Scam Warning - Elite Pay Group
SummarySo to kick off our alerts system we have Elite Pay Group; who advertise services mainly focused on contractors and the self-employed, targeting those groups to sell services around tax consultancy and payroll.
NB: Recent updates to this case have upgraded the scam level.
On their website they note that they are already trusted by "1000's of customers due to our strict compliance related products...". However there is no such entity called "Elite Pay Group" or derivations based on combination registered at companies house. On their website there is no specific set of terms and conditions, nor note of whether EPG is a trading name.
Of greatest concern is that this type of entity would potentially deal with sensitive financial information, which in itself requires a certain level of trust.
InvestigationI received a test message from an organisation I'd never heard of before and started to investigate them. After running standard foot-printing processes I'd discovered their website and a few other facets and whilst looking at the website itself there appeared to be some inconsistencies worth investigating further. There is statement near the bottom of the main page which is incredibly suspicious:
"We provide an information only service and do not provide advice, we act as an introducer of business. By submitting your information you are agreeing for us to send you relevant information regarding our services that may benefit your requirements from time to time."
This is essentially a declaration of opt-in without the possibility of opt-out - unless you chase this entity to remove your details. Phoning the premium rate number on the website simply gets you an expensive listen to hold music with no apparent response. There is no definition of who "us" is.
After being unable to contact directly we contacted via the form on the website for an "instant calculation". Within minutes there was an email from Ed at "Extra Limited" who claimed to have tried to call me earlier (which of course he hadn't). I passed across our 0845 number which he duly called; I asked about the nature of the relationship between Extra Limited and EPG as well as requesting contact information. Ed claimed not to be able to provide those details, and would "have to pass the request to someone else".
The next cause of concern was the T's and C's on the Extra Limited website; both the name and the registration number are valid only on the Isle Of Man Companies House register; the IoM has it's own data protection laws which slows the process down more.
A check of the VAT registration number posted on the Extra Limited website shows all HMRC post will be sent to them care of Baker Tilly Isle of Man.
|Further down the rabbit hole.|
Updates 28-08-2015After Extra Limited repeatedly failed to provide the contact details for EPG, claiming EPG had emailed me I raised complaints with the Advertising Standards Agency in the UK and the Office of the Data Protection Supervisor in the Isle of Man. Within six hours the IoM Information Commissioner had been in touch acknowledging the complaint and noting some areas of interest on initial investigation.
Firstly the front page shows a false advertisement for a "past client" called "Mark Hargreaves", who is claimed to be a technical consultant from Birmingham. The IC had already image searched this image only to discover it exactly matched the portrait of Chris Peden, director of the Gulf Coast Waste Disposal Authority.
|This is just blatant - I wonder if Chris Peden knows yet?|
Nevertheless, as a result of some of these confirmations I have upgraded this item to a Scam Warning Level 3 as there is clear obfuscation, lack of willingness to engage or respond to my original subject access request and a worrying facade for one or more businesses.
Updates 21-09-2015After following other breadcrumbs it looks like the same individuals have a history in this area. A post from 2012 on Contractor UK seems to reference them with other suspicious activity. Same ideas and the same person referenced....Mr Simon Powell.
Still no answer to my SARs, although he did respond via SMS when I sent notification of SAR delivery. There's about 29 days left before the SAR response expires.
Reasons For ConcernThe email was sent by Extra Limited minutes after my false inquiry on the EPG website. There is a clear commercial relationship but no definition of the entities involved. Personal information is at risk because there is no clear ownership. Neither entity involved so far seems to exist as a company, nor does the media firm associated with the creation of the website.
It may be that information is forthcoming next week and the alert can be removed but there are a lot of unanswered questions and incorrectly represented brands. The original communication arrived via SMS without any previous relationship with any of the organisations involved.
Not only does EPG appear to be fictional as a business entity but the chain of custody of data is also under suspicion - It looks like there are two entities somehow related to Baker Tilly and all technical records relate to the Isle of Man.
Updates 21-09-2015It appears that EPG is no longer operating as a result of the IC complaint and further investigations. Will be passing on the same concerns and complaints to IoM IC later today about the following related domains:
- contractorangels.co.uk - which brings in a new dimension of Smarter Web Company Ltd as developer
- epicpaydays.com appears to have already been suspended
- Mr Powell has been in touch to claim that he is a web developer, and just sets up the sites. However we have a statement from a marketing firm in the UK that shows him to be behind the spam SMS too.
Updates 08-12-2015The IoM IC has been in touch to provide a response to the complaint we raised. As EPG as an entity has been shut down there is no further action to take. The personal data has been destroyed and the IC has warned Mr Powell of the consequences of recurrence.
Whilst we won't press further in this instance but will keep tabs on the actors involved.
Last updated 21-09
Await the response to my request for information to Simon Powell at 78media who's company either created or owns the domain and content Some development help from Jason Long (trading as Northgate Web Hosting) 78media themselves don't seem to be registered as a company in the UK - the closest reference appears to be that of a dissolved company (no. 06525504?) The IoM Information Commissioner has contacted Simon Powell successfully. At the time of writing the EPG website is unavailable and showing a GoDaddy parked domain status
- IOM IC confirms through contact with Simon Powell that this is a fictional entity used for marketing only
Await the response to my request to Ed @ Extra Limited for clarification Have sent reminder to original email Was told to check my junk mail folder as I have been emailed (this is not true). (21-8) Have emailed again asking Ed @ Extra Limited for the contact details for EPG one last time
- Complaints raised with IC and ASA
Await the response to my request to the hosting provider on clarification of the owning company Have received an email stating that "my support ticket will be closed" unless I respond but no actual support ticket email conversation has been received. Perhaps ISP-level spam blocking is taking effect? Have asked them to re-open ticket and answer the original questions Doesn't look like they'll respond, will speak to registrar instead
- The developer and hosting provider associated with the domain name has responded although they've largely washed their hands of any and all involvement. Will keep an eye on any other domains hosted by this firm in case of "phoenix".
Notified relevant government bodies of initial incept
- Apply for corrections to the domain name registration services as and when information is uncovered - now moving this forward
- IoM IC actions appear to have removed EPG website - even if it is temporary whilst corrections are being made
Attempt to contact the referenced client from the EPG website if other routes fail
- The IoM Information Commissioner has already identified that this is not the individual described on the website
- IoM Office of IC completed investigation
- ASA closed their investigation as the website had already been shut down