REDUCING THE RISK OF BUSINESS IDENTITY THEFT
Darrell Smith CFE, ARM, CIM, FCSI
Most of us are familiar with personal identity theft, where an individual has their identity stolen, but business owners may not be as familiar with Business Identity Theft. Business Identity Theft is not the theft of customer’s personal information, but is someone assuming the identity of the business, that has no right to, for illegal purposes. The purpose is to gather information on the company and then submit fraudulent business records and tax filings, causing significant financial losses to the company and defrauding their creditors, suppliers and financial institutions.
Corporate Identity Theft is not just about corporations, but include non-profits, government, small & medium enterprises, partnerships and sole proprietorships.
Businesses are targeted for many reasons, including;
- More complex financial affairs than an individual, numerous people involved and less chance of being discovered.
- Businesses have large cash balances in the bank, making it more profitable for the fraudster.
- Easier to open up a business bank account and get credit, than opening an individual account.
- Higher credit limits and less collateral required.
- A lot of business information is public such as HST tax numbers on invoices, licensing, permits, and loans secured by assets through Personal Property Security Searches. Also anyone can request a credit report from the credit agencies on a company.
In a 2012 survey by Javelin Strategy Research Report, 75% of data breach reports took place in businesses with fewer than 100 employees…
While there are numerous scams involving Business Identity Theft, the following are some of the most common;
1. Fraudulently Change Your Business Registration Information: All business registrations in Nova Scotia are filed with the Registry Of Joint Stocks and when a company wants to submit a change to their registration, they fill out a form with the changes, sign it and send it either by mail or electronically. The Registry updates the information without verifying the changes, and most Provinces and States do the same. This allows a fraudster to change your corporate information, such as adding a new director, changing the corporate mail address or designating another name as the corporate secretary/treasurer. Then all they have to do is print off a copy and take it to the bank and open an account with the information or have mail delivered to the changed address.
Changing the business registration information could allow them to purchase assets in the company name, sell company assets, get access to bank accounts and credit lines, and get credit cards issued.
2. Cyber Crime: The main technique here is Phishing, which is when the cyber criminals send out thousands of emails that look like they are from a legitimate financial institution. It is usually an urgent message saying something like “we have detected unauthorized use of your account,” “detected a security breach,” or “too many log in attempts,” or some other reason. The web site looks legitimate and the email address is usually very close to the actual financial institutions address. The email instructs you to click on the link which will take you to the site and get you to reset your password and or enter your account number. No financial institution will ever send you an email saying there is a problem with your account.
3. Obtain Loans and Credit using the business owner’s personal information. Just like personal identity theft, the purpose here is to obtain the owners personal information and then either conduct business in the business name or to obtain credit and other assets or open bank accounts by using the owner’s information. Think about how easy it would be for someone to walk into a bank, with your full name, address, date of birth, Social Insurance Number, employer and open up an account or to apply for a credit card on line.
Here are some TIPS to help you prevent Business Identity Theft;
Ø Review you banking agreement. Before you are a victim of Business Identity Theft, know your banks policies on liability for fraud on your bank accounts. Ø Reconcile your bank account daily. By using online banking you can log onto your account and review balances and transactions. Report any discrepancies to your bank immediately.
Ø Use a secure computer, that only you have access to, for your business banking. The computer must have anti virus and anti spy ware software protection. Use passwords that are at least eight characters long and change them monthly. Do not access your bank accounts through public internet or Wi-Fi spots and don’t use your smart phones to log onto your business bank accounts.
Ø Educate all your staff on Phishing scams on line, and by telephone calls requesting information over the phone. I know of a situation where the administrative assistant gave out information over the phone, to what they thought was a legitimate call, by a vendor wanting to deposit the funds electronically. Resulting in losses to the company.
Ø Protect all your business documents and information. Keep all financial and confidential information locked up and in a secure location. I worked on an investigation where the cleaners would come in at night and one of them would go to the receptionist computer, log on and down load confidential information and sell it to their competitor.
Ø Shred all unneeded documents that have confidential or financial information on them. I prefer a shred company that supplies the onsite shred boxes and empties them on a regular basis.
Ø Check your business registration information regularly. This can easily be done by going to Registry of Joint Stocks website www.rjsc.gov.ns.ca and entering your business name.
Ø Check your business credit reports at least once a year and more frequently if you suspect something. Reports can be obtained from Trans Union and Equifax and Dunn & Bradstreet.
Ø Have high quality computer virus and spy ware software.
Ø Train all your employees on Business Identity Theft prevention. This should be part of new employee training and orientation and make it a topic at staff meetings. Ø Be aware of large orders from new customers or a new company. Do your due diligence by asking. Does the order make sense? Does the order information raise a red flag? Such as overseas address or a PO Box. If you are not sure call the customer or email for additional information.
If in doubt, hold the order back. It is better to delay an order from a new customer than to ship goods and not get paid for them. One results in a potential loss of a customer the other is a loss of inventory or cash.
In closing keep in mind that cyber crime operates anonymously, the fraudsters don’t wear masks and rob banks. They conduct their crimes from the comfort of their own homes, they are very good with computers and many are well educated, they know the chances of getting caught are slim. All organizations should make Business Identity Theft part of their risk management program. Talk to your insurance broker to see if you have coverage for Business Identity Theft.
Visit our site for additional blogs at: www.eastcoastfraud.ca