Stamping Out Engineering Fraud

To view the figures and tables associated with this article, please refer to the flipbook above.

As professional services are now being sold on online marketplaces, a new form of professional fraud is emerging. Licensed engineers are discovering that their names, license numbers, and professional identities are being used without their knowledge to produce and stamp design documents. While digital signatures and electronic authentication laws exist, inconsistent adoption and enforcement have left significant gaps in the system. This article explores a real-world case of engineering impersonation, examines why current safeguards are falling short, and argues that protecting the public and the industry will require more than technology alone.
Last year, someone at my firm brought a website to my attention. It was a gig-economy website specifically for professional services. Unlike platforms like TaskRabbit, which connects people with gig contractors willing to assemble furniture or mount a TV to a wall, this service aims to connect people and companies with professionals willing to do “white-collar” freelance work like programming, graphic design, digital marketing, or architecture and engineering services.

The colleague who brought this to my attention had discovered that his license was being fraudulently used to sign and seal structural drawing and calculation packages. He found this out when he received a call from a contractor trying to get a question answered about project documents. For a project that my colleague knew nothing about.

This wasn’t a case where they had lifted my colleague’s signature and seal from a set of drawings. The scammer simply obtained his name and license number from the state board’s website, made their own digital stamp, and added a messy signature that had no resemblance to my colleague’s.

When the contractor attempted to get a hold of the individual he thought he hired, and could not reach anyone through the website he had originally used, he went to Google and found the name he was looking for on our company website and found the real engineer instead. After the initial confusion and concern, they reached out to the local authority having jurisdiction and the state board to report the issue.

After the board’s investigation, it was determined that the homeowner, the contractor, and my colleague were all victims of fraud (i.e. it was not determined that the contractor was complicit or had reason to know that he was procuring illegitimate engineering services). By the time the investigation started, the scammer no longer had an account or persona on the platform. My colleague eventually found out that this scammer had fraudulently used his license number for a couple of other projects before disappearing. It is possible that the actual number of projects completed with his license number could be much more than what was discovered.

Unfortunately, this is not a unique story, and it’s something that states are being watchful of and are putting out communication about. Code officials that I work with in Ohio reported similar stories. The Alabama State Board for Licensure for Professional Engineers and Land Surveyors has a Fraud Alert notification on their home page. The notification highlights the rise in online scams where individuals impersonate licensed engineers and provides tips for identifying warning signs of fraudulent practices. The Oregon State Board of Examiners for Engineering and Land Surveying’s latest newsletter includes a “Protect the Public & Be Aware” notification describing this issue, and providing recommendations for engineers.

A technology solution already exists: Require the use of digital signatures by designers to confirm documents are valid and require the use of a trusted certificate authority to confirm the person signing and sealing the documents are who they say they are. In fact, almost all states already have laws like the following in the Ohio Administrative Code:

Rule 4733-23-01 Paragraph D
Plans, specifications, plats, reports and all other engineering of surveying work product bearing a computer generated seal and electronic signature and date shall have an electronic authentication process attached to or logically associated with the electronic document. The electronic signature must be unique to the person using it; capable of verification; under the sole control of the person using it; linked to a document in such a manner that the electronic signature is invalidated if any data in the document is changed.

Some states are more explicit regarding digital signature requirements, and some are more vague, but in general, states require that electronic or digital signatures meet some combination of the following requirements.

Digital signature technology is not new, and the Ohio law referenced above requiring the use of digital signatures is nearly 20 years old. However, except for a few states, this technology is still not universally adopted in practice, nor is the law universally enforced by building departments.
Any individual can self-sign their own certificate to create a digital signature, but this alone wouldn’t prevent someone from using someone else’s identity to digitally sign a document. You still need to ensure that the person signing the document is actually who they say they are.

One way for this technology to work is to require identity verification through a trusted Certificate Authority. Purchasing these certificates from a Certificate Authority can cost anywhere from $90 to over $700 per year per certificate depending upon the Certificate Authority and type of certificate required. While this might be expensive, I don’t necessarily believe the barrier to adoption is the cost.

