You know how important it is to protect your personal identity. You safeguard your Social Security number, shred sensitive documents, and regularly check your credit report to avoid becoming a victim. But are you taking similar precautions with your business’s identity? You should be.
According to the National Cybersecurity Society’s 2018 report, Business Identity Theft in the U.S., business identity theft is a growing problem. The report cited several examples of the issue, including:
- The fraud department at a large U.S. financial institution indicated they’d seen a 200% increase in fraudulent wire transfers due to compromised business emails.
- In 2015, the Treasury Inspector General for Tax Administration reported that the United States had identified 233 business tax returns filed using suspicious federal employer identification numbers (EINs), claiming $2.5 million in fraudulent refunds.
- In 2018, Dun & Bradstreet reported a significant increase in business identity theft in 2017 — up 46% year over year, the most substantial increase in any year since tracking began in 2005.
Despite these sobering statistics, many small-business owners are unaware of the magnitude of the threat or aren’t sure what to do about it.
What Information Are Business Identity Thieves After?
Business identity theft comes in many forms, so the types of information thieves are after vary. The National Cybersecurity Society report identified five main types of business identity theft:
- Financial Fraud. A thief obtains a new line of credit, loan, or credit card using a stolen EIN. They may also file fraudulent property liens claiming the business owes huge sums of money.
- Tax Fraud. A thief files a fraudulent tax return using a stolen EIN to obtain a tax refund from federal or state governments.
- Website Defacement. A thief manipulates a business’s identity on the Internet to redirect traffic to another website and steal customer data. The hacker may demand a ransom before the company regains control of its website.
- Trademark Ransom. A thief registers a business name as an official trademark and demands a ransom to release the trademarked business name.
- Business Email Compromise. This scheme targets businesses that regularly perform wire transfers. A thief hacks into a business owner or executive’s email and sends an email to the finance team asking for a last-minute wire transfer to a bank account controlled by the fraudster.
A business’s EIN is one way identity thieves can defraud a company or the government, but it’s far from the only piece of information thieves use to perpetrate business identity theft. Much of the data used by thieves is readily available via a business’s website, social media accounts, or in public records. That makes it all the more important for companies to recognize the risks posed by business identity theft and take the necessary precautions to prevent financial loss and other damages.
Why Businesses Are Prime Targets for Identity Theft
Criminals commit business identity theft for the same reason they commit consumer identity fraud: financial gain. But even small businesses typically operate on a larger scale than individual consumers do, making companies a bigger target. Consider the potential benefits from a criminal’s perspective:
- They Have Potentially More Money. Businesses maintain larger bank account balances and may have higher credit limits than individual consumers.
- It’s Easier to Avoid Detection. Businesses enjoy flexible payment terms that allow them to receive the goods or services they order and pay for them within 10 to 30 days after receipt of the invoice. This gives thieves a larger window of opportunity to avoid detection.
- There’s Less of a Red Flag. Businesses tend to place large orders. If you tried to buy 10 laptops with a personal credit card, the credit card issuer might flag the transaction as suspicious. However, it’s not unusual for an established business to place large equipment orders, so the same transaction might go unnoticed.
- There’s Less Security. Small businesses don’t have the sophisticated security and oversight procedures that a large corporation has.
How to Prevent Business Identity Theft
The good news is that businesses can reduce the threat of business identity theft and minimize their losses by following these simple and practical steps.
1. Protect Your EIN as You Would Your SSN
There are many circumstances in which you must give out your business EIN, such as to open a bank account, for tax and wage reporting, and to complete W-9 forms. However, keep in mind that thieves can use this number to commit several business identity theft schemes. Try to limit disclosing your EIN unless it’s absolutely required, just as you would protect your Social Security number.
2. Secure Business Records and Documents
Although many identity thieves work online, identity theft also occurs offline. Maintain only the records necessary to operate your business and shred any physical document that’s no longer necessary. Try to limit the amount of mail and paper with financial information printed on it, since intercepting mail or rummaging through garbage is a common tactic of thieves looking to steal sensitive information. Sign up for electronic bank and credit card statements whenever possible.
Keep all business records in a secure location, preferably stored digitally on the cloud rather than on a physical computer, external hard drive, or easy-to-steal flash drive. If you maintain paper records, secure them in a locked fire-resistant cabinet and limit the number of people with access to them.
3. Regularly Check Your Company’s Credit Report
Did you know your business may have a business credit report and credit score, even if you’ve never applied for a business loan? The three major business credit bureaus — Dun & Bradstreet, Equifax, and Experian — each have their own business credit scoring models. And unlike individual credit, anyone can view your business credit report without your permission or knowledge.
Regularly check your business credit report. If you find an error or any fraudulent accounts, contact the credit agency that generated the score and dispute it.
4. Consider Enrolling in a Credit Monitoring Service
If you’re worried that your business credit has been compromised, consider enrolling in a credit monitoring service so you’ll be alerted when your business credit report or credit score changes. Dun & Bradstreet offers CreditMonitor™, Experian offers a business identity protection service called Business Credit Advantage, and Equifax offers Business Credit Monitor. Both of these services charge a fee, but the peace of mind could well be worth the cost.
