As part of its continuing inquiry into digital intermediaries and public data usability, the Southwest Public Policy Institute (SPPI) conducted a real-world emulation of a common data aggregation process to assess the security and accessibility of the Rio Rancho Regional Chamber of Commerce’s (RRRCC) online membership directory.
Introduction
This report, Access Granted, examines the widespread public availability of chamber of commerce membership directories, specifically focusing on the Rio Rancho Regional Chamber of Commerce, and the mischaracterization by Rio Rancho Chamber CEO Jerry Schalow, who inaccurately portrayed third-party data aggregators as phishing scammers. Through a real-world emulation using basic artificial intelligence tools, the Southwest Public Policy Institute demonstrates how easily unsecured member data can be scraped and repackaged for resale.
Despite public warnings issued by chambers and amplified by organizations like the Better Business Bureau, the reality is far more mundane: these directories are poorly secured, built on outdated infrastructure, and exposed to basic automation. Rather than taking responsibility for these failures, chambers have scapegoated digital intermediaries who simply offer convenience, not deception.
This report aims to clarify the difference between malicious cybercrime and legitimate market activity, while calling for a more informed and technologically competent approach to data governance in public-facing institutions.
A Manufactured Crisis
The Rio Rancho Regional Chamber of Commerce (RRRCC) is not alone in its overreaction. Across the country, chambers of commerce have issued near-identical warnings about third-party solicitations offering member lists for sale. These alerts, often heavy on fear and light on facts, have been amplified by none other than the Better Business Bureau (BBB), an organization with a long and troubled history of posturing as a public watchdog while operating as a pay-to-play credentialing scheme with questionable accountability.
In a May 2025 article, Moody on the Market reported that the BBB of Michigan had issued a public warning to businesses about “phishing scams” involving chamber lists, citing examples in Livonia-Westland and Traverse City. The BBB flagged email domains such as @leadfocusdata.net as suspicious, declaring them unreliable while offering no substantive evidence of fraud, theft, or technical compromise. Most notably, Traverse Connect, one of the chambers involved, publicly confirmed that their member list is available to the public, meaning any “scam” involved merely repackaging what was already free.
The use of unfamiliar or alternate email domains is not, in itself, evidence of deception. In fact, it is a common and accepted practice in digital communications and email marketing. Even SPPI operates multiple domains, such as southwestpolicy.com, southwestpolicy.org, nmeducation.us, and nmenergy.us, to support issue-specific campaigns and email deliverability. This approach enhances segmentation, improves inbox placement, and allows organizations to manage reputational risk across distinct outreach efforts. To suggest that an email is fraudulent solely because it originates from a non-primary domain is both technically uninformed and dangerously misleading.
This trend reveals a deeper issue: a growing discomfort among legacy institutions with the very notion that public data can be efficiently aggregated, repurposed, or sold. Rather than acknowledge the porous and outdated infrastructure of their own digital operations, chambers of commerce, egged on by the BBB, have opted to create a moral panic around what is, in reality, a benign market function.
SPPI categorically rejects the framing of these solicitations as phishing. As outlined in our research and reinforced by real-world tests, what’s occurring is not deception, but disintermediation: third-party vendors are filling a service gap that chambers either cannot or will not address. Selling curated, spreadsheet-ready business directories is not cybercrime: it’s capitalism.
If these organizations are concerned about data being reused, the solution is not to demonize aggregators or redefine phishing to fit a narrative of incompetence. The solution is basic digital hygiene: secure the data, implement access controls, and modernize web standards. Anything less is simply misdirection.
What Phishing Really Is
To be clear, phishing is a serious cybercrime. It involves impersonation, deception, and manipulation, often through emails, phone calls, or text messages, with the intent of tricking individuals into divulging sensitive personal information, such as passwords, banking details, or Social Security numbers. This stolen data is then used to access accounts, commit identity theft, or conduct financial fraud.
Common phishing tactics include:
- Emails with urgent language demanding account updates or threatening suspension.
- Hyperlinks that disguise malicious destinations under seemingly legitimate URLs.
- Attachments containing malware or ransomware payloads.
- Spoofed senders that closely resemble trusted contacts or institutions.
For example, the first successful phishing lawsuit in the U.S. targeted a teenager who built a fake AOL login page to steal user credentials and withdraw money from victims’ accounts. Today, phishing has evolved into even more sophisticated forms like vishing (voice phishing) and smishing (SMS phishing), but the core ingredients remain the same: deceit, impersonation, and unauthorized access to sensitive data.
By contrast, what is being described in these chamber alerts is not phishing. No one is impersonating the Chamber. No one is seeking login credentials, payment details, or personal information through fraud. These are commercial solicitations offering access to aggregated business data, data that chambers themselves have made publicly available online.
To call this phishing is not only wrong: it’s reckless. It erodes public understanding of legitimate cybersecurity threats, and in doing so, weakens the very efforts needed to protect consumers from real digital harm.
