Imagine if we didn’t have identity verification and authentication.
I could walk into a luxury car dealership and buy a car, telling the salesperson that my name is Bill Gates. I could buy the car, and Gates would get the bill.
Sounds great…until someone impersonates YOU and gets YOUR money.
Do you remember ViVi Contras Belleville Brown 429, the long-winded scammer who contacted me at length about a position at “the intersection of Global Supply Chain and Systemic Accountability”?
Well, I guess I’m not the only candidate she targeted. I just received an email that read, in part, as follows. (I’m hiding the identity of the emailer to spare them from other scammers.)
“I received a very similar ‘contact’ from Vivi Brown trying to solicit my employment interest in the same AI/Energy Structure start-up. Oddest ‘interview’ procedure I have ever seen. No concrete job descriptions, organization structures, identification of Founders, etc. All communications mandated on WhatsApp (encrypted). Very verbose ‘corporate speak’ exchanges. When I asked if this was AI, they obviously denied that it was. Answers to background questions don’t necessarily add up. Company startup name given to me was ‘ARCLight’, and their interest in me reportedly ties to my mgt experience in Energy Structure Development. Numerous pictures (AI driven ?) of the young Vivi Brown have been forwarded with ‘feel good’ influence peddling formats, mixed in ‘business’ answers to my structure comments/questions. It looks like the AI derived Vivi was created as an Influencer on EezyCollab (“catfishing”?).”
I never encountered the WhatsApp red flag since I applied my KYB Fraud Failure flag early on, but I’m not surprised.
As for EezyCollab (which was NOT part of the scam, but may have been used by the scammer), it “connects AI products with the right creators across global markets — powered by an AI platform of 100M+ creators, direct pricing, and end-to-end delivery.” Plus its founder Yiki Chen is a marketer and vibe coder who has been vibe coding since 2021. Groovy.
Returning to Vivi, I found the website https://www.shvivi.com/#home for A.R.C (sic) Insight. (Not ARCLight.) It includes insights such as the following:
“Vivi Brown’s profile was not built through display. It was formed through consistency, disciplined judgment, and the gradual development of capability — producing a rare combination of written clarity, operational steadiness, and long-range strategic calm.”
This afternoon I received an email from the very verbose ViVi Brown.
It began with the standard “I hope this email finds you well.” Then the pitch begins.
“I came across your profile on LinkedIn and noted your public contact information, which is why I am reaching out to you directly.”
I couldn’t find Brown’s own LinkedIn profile, by the way. The pitch continues.
“I am currently the Founder of a San Diego-based startup, primarily responsible for managing and assisting our team in establishing connections with industry leaders like yourself. Our company is backed by TPG Capital, with business sectors encompassing Artificial Intelligence, Energy Systems, Semiconductors, and Algorithmic Platforms.”
Now this sounds impressive. TPG backing, multiple high-tech business sectors. It’s a little odd that Brown didn’t mention her company name, but I knew I could deduce it from her corporate email address.
Um, 429? At least it’s not 420.
Unless someone is an independent consultant, there’s no need to use a Gmail address that doesn’t have your name and ends in a number. Especially if you are the Founder (and, as we will see, other things) of a TPG-backed multi-sector high tech firm.
Brown continued her pitch, which went on and on and on. Paragraph after paragraph of corporate-speak, such as a reference to “the intersection of Global Supply Chain and Systemic Accountability.” Because obviously my LinkedIn profile screams global supply chain.
Translating corporate-speak to English, apparently ViVi Contras Belleville Brown 429 wants to chat about a Global Strategic Operations Partner position. And to get to know me via a deeper conversation.
She then closes her email with a signature block listing her positions (but again not her company name).
Signature block?
So she is the Founder, the CEO, the Managing Partner, the Chief Revenue Officer…and the Project Lead? That’s more job titles than I have at Bredemarket—even when you include “Senior Nespresso Operator.”
I don’t know what 429’s scam is. Data harvesting? Identity theft? Financial fraud? For all I know it may be a romance scam. (Run by a 40-year-old guy.)
I knew I was going to write about this scam email in the Bredemarket blog and on LinkedIn. Employment fraud is a hot topic on both platforms. But how should I respond to the scammer?
My usual “As an anti-fraud professional, I require that you please provide your corporate email address” would take too much time. So I aimed for surprising brevity:
This is not a comment on the corrupt nature of politics, but a question.
Apparently people in Kennebunk, Maine are receiving emails from their “Board Commissioners.”
“The email claims the permit is ready and approved, but that the “Board Commissioners” just needs a payment of $4,000 via wire transfer to finish it.
“Lee Feldman, deputy director of community development for the department, said Thursday that the email also named a former board member to try to bolster its apparent legitimacy.”
But Kennebunk citizens are smart, and one reported the scam attempt.
Last year I wrote about a biscuit and a football, but I wasn’t talking about the snack spread on game day.
Google Gemini.
I was talking about the tools the United States President uses (as Commander-in-Chief) for identity verification to launch a nuclear attack.
But sometimes you have to pass the football. If the President is temporarily or permanently incapacitated in an attack, the Vice President also has a football and a biscuit. Normally the Vice President’s biscuit isn’t activated, but when certain Constitutional criteria are met it becomes operative.
Other than this built-in redundancy, the system assumes one football, one biscuit, and one President.
If you’re a cybersecurity expert, you know this assumption is the assumption of a fool.
It is not impossible to have duplicate functional footballs and duplicate functional biscuits.
And it is not impossible to have duplicate functional Presidents, with identical face, voice, finger, and iris biometrics. Yes, it’s highly unlikely, but it’s not impossible. If the target is important enough, adversaries will spend the money.
Grok.
And most of us will never know the answer to this question, but how do government cybersecurity experts prevent this?
These are the no-good characters from my Bredemarket blog post earlier today, “Why is Educational Identity Important?” That post quoted from 1Kosmos and Fischer Identity:
“Higher education institutions are increasingly targeted by identity fraud schemes, including “ghost students,” synthetic identities, and financial aid fraud.”
Don’t let these fraudsters rip your university off.
When you’ve been around long enough, zero trust is an attitude, not a technology. Which is how I reacted when I received an email from Substack yesterday and questioned whether it was REALLY from Substack.
The email
How many of you received this email yesterday?
Hello,
I’m reaching out to let you know about a security incident that resulted in the email address and phone number from your Substack account being shared without your permission.
I’m incredibly sorry this happened. We take our responsibility to protect your data and your privacy seriously, and we came up short here.
What happened. On February 3rd, we identified evidence of a problem with our systems that allowed an unauthorized third party to access limited user data without permission, including email addresses, phone numbers, and other internal metadata. This data was accessed in October 2025. Importantly, credit card numbers, passwords, and financial information were not accessed.
What we are doing. We have fixed the problem with our system that allowed this to happen. We are conducting a full investigation, and are taking steps to improve our systems and processes to prevent this type of issue from happening in the future.
What you can do. We do not have evidence that this information is being misused, but we encourage you to take extra caution with any emails or text messages you receive that may be suspicious.
This sucks. I’m sorry. We will work very hard to make sure it does not happen again.
– Chris Best, CEO of Substack
My reaction
My jaded reaction?
“Yeah, right.”
Yes, the email came from “Substack Standards & Enforcement” at security@substack.com, but the visible From: address is the easiest part of an email to fake, and a few months ago I received an email processed by Substack’s servers that was NOT sent by the Substack account owner.
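A concrete version of that check, as an added example that is not part of the original post: the only evidence a recipient has that security@substack.com really sent a message is the receiving mail server’s own Authentication-Results header (DKIM and SPF results, with DMARC alignment against the From: domain). The script below parses that header from two constructed messages (neither is real Substack mail), ignores any Authentication-Results line not stamped by the assumed receiving server mx.example.net (a sender can forge those headers too), and reports whether the authenticated domain aligns with the From: domain. The organizational-domain shortcut (last two labels) is a simplification of the public suffix rules.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample messages, not real Substack mail. The first carries a
# DKIM signature and SPF result aligned with the From: domain; the second was
# relayed by an unrelated server that signed for its own domain only.
ALIGNED_MSG = """\
Authentication-Results: mx.example.net;
 dkim=pass header.d=substack.com header.s=s1;
 spf=pass smtp.mailfrom=bounces.substack.com;
 dmarc=pass (p=reject) header.from=substack.com
From: Substack Standards & Enforcement <security@substack.com>
To: reader@example.net
Subject: Security incident

Body text.
"""

SPOOFED_MSG = """\
Authentication-Results: mx.example.net;
 dkim=pass header.d=mailer.example.org;
 spf=pass smtp.mailfrom=mailer.example.org
From: Substack Standards & Enforcement <security@substack.com>
To: reader@example.net
Subject: Security incident

Body text.
"""


def org_domain(domain):
    """Relaxed DMARC alignment compares organizational domains. This takes the
    last two labels, which is a simplification (it mishandles suffixes such as
    co.uk) but is enough to show the comparison."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_alignment(raw, authserv_id="mx.example.net"):
    """Return which authentication results (if any) align with the From: domain.

    authserv_id is the receiving server's identifier (assumed here); only
    Authentication-Results headers it stamped are trusted, because a sender
    can insert its own copies of that header before relaying the message.
    """
    msg = email.message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()

    trusted = [
        h for h in msg.get_all("Authentication-Results", [])
        if h.strip().startswith(authserv_id)
    ]
    results = " ".join(trusted)

    # DKIM: the signing domain (header.d) must align with the From: domain.
    dkim = re.search(r"dkim=(\w+)[^;]*header\.d=([\w.-]+)", results)
    dkim_aligned = bool(
        dkim and dkim.group(1) == "pass"
        and org_domain(dkim.group(2)) == org_domain(from_domain)
    )

    # SPF: the envelope sender domain (smtp.mailfrom) must align with From:.
    spf = re.search(r"spf=(\w+)[^;]*smtp\.mailfrom=(?:[^@\s]+@)?([\w.-]+)", results)
    spf_aligned = bool(
        spf and spf.group(1) == "pass"
        and org_domain(spf.group(2)) == org_domain(from_domain)
    )

    return {
        "from_domain": from_domain,
        "dkim_aligned": dkim_aligned,
        "spf_aligned": spf_aligned,
        # DMARC passes if either authenticated identifier aligns.
        "dmarc_pass": dkim_aligned or spf_aligned,
    }


if __name__ == "__main__":
    for label, raw in (("aligned", ALIGNED_MSG), ("spoofed", SPOOFED_MSG)):
        print(label, check_alignment(raw))
```

A message with no trusted Authentication-Results header, or one whose DKIM d= domain is unrelated to the From: domain, gets dmarc_pass False even though the From: line reads security@substack.com. That is the check the visible sender address cannot give you, and it is why a breach notice that only arrives by email deserves the reaction below.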
So last night I went to Substack’s own Substack account @substack to see what it said about the matter.
At the time…nothing.
As far as I was concerned, my email and phone number MAY have been breached, or maybe not. Perhaps some nefarious actor was trying to make Substack look bad.
So I forgot about it.
The article
This morning I revisited the issue to see if any reputable organizations had written about it. Not finding a Washington Post article, I turned to TechCrunch. (I’ve been reading TechCrunch since the Arrington days.)
Newsletter platform Substack has confirmed a data breach in an email to users.
So TechCrunch relied on the same information I had. There was no indication that TechCrunch had reached out to Substack directly to confirm the authenticity of the email.
Then again, TechCrunch printed its article at 6:55 am PST, and it was still up an hour later at 8 am. If the email had been a scam, Substack would have contacted TechCrunch immediately.
So I guess the story is legit.
Three ways to inform users of a breach
The story goes well beyond Substack, since sites are breached all the time. As far as I’m concerned, the issue isn’t “if,” but “when.”
(And yes I’m looking at you, all Workday-using sites that set the app to require account creation. How will you respond when a jobseeker asks you how you will protect their data WHEN your site is breached?)
There are three ways to inform your users of a breach.
Don’t inform them at all. Bitdefender’s survey shows how common this is: it surveyed over 400 IT and security professionals who work in companies with 1,000 or more employees. Bitdefender found that 42% of IT and security professionals surveyed had been told to keep breaches confidential — i.e., to cover them up — when they should have been reported.
Perhaps even more shockingly, 29.9% of respondents admitted to actually keeping a breach confidential instead of reporting it.
Minimally inform them. What I’m calling the Substack method, where a breach is publicized via one easily-spoofed channel, and not on the platform itself.
Powerfully inform them. The KnowBe4 method, in which KnowBe4 confirmed on multiple platforms that a North Korean had successfully secured employment with the firm.
I’ve previously noted that one possible sign of a scammer is when they don’t initiate a LinkedIn connection to you, but instead want you to initiate a LinkedIn connection to them. When a scammer is scamming, they can’t blow through a few thousand connection requests every day, so it’s better if the victims initiate the connection request themselves.
I immediately thought of this when I received an email from a Gmail account to one of my odd accounts entitled “Thinking of connecting.”
Um…why not just do it?
Here’s the text with the scammer’s alleged name changed:
“I saw your profile on LinkedIn and wanted to say hello. I’m Melania.
“I’ve always been interested in learning about different professional paths. This is just a friendly intro for the start of the week—no expectations on my end.”
Obviously I didn’t respond. Because I have no idea who the Gmail account holder REALLY is.
A day later, I received a second message that included the following:
“Things are actually pretty smooth and manageable on my end as the Operations Manager at Estée Lauder, so I’ve had some extra time to catch up with my network. I’d love to hear how your side of the world is treating you whenever you have a moment.”
Again, I didn’t respond. I didn’t even ask for “Melania’s” Estée Lauder email address (again, the emails are from a Gmail account).
Then we got to day three. Remember how Melania said she had viewed my LinkedIn profile? This was the next question she asked:
“Is it snowing where you are?”
Obviously she hadn’t read anything, and I was getting bored, so I blocked her from all email addresses.
When the United States was attacked on September 11, 2001—an attack that caused NATO to invoke Article 5, but I digress—Congress and the President decided that the proper response was to reorganize the government and place homeland security efforts under a single Cabinet secretary. While we may question the practical wisdom of that move, the intent was to ensure that the U.S. Government mounted a coordinated response to that specific threat.
Today Americans face the threat of fraud. Granted it isn’t as showy as burning buildings, but fraud clearly impacts many if not most of us. My financial identity has been compromised multiple times in the last several years, and yours probably has also.
But don’t expect Congress and the President to create a single Department of Anti-Fraud any time soon.
Because this is government-wide and necessarily complex, the bill will be referred to at least THREE House Committees:
“Referred to the Committee on Oversight and Government Reform, and in addition to the Committees on Financial Services, and Energy and Commerce, for a period to be subsequently determined by the Speaker, in each case for consideration of such provisions as fall within the jurisdiction of the committee concerned.”
“(9) The National Institute of Standards and Technology (NIST) was directed in the CHIPS and Science Act of 2022 to launch new work to develop a framework of common definitions and voluntary guidance for digital identity management systems, including identity and attribute validation services provided by Federal, State, and local governments, and work is underway at NIST to create this guidance. However, State and local agencies lack resources to implement this new guidance, and if this does not change, it will take decades to harden deficiencies in identity infrastructure.”
Even in the preamble the bill mentions NIST, part of the U.S. Department of Commerce, and the individual states, after mentioning the U.S. Department of the Treasury (FinCEN) earlier in the bill.
But let’s get to the meat of the bill:
“SEC. 3. IDENTITY FRAUD PREVENTION INNOVATION GRANTS. (a) IN GENERAL.—The Secretary of the Treasury shall, not later than 1 year after the date of the enactment of this section, establish a grant program to provide identity fraud prevention innovation grants to States.”
The specifics:
The states can use the grants to develop mobile driver’s licenses “and other identity credentials.”
They can also use the grants to protect individuals from deepfake attacks.
Another purpose is to develop “interoperable solutions.”
A fourth is to replace vulnerable legacy systems.
The final uses are to make sure the federal government gets its money, because that’s the important thing to Congress.
But there are some limitations in how the funds are spent.
They can’t be used to require mDLs or eliminate physical driver’s licenses.
They can’t be used to “support the issuance of drivers licenses or identity credentials to unauthorized immigrants.” (I could go off on a complete tangent here, but for now I’ll just say that this prevents a STATE from issuing such an identity credential.)
The bill is completely silent on REAL ID, therefore not mandating that everyone HAS to get a REAL ID.
And everything else
So although the bill claims to implement a government-wide solution, the only legislative changes to the federal government involve a single department, Treasury.
But Treasury (FinCEN plus IRS) and the tangentially-mentioned Commerce (NIST) aren’t the only Cabinet departments and independent agencies involved in anti-fraud efforts. Others include:
The Department of Homeland Security, through the Secret Service and every enforcement agency that checks identities at U.S. borders and other locations.
The Federal Trade Commission (FTC).
The Social Security Administration. Not that SSNs are a national ID…but they de facto are.
And that’s just one example of how anti-fraud efforts are siloed. Much of this is unavoidable in our governmental system (regardless of political parties), in which states and federal government agencies constantly war against each other.
What happens, for example, if the Secret Service decides that the states (funded by Treasury) or the FBI (part of Justice) are impeding its anti-fraud efforts?
Or if someone complains about NIST listing evil Commie Chinese facial recognition algorithms that COULD fight fraud?
Despite what Biometric Update and the Congresspeople say, we do NOT have a government-wide anti-fraud solution.
(And yes, I know that the Capitol is not north of the Washington Monument…yet.)