Watch Out for Business Identity Theft, Especially if You Are a Small Business


By now, most of us are aware of the risk of personal identity theft that results in the misuse of credit card and social security numbers, banking information, or more ominously, medical identities.

Business identity theft is a growing concern. It is intended to defraud or hurt a business by creating or using a business’ identifying information without authority. Criminals pose as owners, officers, or employees of a real or fake business to illegally obtain cash or loans or make purchases. In other words, business identity theft is designed to impersonate the business and take fraudulent actions.

For example, criminals may use employer ID numbers or a business owner’s social security number to establish temporary office space and/or merchant accounts in a business name, or file fake documents with the Secretary of State’s office to change the business’ registered address or the names of directors or officers, and then open lines of credit and bank accounts or bill customers for money owed.

In fact, there has been a recent rise in business identity theft in general and a more recent rise due to the pandemic. As of June 2020, Dun & Bradstreet reported a 100 percent rise in 2019 compared to 2018, and estimated a 258 percent increase in 2020. https://www.dnb.com/perspectives/small-business/prevent-business-fraud-during-covid19.html

Why go after businesses? Isn’t it easier to target individuals?

One might think that businesses would be more sophisticated than individuals and have controls in place to catch fraudulent activity. But businesses are attractive targets for many reasons. 

First, compared to individuals, businesses may have larger bank account balances, easy access to credit and higher available limits. Business transactions may also receive less banking scrutiny. For example, a purchase of 50 laptops might raise a red flag on a personal credit card but not on a business account.

Business information is also readily available and may be afforded less regulatory protection. For example, employer ID numbers may not be as well protected as social security numbers. Moreover, business registration information is public. Criminals particularly target dissolved or inactive companies because no one is paying attention. Wrongdoers can easily use this information to create a shell corporation with a virtual or fake office location, website, and phone number. In addition, because business credit reports are meant to foster and promote commerce, they can be obtained by anyone and not just the business itself. These reports contain self-reported information, which makes them easier to manipulate.

Finally, businesses may have disgruntled or negligent employees with direct access to financial information and the ability to hide their actions. These employees may be subject to phishing attacks, especially now with so many working remotely, or may be careless in discarding information.

Why are small businesses especially at risk? Are large companies off the hook?

Compared to large companies, small businesses may have fewer security controls, with employees who have ready access to business information. Small businesses also tend to lack financial controls such as segregated duties, check authorization requirements, and audit protocols. Small businesses also lack name recognition. Thus, it is easier to pretend to be XYZ Corporation than it would be to pretend to be General Motors or Amazon.

But large companies should not be complacent. Companies that have grown quickly by acquisition may have varying levels of control and dormant corporate names that are ready for compromise. Larger organizations may also have bulk purchasing practices that allow criminals to make purchases while avoiding fraud detection systems. In addition, they may require vendors to agree to invoicing and payment terms that defer payments, which provides thieves with an opportunity to order and receive products and services and avoid early detection.

So, how can companies protect themselves against business identity theft?

From a privacy and security perspective, companies should use the same tools that are used to protect customer and employee data:

  • Antivirus software that is updated as necessary

  • Secure networks and encryption for sensitive information

  • Strong passwords and multi-factor authentication

  • Limited access to sensitive business information along with role-based access procedures

  • Controlled physical access to facilities

  • Locked cabinets and clean desk policies for paper records

  • Proper disposal of sensitive business information through shredding

  • Training and awareness campaigns

  • An up-to-date cybersecurity response plan

From a finance and business perspective, companies should consider the following steps:

  • Regularly obtain and monitor business credit reports from Experian, Equifax, TransUnion, and Dun & Bradstreet.

  • Check business filings with your Secretary of State’s office at least annually.

  • Implement procedures to monitor accounts and bills and watch for missing bills and statements.

  • Monitor IRS notices that may pertain to fictitious employees, closed or dormant businesses, and amended tax returns.

What should I do if my company is a victim of business identity theft?

Despite our best efforts, things happen. If you know or suspect that your company is a victim of identity theft, there are a number of actions that you can and should consider:

  • Conduct an investigation to determine what happened and take steps to remediate any damage. Make sure to involve the appropriate personnel or departments including Legal, Compliance, IT, Security, HR, Operations, and Finance. Consider attorney-client privilege issues as you would with any investigation or data breach.

  • Review insurance policies for coverage, especially if a cyberattack was involved. Make sure to report the matter to your carrier on a timely basis.

  • Report the theft to your financial institution and any other financial institution involved.

  • Place a fraud alert on your business credit reports (see list of companies above).

  • Consider government reporting which may include:

    • Filing a police report

    • Submitting a complaint with the Federal Trade Commission at https://www.identitytheft.gov/

    • Reporting the theft to the IRS and your state revenue department

    • Correcting business records on file with the Secretary of State’s office as necessary

    • Filing a complaint with the FBI’s Internet Crime Complaint Center if a cyberattack, business email compromise, or ransomware was involved. https://www.ic3.gov/

Has this happened to you? Let’s spread the word.