Threat actors never miss an opportunity to use recent events to infect computer systems or quickly and easily gather personal information. The Corporate Transparency Act (“CTA”) is just such an opportunity and businesses and individuals subject to the act need to be wary.
The CTA’s goal is to assist the government in ferreting out criminal enterprises and make it more difficult for criminals to hide their ill-gotten gains. The CTA therefore requires certain business entities to submit “beneficial ownership information” to the Financial Crimes Enforcement Network (FinCEN). Doing so provides the government with greater transparency to the ownership structures of, and relationships between, those entities. The CTA became effective as of Jan. 1, 2024, and requires online filing with FinCen by a certain date (depending on when the relevant entity was formed). Failure to comply could lead to criminal and civil penalties. For more background on the CTA law and compliance requirements, please refer to our legal update “Preparing for the Corporate Transparency Act.”
Criminals have already seized on this opportunity by sending emails that appear to be official notices regarding complying with the CTA and containing malicious links or QR codes. Clicking on fraudulent links or using fraudulent QR codes could infect your system with nefarious programs or ransomware. Indeed, FinCEN has already issued an alert about fraudulent compliance notifications:
Alert: FinCEN has been notified of recent fraudulent attempts to solicit information from individuals and entities who may be subject to reporting requirements under the Corporate Transparency Act. The fraudulent correspondence may be titled “Important Compliance Notice” and asks the recipient to click on a URL or to scan a QR code. Those e-mails or letters are fraudulent. FinCEN does not send unsolicited requests. Please do not respond to these fraudulent messages or click on any links or scan any QR codes within them.
Additionally, threat actors may utilize the CTA to gain valuable information in another way. Under the CTA, covered entities are required to provide specific information about “beneficial owners”: name, date of birth, residential address, and “an identifying number from an acceptable identification document such as a passport or U.S. driver’s license, and the name of the issuing state or jurisdiction of [the] identification document.” Not only does the CTA require the entity to provide an identifying number, but the entity must also submit “an image of the identification document used to obtain the identifying number.” In other words, companies will have to provide a copy of each individual beneficial owner’s driver’s license, passport, or other identification document.
Given that the CTA requires electronic submission of valuable personally identifiable information, threat actors may pose as third-party companies offering to assist in filing and compliance. In doing so, threat actors will likely request the victim entity or people to upload the required information and images. The entity and people would then be providing passports, driver’s licenses and other identifying document images as well as other personal information directly to the threat actor. This would provide identity thieves key information necessary to successfully steal someone’s identity and to launch additional schemes.
Companies and individuals should be wary of unsolicited CTA-related communications, including emails and regular mail, seeking personal information allegedly for compliance reasons. These communications may appear to come from FinCEN, the IRS, or other governmental agencies and departments, but if you look closely they are scams. Additionally, if you are going to utilize a third-party to assist you in your compliance with the CTA, you should only utilize third-parties you know and trust (such as law firms, known corporate compliance entities, or other companies you have worked with in the past and trust).
