Identity theft is a serious problem—not just for individuals, but for businesses as well. Last year almost 16.7 million individuals were victims of identity theft. There was also a 46 percent increase in the number of reported cases of business identity theft, according to the National Cybersecurity Society (NCSS).
“Small business identity theft—stealing a business’ identity to commit fraud—is big business for identity thieves,” says Mary Ellen Seale, CEO of NCSS.
Unlike larger corporations, small businesses don’t always have the required security controls in place to detect and deter fraudulent activity, which can make them easier targets. There is also a general lack of awareness, among large and small businesses alike, of the magnitude of the threat and the devastating effects that business identity theft can have.
What information are business identity thieves after?
Business identity thieves focus on stealing key business identifiers and credentials—such as officers’ names or your federal tax employer identification number—in order to manipulate or falsify state business filings and impersonate the business in other ways. Armed with this information, criminals can open a line of credit, obtain better terms with vendors, or apply for a loan. And, business credit cards, with credit limits of up to $100,000, provide another avenue for thieves to make purchases at the expense of small businesses.
Stealing a business identity or creating a new one is easy
Criminals can capitalize on the abundance of information made available to the public online. Businesses are required by law to publish sensitive details, which may include financial statements, stakeholder information, and key identifiers such as employee identification numbers, and sales tax and business numbers.
This information and more can also be purchased legally through the internet. Oftentimes, an application for a line of credit is approved based on public and recycled information found on the web.
How identity thieves operate
Today, criminals are finding more sophisticated ways to impersonate and defraud businesses. While emulating a company’s letterhead or sending fake correspondence are commonly used methods, other more advanced tactics continue to emerge. Some of these include:
Phishing scams—e-mails that look and sound official, and often contain graphics stolen from the company from which the message claims to originate; these try to get staff to click through so that they can gather information.
Hacking into an executive's email and sending fake emails to the finance team asking for a last-minute wire to a foreign bank account.
Planting an unsecured Wi-Fi hotspot in or around an office with the expectation that an employee will connect to it by mistake. This leaves their system vulnerable and makes proprietary information visible.
Stopping business identity theft
Most states have criminal statutes that only recognize identity crimes against individuals. In 2006, California became the first state to establish identity theft laws that officially recognized crimes targeting business entities. Effective October 2015, Florida implemented a new law that provides businesses the same protection as individuals when it comes to identity theft.
So, what does this mean in terms of managing the investigation and prosecution of inter-state and business identity crimes that fall under federal jurisdiction? As is the case with state laws, the statutory language contained in federal identity theft laws does not include business entities, making it extremely difficult to prosecute inter-state crimes.
As it appears the threat of business identity theft is not going away anytime soon, it is important that businesses, both small and large, recognize the real risk that identity theft poses, and take the necessary precautionary measures to prevent serious financial loss and other damages.