Protecting against business identity theft
This article covers: |
Each year, business identity theft can be blamed for millions of dollars in losses to large and small businesses alike, though small businesses are often more vulnerable to this type of risk. Unlike larger corporations, small businesses don’t always have the required security controls in place to detect and deter fraudulent activity, which can make them easier targets. There is also a general unawareness, among large and small businesses alike, of the magnitude of the threat and the devastating effects that business identity theft can have.
What is business identity theft?
Many tend to associate identity theft with the theft of a Social Security number or credit card information. Business identity theft occurs when criminals assume the identities of business owners, officers, or employees to fraudulently obtain cash, credit, and loans, leaving the victimized business with the debts. Another example of business identity theft is when a fraudster files bogus business tax returns with the IRS to receive refundable business credits.
Apart from the direct costs associated with business identity theft, businesses may also have to deal with legal consequences, such as defending their patents, copyrights, trademarks, or other intellectual property in court.
What information are business identity thieves after?
Business identity thieves will use key business identifiers and credentials — such as officers’ names and other personal information or your federal tax employer identification number — in order to manipulate or falsify state business filings and impersonate the business in other ways. Armed with this information, criminals can open a line of credit, obtain better terms with vendors, or apply for a loan. And, business credit cards, with credit limits of up to $150,000, provide another avenue for thieves to make purchases at the expense of small businesses.
We keep compliance simple
Stealing a business identity or creating a new one is easy
Criminals can capitalize on the abundance of information made available to the public online. State laws require the public disclosure of proprietary business information. This might include annual reports, management and personnel information (including names and addresses), employee identification numbers (EINs), and sales tax and business numbers.
This information and more can also be purchased legally through the internet. Often, an application for a line of credit is approved based on public and recycled information found on the web.
Identity thieves are also leveraging the latest advancements in artificial intelligence (AI), such as large language models (LLMs), to enhance and automate their efforts.
Examples of tactics used by identity thieves
Today, criminals are using more sophisticated ways to impersonate and defraud businesses. While emulating a company’s letterhead, or sending fake correspondence were commonly used methods in the past, other more advanced tactics are continuing to emerge. Examples include:
- Phishing/spear phishing. Emails and text messages that look and sound authentic (such as an email supposedly from your bank asking you to verify your account information) and often contain graphics stolen from the company from which the message claims to originate; these try to get staff to click through so that they can gather information. There is also “spear phishing”, a more targeted approach where messages are specifically tailored to an individual or groups within a company. Criminals are increasingly using AI to make their phishing scams more convincing.
- Data breach. Criminals may gain access to sensitive information through human error, outdated software, and other security vulnerabilities.
- Malware and ransomware. Either may be introduced through phishing emails, download from malicious websites, software vulnerabilities, an infected USB drive, or other means.
- Impersonation. Criminals may pose as an executive by gaining unauthorized access to an executive's email (hacking) or by spoofing their email address. They will then send a message to the finance team asking for a last-minute wire to a foreign bank account. Another tactic is to make changes to a business registration at the registrar or Secretary of State level. Criminals might add or delete principals, change an address, and so on. From there, they can set up a line of credit or engage in other fraudulent activity.
- Unsecured Wi-Fi: A bad actor may plant an unsecured Wi-Fi hotspot in or around an office with the expectation that an employee will connect to it by mistake. This leaves their system vulnerable and makes proprietary information visible.
- Dumpster diving: Dumpster diving remains a prevalent tactic employed by criminals. Identity thieves scour through personal waste and public refuse containers in search of confidential data.
Failure to dissolve introduces risk
Improper dissolution of a business increases the risk of identity theft. Criminals search for inactive or suspended corporations on government websites and can easily revive or reinstate them.
How to prevent and detect business identity theft
Take a proactive approach and educate yourself and your team to prevent business identity theft. Consider these steps.
Educate your employees about phishing
Phishing emails and text messages are used to gather personal information or install malware. Sophisticated phishing techniques make these communications hard to differentiate from legitimate ones. Make sure your employees know what red flags to look for when they receive an email or text. Examples include bad grammar and spelling, mismatches between an email sender’s name and address, strange attachments, and links to unrecognized sites. Phishing messages will often create a false sense of urgency in order to compel immediate action.
Stay on top of computer security updates
Companies should be installing the latest security programs designed to detect and prevent malicious computer hacking and cyber-attacks. They should also be taking steps to keep laptops and mobile devices secure.
File your annual report on time
Missing an annual report deadline can expose your business to risks, including identity theft. Many deadlines are tied to the date you formed your company, rather than coinciding with tax filing deadlines, making them easy to overlook. This is especially true if you operate in multiple states, each with its own due date, increasing the likelihood of missing one.
Check the Secretary of State website regularly
Stay on top of any changes to your business registration information by looking up your business on your Secretary of State’s website regularly or signing up for email alerts if available. This way, you can see if any unauthorized changes have been made (such as changing your business address) and immediately report and reverse the fraudulent activity.
Keep state-required information up to date
Most states require a filing if the company changes its name, method of management (for an LLC), number/types of stock authorized (for a corporation), or its registered agent. Many also require notification if the principal officers or business address changes. Keeping this information updated helps ensure you receive notifications from the state - and sends a message to would-be thieves that you are paying attention to the details.
Following IRS procedures to protect business
In an effort to fight the fraudulent tax return aspect of business identity theft, the IRS will be on the lookout for any filing inconsistencies or falsified information. Be prepared to provide the following:
- Name and SSN of the person signing the return: This will verify if the individual is a legitimate employee or trustee of the corporation
- Previous payment history: This return should be consistent with prior ones to reassure the IRS that this is not a random request made by someone looking to defraud the company
- Filing history: Be sure to complete all relevant tax forms and not solely the return. This helps prove that the person signing the return is a representative of an actual corporation and not just a singular person
Check your credit reports regularly
Whether through Dun & Bradstreet or a major credit bureau, you should be monitoring your credit activity on a regular basis to detect and address any suspicious changes. You can also request to receive email alerts from the top credit agencies.
Keep up with business identity theft trends
Technology changes and evolves quickly, so it’s important to be aware of the latest trends in business identity theft. Many states will also provide information, including alerts for recent scam-related activities, on their secretary of state websites.
Additional strategies to prevent business identity theft
- Encrypt sensitive files and emails with strong passwords.
- Educate your staff on cybersecurity best practices to enhance overall security.
- Safeguard your EIN (employer identification number), account numbers, and other sensitive information. Employ access control to manage who can view sensitive information.
- Consider placing fraud alerts on your business bank and merchant accounts to detect and prevent unauthorized activities.
- Shred or destroy sensitive data on old hardware.
What to do if your business identity has been stolen
If you suspect that your company has fallen prey to business identity theft, prompt action can mitigate the extent of harm to your business. Here are some initial steps you should take.
- Inform your bank, credit card issuers, and other creditors of potential business identity theft and inquire if they have received any anomalous charges or orders from anyone claiming to represent your business.
- Request copies of documents or emails used by the perpetrators to unlawfully access or create accounts under your business's name.
- Notify Dun & Bradstreet, Equifax, Experian, and other credit reporting agencies.
- Notify local and state law enforcement.
- Talk to your attorney and insurance company.
Conclusion
As the threat of business identity theft is not going away anytime soon, it is important that businesses, both small and large, recognize the real risk that identity theft poses, and take the necessary precautionary measures to prevent serious financial loss and other damages.
Read the related articles:
The rising risk of business identity theft: Why formal entity dissolution and withdrawal is a critically important safeguard