Greg Corombos: Hi, I'm Greg Corombos. Our guest in this edition of Expert Insights is Andrew La Marca. He is the Director of Fraud and Compliance at Dun & Bradstreet. He's also a leading expert on business identity theft, which is a rapidly growing threat. Today we're going to explain what business identity theft is, how it often works, how to protect your business, and what to do if your business does become a victim. And Andrew, thank you very much for being with us.
Andrew La Marca: Thank you, Greg, it's a pleasure to be with you here today.
GC: We hear about personal identity theft all the time. A bad actor gets your social security number or some other sensitive data and opens accounts in your name. And before you know it, you're bankrupt and all sorts of other financial nightmares. But what exactly is business identity theft?
ALM: Great question, Greg. And really no different than exactly what you stated. Just flip the actual victim around. So, I view it as the same thing, right? A business has its own identity. A bad actor can leverage that business identity for illicit gains. And Dun and Bradstreet usually sees business identity theft…Oftentimes, we find an individual at the business, whether it's a small to medium sized business, or even an officer at a fortune 500 company, is also a victim of identity theft. That bad actor will learn and study the information about that individual or the officers of the business. They then will sometimes make changes and/or compromise a business registration at the registrar or Secretary of State level. These changes could be adding/deleting principals, changing the address. Maybe reactivating the company if it was dormant for a period of years. Then they, the bad actors, will go ahead and attempt to associate [it] to a DUNS number. And then they go shopping. When we say go shopping — whether that's credit, goods, or services — and then the debt is then left underneath that good company name.
GC: Let's dig into that a little bit further. What information most of all is compromising to me and helpful to the bad actor?
ALM: What's helpful to the bad actor is a lot of the data… So, there's a lot of data out there already on a business, right? Several Secretaries of State that come to mind have a lot more information than others. So as a bad actor, I can study and learn about the history of a business. Who are the officers? What was their previous address? Maybe it was a business that was operating from a residential address. Maybe it was the officers’ home address? So to know enough information about that business, gives them a leg up to be able to know “what else do I need to find out about that business”. Right? Maybe who are their vendors and who are their clients? Who are their suppliers, that they can go ahead and target, whether it's business email compromised, whether it's a bill-to, ship-to scam, or whether there's a straight compromise in a business registration. I'm going to be committing a bust-out fraud through it. All could be the end game. But what they're doing is they're learning enough information about that business and its owners to then be able to transact as that business.
GC: How big of a problem is this becoming nationwide or worldwide?
ALM: It's a global problem, Greg. You know, fraud is not just U.S.-focused, you know. And that's just business and consumer base, right. But in the context of business identity theft, it's a global problem. In 2018, Dun and Bradstreet observed a 26% increase in business identity theft. That's where our team of Certified Fraud Examiners had identified businesses that were indeed victims of identity theft, and we've confirmed it. In 2019, we saw a 106% increase from 2018. And then in 2020, following along with the COVID-19 pandemic, we saw a 254% increase in business identity theft. And those numbers have slowed, obviously, because the availability of funds has diminished here. But we are still seeing numbers that are well over 2018, 2019 numbers. And we're kind of level setting here as far as what the new normal looks like.
GC: So while some people used the pandemic time to figure out how to cook better or take up a new hobby, these people spent time trying to figure out how to rip everybody off. Due to your research, it looks like the U.S. is far and away the most common place where this happens. Is that because we're a target rich environment and all the businesses and successful establishments that we have? Or is there something we're not doing that makes us more vulnerable?
ALM: The data that we're displaying here about businesses in the U.S. is that's where a large focus of our Certified Fraud Examiners is. But specifically, going back to what we previously were just speaking about, how it's a global problem. But to your question specifically, you have the availability of data. There is a lot of open data at state levels, even data aggregators, that display business information that make it easy to start a business, to make changes to a business registration, and then to transact underneath that business. And, it just makes it easier for fraudsters to be able to do it. It's also more appealing. Business fraud is harder to catch. And it's also 10 times more costly to organizations. You think of a business. They're likely going to get approved for a purchase order for $50,000, $100,000. It's normal to transact in those volumes. From a consumer to get a $50,000, $100,000 credit card at the get go, it's harder, right? So you have a lot more data available. And it's easier to commit business identity theft, and it's easier to get away with it.
GC: Last question on the frequency of this. It also appears, from your data. And this again, may just be the clients that you have. But it seems like Florida is by far and away the state where this happens most often. Any particular reason for that?
ALM: Our belief here is, Greg, is that the data that is available about businesses in Florida is one of the drivers behind why we see the most victims of identity theft. You could go to the Secretary of State's website and be able to know and see every single filing that took place for a business. You know, who filed it, when they filed it, how they filed it. Sometimes going back years and years and years. They even populated telephone numbers. So a bad actor can study that, can download that. They then can maybe even alter those Secretary of State documents and submit them as proofs of rights. So you have the availability of data to be able to be used and leveraged to commit business identity theft. And you see that for all the organizations that have filed for a business in that state.
GC: We're speaking with Andrew La Marca. He's the Director of Fraud and Compliance at Dun & Bradstreet. He is also a leading expert on business identity theft. And Andrew, how does the business owner even find out they've been compromised?
ALM: Yeah, it could vary. It could really get really bad. You could have law enforcement contact you, and say, hey, you know, what's going on here? Several people found out, as it's published in the news, that [they] were victims of identity theft through government relief programs. They had liens placed against their individual identities, and they didn't know anything about what was going on. So you could find out from a lien. You can find out from law enforcement. You could find out from bills maybe starting to be received at your operating address. You could also be looking at your Secretary of State filing, and when you're doing your annual report, if your state requires it, you might notice there's been a change. The state might tell you. Your clients, your vendors, your suppliers might tell you. So it could come from various sources. And it can even come from Dun & Bradstreet as we have a team of Certified Fraud Examiners that goes ahead and alerts all of our clients of companies that we indeed confirm as victims of identity theft as well.
