Business Identity Theft: Risks and Prevention
Cyber criminals steal business identities, increasingly targeting recently defunct entities that perished in the pandemic. Business identity theft occurs when a company or individual presumes the identity of another company, often using the victim's Employer Identification Number (EIN) and state charter or registration number.
Unfortunately, it is not just faceless criminals perpetrating fraud. Internal business fraud is equally, if not more devastating, as employees with trust and account information can slowly but strategically steal, embezzle, bribe, cause insurance fraud, or perpetrate tax fraud.
Whether emanating from inside or outside of a company, common types of business fraud include the following:
1. Fraudulent business registrations/filings.
2. Stolen EINs for tax fraud (such as re-directing refunds).
3. Manipulating credit reports.
4. Banking fraud.
Scarier than the four examples listed above are when bad actors assume and misuse the identity of the business owners and officers; monitor and surveil physical business locations; commit intellectual property theft; and create shell corporations for theft rings.
During the early days of the COVID-19 pandemic, many cyber criminals assumed the business identities of actual medical supply companies to elicit sales of necessary personal protective equipment. Tricking customers into believing that the criminal supplied N95 masks, the criminals accepted purchase orders and payments and then disappeared. Customers would complain about the real company, which was victimized and mimicked by the criminal, creating legal fiascos and economic losses for the customers and victimized companies alike.
For over-confident readers, it is not difficult to find any entity’s EIN. Every state has an individual Secretary of State’s office, which either for free or a small fee, will provide any requesting party a copy of a company’s incorporation paperwork. Such records contain the names of founders and officers, as well as charter numbers, and dates of incorporation or formation. Additionally, tax returns for non-profit organizations are available online for free, which contain EINs. EINs belonging to for-profit organizations may be found in public records, such as publicly filed leases or property sales, as many recordation services only recently ceased requiring social security numbers and EINs on such filings.
Aside from just general money loss, additional risks associated with business identity theft are as follows:
Personal Liability: Prior to 2009, businesses could secure loans, leases, and lines of credit without personal guaranties from business owners and officers. Accordingly, cyber criminals will forge the personal guaranties using the names of the individuals found on state incorporation records.
Destroying Personal and Business Credit Scores: Once loans and lines of credit come due, or purchases are not fulfilled, bills will go into collection and negatively impact credit ratings. Further, reduced income caused by negative reviews fueled by unfulfilled purchases will worsen credit issues. Legitimate loans or lines of credit may then be exponentially more difficult to obtain.
Regulatory Consequences: Negative reports or complaints to local Better Business Bureaus or the inability to tender quarterly tax payments may create legal liabilities, fines, and interest payments.
Taken together, it is unsurprising that business failure may follow.
Here are 5 simple tips to prevent business identity theft, either as a direct or secondary victim:
Invest in a credit monitoring service for the business and each of its publicly registered officers. Alternatively, freeze credit when not necessary. Beginning in September 2018, federal law required Experian, Transunion, and Equifax to freeze and unfreeze credit for free.
Phishing and anti-fraud training for employees to enable them to identify potential threats and modern tactics used to perpetrate fraud.
Require guarantees for large orders and purchases when dealing with new entities. Therefore, when researching a company, you can cross-reference personal information against the business information (example: Is the COO of X Corp. really John Doe from Sacramento?). Think of this tactic as a manual, multi-factor authentication process.
Perform Thorough Credit Checks and insist on receiving a Dun & Bradstreet D‑U‑N‑S® Number.
Educate customers on what information you will never seek from them and advise them to contact your business through specific telephone numbers if they suspect fraud.