5. File Your Annual Report on Time
Most states require all businesses registered in the state to submit an annual report providing the names and addresses of directors or managing members, as well as the company and registered agent address. You typically update this once a year through your state’s website.
Missing an annual report deadline sends a message to potential identity thieves that you aren’t paying attention. A fraudster may pay a small fee to file a change in your business’s officers or directors. With their own name on file as president or secretary, they appear authorized to act on behalf of your business to third parties. They may make purchases in your business’s name, open or access your business bank accounts, or take out loans or credit lines.
They may also file a change of business address and registered agent. The registered agent is authorized to receive legal documents and notifications on your behalf. This change puts the thieves in control of important mailed notices and statements, so you won’t be notified if your business is victimized.
6. Check Your Secretary of State’s Website Regularly
Stay on top of any changes to your business registration by regularly checking the information provided on your Secretary of State’s website and signing up for alerts if they’re available. That way, you can look for any unauthorized changes and immediately report them to the proper authorities.
7. Make Sure Your Tax Returns Are Timely & Complete
The IRS is stepping up their efforts to identify fraudulent tax returns by looking out for filing inconsistencies or missing information. When you file your federal income tax return, be sure you include complete and accurate information on:
- Filer’s Name and Social Security Number. This is the name of the partnership representative or person signing the return. It will help the IRS verify whether the signer is a legitimate employee or trustee of the company.
- Payment History. If you made estimated tax payments, include complete and accurate information on when they were made and the amount.
- Filing History. If your business also files Forms 940, 941, or other business-related returns, include the information for these as well. It’s another indication that your business is legitimate.
8. Educate Your Employees About Phishing
MediaPro’s 2020 State of Privacy & Security Awareness report found that only 17% of employees are “very confident” they can identify a social engineering attack, while 28% of employees admitted they lack confidence in their ability to identify a phishing email. If you have employees or independent contractors accessing your network or sensitive information online, they could be the biggest threat to your company’s security.
Train your employees to identify deceptive emails and avoid downloading strange attachments or clicking on links. Bad grammar and spelling used to be a red flag, but don’t count on that as a foolproof detection method anymore. With thieves becoming more sophisticated, it’s increasingly challenging to differentiate fraudulent emails from legitimate ones.
9. Require Dual Authorizations for Wire Transfers
If your company regularly makes wire transfers, put controls in place to protect against fraudulent transfers. Because these transactions occur quickly, even if you catch and report the fraud within hours, it’s frequently too late to stop the transfer or recover the money.
Make sure that any wire transfers require approval from two parties or multiple methods of authorization. For example, you might require that wire transfers requested via email are also verified over the phone before the transfer is approved. If you don’t use wire transfers, talk to your bank about blocking wire transfers from your account altogether.
10. Don’t Post Sensitive Information Online
You want your company’s website to be informative, but be careful about what you share online. Avoid posting confidential information, such as your EIN, on your site. Even sharing seemingly innocuous information about projects you’re working on or initiatives in your business can put your company at risk.
Hackers scan social media for information they can exploit to fool employees into handing over valuable company data or initiating a wire transfer. Employees are much more likely to be tricked by a phishing email that sounds authentic because the criminals who wrote it included all sorts of information they found on social media.
11. Stay on Top of Computer Security Updates
Regularly check for and install any security and firmware updates for your computer’s operating system, Internet browser, network printers, and other connected “smart” devices to ensure you have the latest versions. These updates often contain important designs to protect against identified vulnerabilities.
What to Do if Your Business Is a Victim of Identity Theft
If your business has already fallen victim to identity theft or fraud, resolving it will be a time-consuming process. The Colorado Secretary of State has a comprehensive Business Identity Theft Resource Guide with information applicable to business owners in every state. It recommends the following steps:
- Immediately contact your bank and credit card issuers.
- Notify the three main business credit reporting agencies — Dun & Bradstreet, Experian, and Equifax — and ask them to put a “fraud alert” on your file. This alert will notify creditors to contact you before opening new accounts in your name.
- File a report with local law enforcement.
- Contact your current creditors and billing companies to notify them of the identity theft.
- If your business name, address, list of directors and officers, or registered agent on file with the Secretary of State has been changed, file a statement of correction and notify the Secretary of State’s office that your business was the victim of identity theft.
- Document all of the calls you make and write down names, dates, departments, phone numbers, and notes for each conversation.
- Follow up with creditors and credit reporting agencies to ensure they have the information needed to place a fraud alert on your account.
- Don’t throw away your files. Keep your notes and correspondence in case you need them in the future.
- Continue to monitor your accounts and credit report.
In addition to the steps above, you can ask the IRS to place an alert on your account by filing Form 14039: Identity Theft Affidavit.
Business identity theft can happen to a business of any size, but it’s a particular risk for small-business owners. A single identity theft event can cause a significant loss of income, late payments, negative credit reports, delayed tax refunds, lost business opportunities, and a damaged company reputation.
That’s why it’s important to understand the risks, take steps to protect your business, and know what to do if it happens to you. You’ve worked hard to build your business, so you should work equally hard to protect it.
What are you doing to protect your business’s identity from theft?