Business identity theft – what can US companies do to protect themselves?

Business identity theft has become a growing issue among US-based enterprises, with the number of incidents hitting record high numbers in the past few years, recent figures gathered by the National Cybersecurity Society (NCSS) indicate.

A 2018 report by the cybersecurity awareness and advocacy non-profit cited data from Dun & Bradstreet, which showed a 46% rise in corporate identity theft from 2017 – the highest yearly increase ever recorded at that time since the market intelligence firm started tracking cases in 2005.

The following year, however, Dun & Bradstreet’s High Risk and Fraud Insight (HRFI) team reported a 100% spike in business identity theft and estimated that incidents would jump a whopping 258% during the height of the pandemic in 2020.

And small businesses run the most risk for such incidents, according to Mary Ellen Seale, founder and chief executive officer of NCSS.

Read more: How can small businesses protect themselves from cyber threats?

“Small business identity theft – stealing a business’s identity to commit fraud – is big business for identity thieves,” Seale told global information services provider Wolters Kluwer in an interview. “Unlike larger corporations, small businesses don’t always have the required security controls in place to detect and deter fraudulent activity, which can make them easier targets.”

She added, however, that “large and small businesses alike” suffer from a “general unawareness… of the magnitude of the threat and the devastating effects that business identity theft can have” on their operations.

What is business identity theft?

In its report, the NCSS defines business identity theft, also called corporate identity theft as “identity theft committed with the intent to defraud or hurt a business by creating, using, or attempting to use a business’s identifying information without authority.”

The non-profit classified such incidents into four main types:

• Financial fraud: This involves obtaining new lines of credit, loans, or credit cards in the business’s name and filing fraudulent uniform commercial code (UCC) financing statements.
• Tax fraud: This includes filing fraudulent returns using tax subsidies and obtaining refunds through the federal or state governments.
• Website defacement: This involves manipulating a business’s website to redirect traffic to another website and steal customer data.
• Trademark ransom: This is the act of registering a business’s name or logo as an official trademark and demanding a ransom to release them from the trademark.

Personal finance resource website Money Crashers noted, however, that much of the data used by identity thieves is readily available – via a business’s website, social media accounts, or in public records – making it crucial for companies to understand the risks posed by business identity theft and take the necessary precautions to prevent financial losses and other damages.

Read more: Biggest cybersecurity challenges to watch out for in 2022

Why are businesses targeted by identity thieves?

Because businesses are required by the law to publish certain sensitive company details such as financial statements and stakeholder information, which may include key identifiers – employment identification numbers (EIN) and sales tax numbers, for example – cybercriminals can often capitalize on the abundance of information available to steal data, according to Wolters Kluwer.

Money Crashers added that identity thieves are shifting their targets from consumers to businesses as the latter “maintain larger bank account balances and may have higher credit limits”

“Criminals commit business identity theft for the same reason they commit consumer identity fraud – financial gain,” the firm explained. “But even small businesses typically operate on a larger scale than individual consumers do, making companies a bigger target.”

How can businesses protect themselves against identity theft?

Despite increasingly becoming prime targets for identity theft, businesses can still adopt a range of measures to avoid falling victim to one. Here are some practical strategies companies can implement, according to experts.

1. Regularly check and monitor your business’s credit report

Doing so enables companies to spot errors and fraudulent accounts, so they can contact the credit agency immediately and file a dispute.

“Suspicious activity, including inquiries or new accounts you don’t recognize, maybe a sign of fraud,” wrote Gerri Detweiler, education director for Nav and who herself was a victim of business identity theft, in an article for Forbes. “Since credit bureaus don’t share information with each other except in very limited situations, you’ll want to check and monitor your credit with each of the major… commercial credit agencies such as Dun & Bradstreet, Equifax, and Experian.”

2. Make sure business records and documents are secure

Money Crashers advised businesses to keep only records that are essential for the company’s operations and “shred any physical document that’s no longer necessary.” It added that all business records must be kept in a secure location – preferably stored digitally on the cloud rather than in a physical storage such as a hard drive or flash drive. Paper records, meanwhile, must be secured in a locked fire-resistant cabinet that can be accessed only by a limited number of people. 

