Can you tell us what industry you are in?

  22. Ken  •  Sep 13, 2011 @1:58 pm

    Search hits for today only as of 2:00 p.m. PST:

    ust development, inc. ontario (3)
    ust development, inc. preventative maintenance
    ust development scam invoices
    ustdevelopment.com (3)
    http://www.ustdevelopment.com (2)
    ustdevelopment.com reviews
    ust development inc scam
    ust development inc ontario ca

  23. Adam Steinbaugh  •  Sep 13, 2011 @5:32 pm

    If you're dropping money, a few bucks spent on a DomainTools.com DNS history can reveal prior addresses, web hosts, and other sites hosted on that server (useful if the hosting company is small)

  24. John  •  Sep 14, 2011 @8:48 am

    Pete, sorry, but I don't want to muddy Ken's water by creating a sympathetic "victim".
    But there are other means….. (cue mad, scary laughter)mwaahwahhwahwahhahaha

  25. Gabi  •  Sep 17, 2011 @8:08 pm

    Interestingly enough, us-telecoms.com, as opposed to us-telecom.com, looks fairly reputable and it pops up in the website completion bar.
    I bet they hope that people will look at that site instead.

  26. n/a  •  Sep 17, 2011 @9:48 pm

    Several sites give historical "WHOIS" data, e.g. http://www.domaintools.com/research/whois-history/

    I can't find any free ones but there must be some out there.

  27. Andy  •  Sep 18, 2011 @6:05 am

    There are references in these posts to future discussions of PACER, but those discussions don't materialize. No link, no info.

  28. Ken  •  Sep 18, 2011 @7:20 am

    There are references in these posts to future discussions of PACER, but those discussions don’t materialize. No link, no info.

    Aw, gee, Andy, am I not producing free content fast enough for your tastes? I'm so sorry!

  29. Pete  •  Sep 18, 2011 @11:33 am

    Don't forget the Internet Archive's wayback machine: http://www.archive.org/web/web.php – it lets you enter a url and gives you all the changes to the site over time. They only have two snapshots of ustdevelopment.com from 2010, but have dozens of snapshots of us-telecom.com dating back to 2002.

  30. Ken  •  Sep 19, 2011 @8:43 am

    I really love that some commenters are giving me leads on methods I had forgotten or had never heard of.

  31. Michael  •  Sep 29, 2011 @7:10 am

    If the company is foreign, and they have an English-language page separate from their native language, check the native-language page too (easier to do now with Google translate). Several years ago we were approached by a German bank with suspicious-looking terms for a listing on Frankfurt. The people on their English webpage checked out, but their German page had different people listed as officers, and some of those turned out to have been charged in the past with securities fraud.

2 Trackbacks