By Rachel Kronenfeld, Hg’s Manager of Investigations

In business, one often hears the classic query: “How did you hear about us?”  The ways in which people find a business have expanded over time, from word of mouth, the media, company websites, social media, or a phishing email. While all these forms of advertisement can be used to market a legitimate business, they can just as easily be used to market fraudulent businesses, even shell companies.

When a client comes to you wanting to know whether a business is legitimate, they may have an abundance of identifiers to provide you or maybe just a parcel of information, such as a friend’s recommendation, or a business card swapped on a flight between two seat mates. To help answer the questions about a real, or not real, enterprise, the investigative instinct is to gather more identifiers, ask more questions, and understand the purpose of the company for their investigation. Yet, sometimes that ready data isn’t available. To solve for lacking given information—and to stretch our critical research ability—we offer a fresh approach.

This approach reviews a variety of ways in which, despite being given limited information, you may be able to quickly determine if a company is a truly established business. Granted, when going into an investigation, the more information had ahead of time will allow for quicker fact checking. However, researchers are accustomed to working with little information, smaller budgets, and impossible deadlines.

In this 4-part series, we present four research routes when conducting due diligence investigations with little data on hand: Email, company website, social media, and business name. The following vet-by-data approach, handled by professionals, will give you an advantage to researching your client’s potential new lead. Last week we offered a Social Media checklist. This week, we provide the Business Name checklist to help you determine the possible legitimacy of a correspondence.

Business Name

Likely the most common identifier an investigator will receive is a business name. All businesses should be officially registered with local, state, or federal authorities. To determine if a business is registered, start by checking the Secretary of State filings if a United States company, or the equivalent, easily accessible public-record corporate registries if outside the United States. If a corporate registration search outside the United States is not a quick and easy one, you may choose to start your investigation elsewhere. If you are not sure in which state a U.S. company is registered, you can try some of the many free business search engines, such as or, to get an idea.

If you do have an idea what state the company is in, check and use its free search by state to locate the business filings. Don’t forget to consider fictitious business names. The name your client gave you is not necessarily the legal name of the company. Several states do have databases for searching fictitious business names, just one way to quickly determine the legal business name. If you can’t seem to find any business registration, additional due diligence can include searching the business with the Better Business Bureau (BBB) or credit report companies, such as Dun & Bradstreet. Further, some industries have regulatory bodies which require them to have certain licenses or certifications—often of public record. Naturally, if you find the company is not registered with any of the above, they are not a legitimate business.

If you do find that the company is properly registered, additional due diligence is still highly recommended. Why? Because unfortunately we have all seen a business legally registered, but not legitimate. Legal companies—or perhaps only certain people employed with those companies—can very well still be fraudulent.

In Sum

When performing due diligence on company legitimacy, remember that some red flags, such as those discussed in this article, may be more conclusive than others. The email text reported by several others as being a scam, or the business located at an empty lot with no contact information are some examples. Other red flags are not as conclusive, such as the possible fake social media reviews and followers. Keep in mind that this method may not always work. When conducting any investigation, it is always best to have several key findings, or the same key finding across several sources, before conclusions are made. If you are allotted the proper amount of time to conduct your research, full due diligence is recommended, which would require a much deeper research dive. While investigators love having an abundance of information to work with, we should not become reliant on having access to this information. It is important to stop to think about all of the information you can obtain from one piece of information.

Are you an analyst or investigator looking for advanced training on due diligence? If so, check out Hg’s webinar series, where you can attend live sessions and receive CEUs or watch previously recorded sessions to beef up your OSINT skills.


Are you interested in working with a company but unsure if it’s legitimate? As veteran investigators in due diligence, Hg understands the business world and the legal and regulatory frameworks in which corporations and privately held companies operate. Our skilled analysts excel at exposing financial risks, reputational issues, criminal activity, and legal actions detrimental to your personal and business stability. Learn how our team can arm you with the data you need.


Rachel Kronenfeld joined Hetherington Group in 2016 and is Hg’s Manager of Investigations and lead investigator. As a skilled and diverse analyst, she monitors current events and information on the Internet, identifies security threats, and conducts online risk assessment analyses for Hg’s clients. Ms. Kronenfeld conducts trainings for investigators and is a contributing writer to Hg’s newsletter, Data2Know. Her professional research specialty is Open Source Intelligence (OSINT) techniques.