Darrell Smith, East Coast Fraud & Risk Management Group

Most of us are familiar with personal identity theft, where an individual has their identity stolen, but business owners may not be as familiar with business identity theft. Business identity theft is not the theft of a customer’s personal information; it is someone who has no right to do so assuming the identity of the business for illegal purposes.

The purpose is to gather information on the company and then submit fraudulent business records and tax filings, causing significant financial losses to the company and defrauding their creditors, suppliers and financial institutions. Corporate identity theft is not just about corporations, but includes non-profits, government, small & medium enterprises, partnerships and sole proprietorships.

Businesses are targeted for many reasons, including:

  • More complex financial affairs than an individual, numerous people involved and less chance of being discovered.
  • Businesses have large cash balances in the bank, making it more profitable for the fraudster.
  • It is easier to open a business bank account and get credit than to open an individual account.
  • Higher credit limits and less collateral required.
  • A lot of business information is public, such as HST numbers on invoices, licensing, permits, and loans secured by assets through Personal Property Security Searches. Also, anyone can request a credit report from the credit agencies on a company.

According to a 2012 survey by Javelin Strategy Research Report, 75% of data breach reports took place in businesses with fewer than 100 employees.

While there are numerous scams involving business identity theft, the following are some of the most common:

  • Fraudulently changing your business registration information: All business registrations in Nova Scotia are filed with the Registry of Joint Stocks, and when a company wants to submit a change to their registration, they fill out a form with the changes, sign it and send it either by mail or electronically. The Registry updates the information without verifying the changes, and most provinces and states do the same. This allows a fraudster to change your corporate information, such as adding a new director, changing the corporate mailing address or designating another name as the corporate secretary/treasurer. Then all they have to do is print off a copy and take it to the bank and open an account with the information or have mail delivered to the changed address. Changing the business registration information could allow them to purchase assets in the company name, sell company assets, get access to bank accounts and credit lines, and get credit cards issued.
  • Cyber Crime: The main technique here is phishing, which is when the cyber criminals send out thousands of emails that look like they are from a legitimate financial institution. It is usually an urgent message saying something like “we have detected unauthorized use of your account,” “detected a security breach,” “too many log in attempts,” or some other similar reason. The web site looks legitimate and the email address is usually very close to the actual financial institution’s address. The email instructs you to click on the link, which will take you to the site and get you to reset your password and/or enter your account number. No financial institution will ever send you an email saying there is a problem with your account.
  • Obtaining loans and credit using the business owner’s personal information: Just like personal identity theft, the purpose here is to obtain the owner’s personal information and then either conduct business in the business name or obtain credit and other assets or open bank accounts by using the owner’s information. Think about how easy it would be for someone to walk into a bank with your full name, address, date of birth, Social Insurance Number, and employer and open up an account, or to apply for a credit card online.

Here are some TIPS to help you prevent Business Identity Theft:

  • Review your banking agreement. Before you are a victim of business identity theft, know your bank’s policies on liability for fraud on your bank accounts.
  • Reconcile your bank account daily. By using online banking you can log on to your account and review balances and transactions. Report any discrepancies to your bank immediately.
  • Use a secure computer that only you have access to for your business banking. The computer must have antivirus and anti-spyware software protection. Use passwords that are at least eight characters long and change them monthly. Do not access your bank accounts through public internet or Wi-Fi spots and don’t use your smart phone to log onto your business bank accounts.
  • Educate all your staff on phishing scams online and via telephone calls requesting information over the phone. I know of a situation where the administrative assistant gave out information over the phone, to what they thought was a legitimate call by a vendor wanting to deposit funds electronically, resulting in losses to the company.
  • Protect all your business documents and information. Keep all financial and confidential information locked up and in a secure location. I worked on an investigation where the cleaners would come in at night and one of them would go to the receptionist computer, log on and download confidential information and sell it to their competitor.
  • Shred all unneeded documents that have confidential or financial information on them. I prefer a shred company that supplies the onsite shred boxes and empties them on a regular basis.
  • Check your business registration information regularly. This can easily be done by going to the Registry of Joint Stocks website at www.rjsc.gov.ns.ca and entering your business name.
  • Check your business credit reports at least once a year and more frequently if you suspect something. Reports can be obtained from TransUnion, Equifax and Dun & Bradstreet.
  • Have high quality computer antivirus and spyware software.
  • Train all your employees on business identity theft prevention. This should be part of new employee training and orientation and make it a topic at staff meetings.
  • Be aware of large orders from new customers or a new company. Do your due diligence by asking: Does the order make sense? Does the order information raise a red flag, such as an overseas address or a PO Box? If you are not sure call the customer or email for additional information. If in doubt, hold the order back. It is better to delay an order from a new customer than to ship goods and not get paid for them. One results in a potential loss of a customer; the other is a loss of inventory or cash.

In closing, keep in mind that cyber crime operates anonymously; the fraudsters don’t wear masks and rob banks. They conduct their crimes from the comfort of their own homes, they are very good with computers and many are well educated. They know the chances of getting caught are slim.

All organizations should make business identity theft part of their risk management program. Talk to your insurance broker to see if you have coverage for business identity theft.

Darrell Smith is the Managing Director of East Coast Fraud & Risk Management Group. He has over 20 years’ experience providing fraud detection and prevention programs to a wide variety of corporate, government and non-profit clients. He is a graduate of Mount Saint Vincent University and is a Certified Fraud Examiner. He can be reached at (902) 430-3664 or dsmith@eastcoastfraud.ca.