Serbian Certificate Mill’s AB Mimics Official IAS Website, Logo to Sell Fake Certifications

A new fake certification body has popped up, this one being ICO Certi, suspected to be from Serbia but using a postal address from London to hide their origins.

ICO Certi sells a “cloud-based” documentation template kit, but then goes one step further and includes a final certificate, thus certifying their own work. Their services include ISO 9001, ISO 14001, ISO 45001, and the information security standard ISO 27001, raising suspicion about what, exactly, they do with your data after they get it.

The London address for ICO Certi resolves to a “virtual office” address but we found traces of their operations in Serbia and India. 

The company claims two accreditations. The first is by “IAACB”, which is a known fake accreditation body, but the “IAACB” claimed by ICO Certi appears to be a different one entirely, and one which doesn’t even exist.

The other accreditation is from the “International Accreditation Services for Certification,” or IASFC. This one is particularly interesting because it has a website that attempts to outright steal the logo and overall look of the actual accreditation body, IAS.

IASFC utilizes what appears to be a fake phone number, and the office address for NXenter, a web developer in New York’s “Koreatown.” Through a series of links, I eventually tracked the owner of NXEnter — and thus, maybe, IASFC and ICO Certi — to one Hamid Mahmood, who runs a self-promotional website called “Hamid the Pro.” Oh, and he insists he graduated from Harvard.

Meanwhile, the IASFC website claims to have a “register” detailing the “103 conformity assessment bodies” and that it has accredited in “180 countries,” but the webpage never actually presents any search function; in short, the register doesn’t exist. So you can’t verify that they’ve ever accredited anyone, nor is there any listing of staff or people working there.

Then there’s the web design, presumably by “Hamid the Pro.” Not only is the IASFC name similar to that of the actual accreditation body IAS, but the logo and web design are also nearly identical:

While I think a little schadenfreude is suitable here — the real IAS has built its empire on offering low-cost, bottom-of-the-barrel services, while using a name that is confusingly similar to the International Accreditation Forum (IAF), and is now being undersold by someone willing to go even lower — it still sucks. Someone from Serbia on LinkedIn wrote me and wanted me to file a complaint against the real IAS, because they were that confused between the two. It really is confusing, and only full-time accreditation nerds like me are likely to spot the difference.

So those shopping for cheap certifications from ICO Certi, fair warning: it appears to be an entirely fake operation bolstered by some mediocre websites, but without a single verifiable human being running any of it. Other than the Harvard grad website guy, of course.

---

UPDATE 14 March 2021: I received a curious, unsigned email from ICO Certi, trying to extort me. It offers me a partnership (“We can also cooperate with you. We selling all the world ISO Toolkits.”), but then threatens to sue me if I don’t agree. It’s a crime to threaten legal action against someone if they don’t accept your unsolicited demand for a partnership.

The email also claims that ICO Certi is owned by “Global Invest Holding” in the UK, and again repeats its address, not knowing that we already exposed it as a “virtual office” postal services company.

UPDATE 13 October 2021: I have now received an email from one company called Global Invest Holding in the UK, saying, “Global Invest Holding LTD is not owner of ICO Certi, and don’t know what is this.” So this appears to be another falsehood by ICO Certi.