I think the lack of adoption is because the process is complicated. It requires the recipient of the digitally signed documents to agree that the Certificate Authority is trusted. That means the recipient has to have the appropriate root certificates installed on their computer. While some root certificates are pre-installed on most computers, others may require a manual user installation. This may require the plan reviewers at the building department to both have the authority and the capability to manually install a root certificate into their computer’s trust store.

Alternately, to avoid requiring staff to install root certificates on their computers, authorities having jurisdiction (AHJ) could simply dictate which Certificate Authorities, and types of certificates are permitted. In either case, this can create some additional confusion if different states and AHJs adopt different requirements.

Assuming all parties can get on board with similar standards and enforcement for digital signatures, a valid signature on the document will have a have a green checkmark or similar symbol that indicates that signature is valid. Clicking on the signature will provide additional meta-data validating when, where and by whom the document was signed.

Working with digitally signed documents still has its challenges. Changes made to the document after a digital signature is applied will remove the green checkmark and replace it with a warning symbol letting the user of the document know that the document has been modified.

odifications that trigger this warning might include combining PDFs from different disciplines into a single document, or the application of an additional digital signature by another licensed professional, or the application of a stamp by the AHJ itself. Despite state law that required the use of digital signatures for electronic plan submittal, in one case an AHJ’s own electronic submittal instructions actually prohibited the use of digital signatures specifically because it interfered with how the AHJ internally processed PDFs after they received them.

Design firms that work in municipalities and states such as Florida that do enforce their own digital signature laws have managed to make it work. It isn’t a simple or straightforward solution, but it can work if all parties agree to implement it.

I believe two things have occurred in recent years that have resulted in the recent surge in engineering fraud.

To give you an idea of what’s out there, one freelancer on one of these sites, whose bio indicates they are from the UK, offers architectural and structural engineering stamps! Their instructions and online order form state the following:

You can compare their packages in Fig. 1. It costs $100 for stamping up to five pages, and $500 for stamping up to 20 pages with expedited delivery and additional revisions.

Rule 4733-23-01 paragraph B of the Ohio Revised Code states that “Each registrant is charged with the safeguarding of their personal seal.”

Had my colleague only ever produced work using digital signatures and ensured that his personal seal and digital signature were adequately safeguarded, it would not have prevented the fraudulent use of his license number (which is publicly available on the state’s license lookup website). The building department that permitted these documents, like most others in the state, was willing to accept drawings that didn’t meet the state’s digital signature requirements.

I don’t think the problem is the lack of safeguarding of engineer’s seal, or necessarily the lack of a digital signature. The problem is some individuals are willing to defraud others by offering plan stamping services. In some cases, we are asking the general public to be able to identify legitimate engineers from people offering plan stamping services and committing fraud.

In my colleague’s case, the public was put at risk because their contractor hired an “engineer” that the contractor didn’t know and didn’t verify was licensed and qualified to do the work they offering to perform. This fraud was committed before plans were issued for permits. Some level of research and vetting could have prevented this fraud well before it would be identified by a lack of a digital signature on the permit plans.

That is exactly what Engineers Nova Scotia is proposing. Engineers Nova Scotia created a public social media campaign titled “Verify Before You Hire” (Fig. 2). As part of Engineers Nova Scotia’s “Verify Before You Hire” program, members of the public are encouraged to contact the regulator before hiring an engineer to confirm that the individual is properly licensed. Where necessary, Engineers Nova Scotia can also verify the registered engineer’s contact information, allowing the public to confirm that they are dealing with the licensed professional. There has been national interest from Engineers Canada, and internal discussions are underway regarding the development of a national fraud awareness campaign. The goal of this program is not only to protect the public from risk associated with work being performed by unregistered and potentially unqualified engineers, but also to protect the public from the costs associated with being defrauded before plans are submitted for review.

The engineering and architecture community has some catching up to do in order to be compliant with state laws requiring digital signatures and seals on drawings and documents. Consistent digital signature workflows and enforcement is necessary when operating completely digitally with unfamiliar consultants. But submitting documents for permit is the last step in the fraudulent impersonation of an engineer or architect. Catching fraud at this point protects the public from a potentially unsafe design provided by an unlicensed individual. Stopping fraud before the unlicensed individual is hired would protect the general public and the consumer. ■

About the Author

Marshall Carman, PE, SE is a structural engineer in Cincinnati, Ohio. He currently serves as Technical Director for Schaefer.