“Although many identity thieves work online, identity theft also occurs offline,” the firm noted. “Try to limit the amount of mail and paper with financial information printed on [the documents], since intercepting mail or rummaging through garbage is a common tactic of thieves looking to steal sensitive information. Sign up for electronic bank and credit card statements whenever possible.”

Read more: IBM: The “hidden” costs of data breaches severely hurt businesses

3. Educate employees about best cybersecurity practices

Understanding fraud protection and cybersecurity practices should start from the top down, according to Oregon-based Q5id. The identity and access management services provider added that once a company has internal controls in place, the next step should be to train employees on the best practices for preventing and dealing with cybersecurity threats and fraudulent activities.

“Some of the most essential identity theft-prevention practices to teach should involve business protocol implementation, fraud identification, password management, secure internet browsing, email phishing, and how to report cyberattacks,” Q5id noted.

4. Do not post sensitive information online

Money Crashers advised businesses to be conscious about what information they share online as even “seemingly innocuous information about projects you’re working on or initiatives in your business can put your company at risk.”

“Hackers scan social media for information they can exploit to fool employees into handing over valuable company data or initiating a wire transfer,” the firm warned. “Employees are much more likely to be tricked by a phishing email that sounds authentic because the criminals who wrote it included all sorts of information they found on social media.”

Read more: The benefits of a strong cyber threat intelligence program

5. Stay on top of computer network security updates

According to Q5id, one of the best ways businesses can protect themselves against cyberattacks, including identity theft, is by staying on top of network upgrades. They should also encrypt and conduct regular back-ups of all data and install a robust firewall with anti-malware. Companies can likewise explore automated fraud screening systems to spot any unusual purchases, purchasing locations, and spending made under the business’s name.

6. Stay vigilant

According to Fundera, a financial resource website for small businesses operated by NerdWallet, one of the keys to preventing business identity theft is to “always be prepared.”

“This means regularly reviewing and reconciling all account statements, credit reports, and business registration information for both active and closed accounts,” Fundera added.

Detweiler also advised companies to act quickly once they notice suspicious activity.

“Place a fraud alert,” she recommended. “File a police report. And keep good records – you may find that you need them later on.”

7. Invest in cybersecurity insurance

A cyber insurance policy helps cover for the financial losses resulting from a cyberattack and, in an increasingly digital business environment, it pays for companies to have one. Coverage can also include claims made by individuals or groups that may have been harmed because of a business’s action or inaction.

Read more: Top 10 cyber insurance providers in the US in 2022

According to Fundera, annual premiums can range between $1,000 and $7,500 and help pay for “the steep costs that come with data and identity theft.”

“Most businesses close permanently after a data breach because they can’t afford to pay high recovery and rebuilding costs,” the firm said. “Cyber liability insurance can help prevent this.”

What should businesses do if they fall victim to identity theft?

In a business identity theft resource guide posted on its website, the Colorado Secretary of State laid down the steps companies should follow if ever they fall victim to identity theft or fraud, adding that the information provided can apply to business owners in every state. Here’s what businesses should do, according to the guide.

1. Go to the Secretary of State’s website and correct any fraudulent information by filing a statement of correction. You have the option to attach additional information, including a written explanation of events. Be sure not to include any personal identifying information when attaching documents.
2. Immediately contact your bank and credit card provider and report the theft.
3. Contact credit reporting agencies and speak with their fraud departments to report the crime and view your business credit report.
4. Compare your EIN with the EIN of the business and report any differences to the credit reporting agencies.
5. Contact your business creditors, billing companies, and creditors where fraudulent accounts were opened and notify them of the criminal activity. Request copies of all documentation used to access the account.
6. Document contacts, including names, titles, phone numbers, and extensions. Include the names and numbers of all law enforcement officers you contact. If you are transferred several times, ask the person you eventually speak with for a direct phone number.
7. Follow up all calls with a letter (with a return receipt). Follow up and make sure that agencies or institutions have received all documents that they need to assist you.
8. Maintain information. Do not throw away files related to identity theft. Keep all notes, correspondences, printouts of emails, copies of reports, and other documents in a secure and accessible file.
9. Check your credit report.

With the threat of business identity theft growing, it is crucial for all businesses, regardless of size, to understand the real risk that identity theft poses and take the necessary precautions to prevent serious financial loss and other potential damages.