Emulating the Scrape
Using publicly available tools and a basic AI-assisted Python script, SPPI demonstrated that any user with minimal programming experience could extract names, contact information, and business metadata from the Chamber’s member directory in minutes. The purpose of this exercise was not to redistribute data, but to show how easily third parties can automate access to information that is already public-facing and unprotected.
The basis for the script has been made available in a non-functional state as proof-of-concept.
import requests
from bs4 import BeautifulSoup
import csv
import time
base_url = "http://cca.rrrcc.org"
directory_url = f"{base_url}/AllMembers"
# Set up headers to mimic a browser
headers = {
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
}
def get_member_links(page_url):
response = requests.get(page_url, headers=headers)
soup = BeautifulSoup(response.text, 'html.parser')
links = []
for a in soup.select("a.MemberListing"):
href = a.get("href")
if href and "/web/" in href:
links.append(base_url + href)
return links
def get_member_data(member_url):
response = requests.get(member_url, headers=headers)
soup = BeautifulSoup(response.text, 'html.parser')
business_name = soup.find("h1", class_="PageHeader")
contact_info = soup.find("div", class_="col-sm-8")
name = business_name.text.strip() if business_name else ""
details = contact_info.get_text(separator="\n", strip=True) if contact_info else ""
return {
"Business Name": name,
"Details": details
}
def main():
all_members = []
page = 1
print("Scraping directory pages...")
while True:
paged_url = f"{directory_url}?Page={page}"
member_links = get_member_links(paged_url)
if not member_links:
break # No more members on the next page
print(f"Found {len(member_links)} members on page {page}")
for link in member_links:
print(f"Scraping {link}")
data = get_member_data(link)
all_members.append(data)
time.sleep(0.5) # Respectful delay
page += 1
print(f"\nWriting {len(all_members)} members to CSV...")
with open("rio_rancho_chamber_members.csv", "w", newline="", encoding="utf-8") as csvfile:
fieldnames = ["Business Name", "Details"]
writer = csv.DictWriter(csvfile, fieldnames=fieldnames)
writer.writeheader()
writer.writerows(all_members)
print("Done! File saved as rio_rancho_chamber_members.csv")
if __name__ == "__main__":
main()The Rio Rancho Regional Chamber of Commerce’s own public statement confirms that its member data is not sold, but also not secured. While the Chamber claims to prohibit mass downloads or bulk access, no meaningful technical controls back that claim. At the time of testing, the member directory was accessible via an antiquated and outdated HTTP setup lacking basic protections like HTTPS and HSTS (HTTP Strict Transport Security), exposing users to unnecessary cybersecurity risks, making the site vulnerable to man-in-the-middle attacks and web scraping. Moreover, there were no CAPTCHA protections, robots.txt directives, login gates, or anti-bot frameworks in place: these are tools that any organization serious about access control would have implemented.
Despite this, the Chamber sent a warning to its members on June 20, 2025, accusing a data vendor, Lead Focus Data, of perpetrating a “phishing scam” for offering access to a compiled version of the same membership list. The Chamber further implied criminal behavior, citing domain irregularities and reports from other chambers, while ignoring the most obvious explanation: that its own public website had simply been scraped.
The truth is far less scandalous. Buyers of these lists are not purchasing stolen data; they are purchasing convenience. The scraped list is a mirror of the same public information the Chamber makes freely available, but now delivered in spreadsheet-ready format, suitable for analysis, email segmentation, CRM uploading, and more. In this sense, data brokers, lead generators, and digital intermediaries are providing a value-added service, not committing fraud.
This mirrors the core thesis of SPPI’s latest white paper, Swipe Right: How Comparison Shopping Tools and Lead Generators Revolutionize Consumer Access to Products and Services. In that report, we argue that these intermediaries play an essential role in the digital economy by lowering search costs, facilitating transparency, and improving consumer and business outcomes alike.
Conclusion
The Chamber’s mischaracterization of this situation, conflating basic list aggregation with phishing, is both technically inaccurate and economically reckless. It diverts attention from the Chamber’s own failure to secure its directory and instead scapegoats digital actors that function legitimately within a free market.
We therefore offer the following conclusions:
- Together with other chambers across the country, the Rio Rancho Regional Chamber of Commerce’s member directory is public-facing, unsecured, and trivially scrapable.
- The so-called “phishing” operation was likely a standard data aggregation, sales, and marketing process, not a fraudulent or deceptive scheme.
- The Chamber’s public statement reveals a fundamental misunderstanding of cybersecurity, marketing technology, and public data practices.
- If the Chamber does not want third parties accessing or reselling its member list, it has full technical capacity to prevent it—and has simply chosen not to do so.
Until that changes, chambers of commerce across the country must stop blaming third-party data providers for exploiting vulnerabilities they refuse to fix. The responsibility for securing member data rests with the organizations who host it, not with the market innovators who repackage it.
The real problem isn’t that someone compiled the list—it’s that the Chamber left the door wide open, then blamed the messenger when someone walked through it. These chambers should do their homework, and their first assignment should be to look in the mirror.