GC: Let's talk a little bit about ways to prevent yourself from becoming a victim. What tips do you have in that department? And is there a good way for business owners to keep tabs on whether or not someone is opening things in their name without their permission, obviously?
ALM: Have contact and communication with your vendors and suppliers. Make employee training a priority. Spreading the awareness of business identity theft is also a top thing that companies should be doing. But they should also be proactive. When we go out and we obtain credit on our personal credit…social security numbers, we're constantly monitoring our consumer credit report for accuracy or integrity to see what our scores [are] so we can celebrate that month. You know, how high did our score get this month? But businesses need to start doing that themselves for their own business credit reports. And that also looking at their annual reports of where they're incorporated in. Checking it early, checking it often, filing on time. If you may have filed your paperwork late, a bad actor could be watching and trying to jump in there ahead of you. Apply the appropriate level of friction, right, whether it's friction or frictionless. And then lastly, you know, and I just said it, but it's also being proactive. You have to be proactive. You can't be sitting there waiting. Go out there. Talk to who you do business with. Ensure that they have all the correct information. Watch your stuff, train your employees, and then lean to the experts who can help you and your businesses mitigate against this risk.
GC: From what you've seen Andrew, is this primarily the type of fraud that's perpetrated by outsiders, or is there a significant percentage that's done by people inside the company?
ALM: Dun & Bradstreet tends to see more coming from external influencers rather than internal influencers. It doesn't say that it doesn't happen, it’s just what we see is we see more coming from the outsiders who are leveraging the availability of data. Whether it's on the open web, or the dark web, or the deep web to help facilitate their schemes that commit this business identity theft.
GC: This might go beyond your purview. But obviously, business information is public. But are there things you would recommend either for state officials or some other level of authority in order to approve this, this you know, opening a new account or approve whatever the fraudster wants to do? It's got to go through more layers of security that hopefully that fraudster wouldn't be able to get through without exposing themselves as not the real business owner.
ALM: And I understand. There's a happy balance to play. You’ve got to find that happy medium. What makes the most sense for the state in order to generate revenue and have businesses be attracted to incorporate in their state. But I think it's also [at] the same time…is that people that are operating in their business and that state, they’re constituents. They also want to feel that their data and their businesses are protected, right? So find that happy balance, apply the right level of friction. Do you know who is coming into your front doors via your website? Are you looking at device fingerprinting? Are they coming in from a different country and filing for multiple businesses within your state? Do you have any anomalies? Are you looking at machine learning, artificial intelligence, regarding what is happening? And you can do that in real time by leveraging technology as well. So it's about finding that happy medium, and then also leveraging experts. And I'll make a plug here for Dun & Bradstreet. With a team of Certified Fraud Examiners, we absolutely can help states mitigate against business identity theft.
GC: Explain how you do that a little bit.
ALM: Yeah. So we have over 60,000 data sources that Dun & Bradstreet ingests as part of our data program. And we can identify signal data for when business may be active, inactive, or maybe victims of identity theft. And that team of Certified Fraud Examiners is looking for changes proactively and monitoring what is going on to try to identify if a business is indeed a victim of identity theft. So we can alert clients and states that business may be the victim of identity theft.
GC: Andrew, just a couple minutes left in our conversation here. We've talked about the scope of the problem. We've talked about how to prevent it as best as you can. But it still happens to some folks. So if you discover that your business has been compromised, what do you do? Who do you contact to start putting the pieces back together?
ALM: If you're a business that has been indeed a victim of identity theft, and maybe somebody…you've received a letter in the mail saying that you owe X dollars. Contact that company, let them know that you've been a victim of identity theft. You might want to engage outside counsel, if you haven't already, and maybe file a police report. Obviously file a report on ic3.gov, which is the FBI’s Internet Crime Complaint Center. It's a good way for the FBI to be able to track all that's going on. Let the business credit bureaus know. So that way clients of them can be alerted and know that if somebody else is transacting underneath your business, that they are doing their part to help mitigate against any future occurrences. And then also, from that point moving forward, be proactive as much as you can, and close the loop on any gaps, especially with training and security, the risks that a company might have.
GC: And lastly, and this probably varies from case to case, but are these things easy to trace and fix once you realize you've been victimized, or is it a logistical nightmare?
ALM: It can be. It depends upon the complexity of what has actually occurred. So it varies case by case very much.
GC: Andrew, where can folks learn more about what you do and maybe seek you out if they need that help?
ALM: Yeah, absolutely. So Greg, it was a pleasure to speak with you today. I hope the audience learned something. You can feel free to contact me on LinkedIn. My name is Andrew La Marca. You can also email me at [email protected] or you can even contact dnb.com or potentially your sales representative to get in contact with us and see how we can help you out.,
GC: Fantastic. A ton of good advice that will hopefully lead to fewer businesses and business owners being victimized. But also good advice on what to do if that does unfortunately happen. Andrew, fantastic conversation. Thanks very much for your time today. We really appreciate it.
ALM: Thank you, sir. Take care.
GC: Andrew La Marca is the Director of Fraud and Compliance at Dun & Bradstreet. He's also a leading expert on business identity theft. I'm Greg Corombos reporting for Expert Insights. For more information on this topic, please call CT Corporation at 844-787-7782
Why formal entity dissolution and withdrawal is a critically important safeguard to business identity theft
Nine tactics to guard your business identity
Business identity theft is a big threat to small business