Compared to how much we think about the problem of personal identity theft, business identity theft can seem almost like an afterthought—but it shouldn't be.
Business identity theft has been going on for decades, but as time goes by and technology improves, the thieves get more advanced and the losses get worse. This is a threat that is ramping up.
In July 2017, the IRS reported that they'd seen a 250% jump in the number of business identity theft cases when compared to the year before and about $137 million total in damages so far.
If you run a business or are responsible for its finances, security or human resources in 2017, then you need to be aware of the dangers of business identity theft.
Business Identity Theft: What is It?
Just like personal identity theft, business identity theft involves a variety of attack vectors and forms. Generally, however, thieves will steal or spoof the identity of a corporation either to get undeserved tax benefits (through filing a fraudulent return, for instance) or to open up false lines of credit (and make exorbitant, discreet purchases).
Thieves prey on businesses because the sums involved in the theft are much greater, while simultaneously attracting less attention:
- Steal a credit card and immediately try to buy $10,000 worth of something resellable—the odds of getting caught are high.
- Steal an open line of credit in a corporation's name and immediately try to buy $10,000 worth of something resellable—the transaction might not even attract scrutiny.
Years ago, masquerading as a business could be as easy as going to a local Secretary of State's online portal and simply “requesting changes” on nearly any given company's official records—thieves could add content, delete content, or more importantly, edit their own names into the incorporation documents. Once a thief's name is in the “official” record for that business, they can try to apply for lines of credit in its name or even try to file a fraudulent tax return.
Business Identity Theft Today
Today, business identity theft takes many forms. While simple methods like emulating a company's letterhead and sending faked correspondence are still plausible, many thieves have developed more sophisticated techniques.
- They can use virtual front-offices to convince your staff that they're legitimate and trick them into clicking on phishing links.
- They can break into an executive's email and then send fake emails to the finance team asking for a last-minute wire to a foreign bank account.
- They can even plant an unsecured WiFi hotspot in or around your office, hoping an employee will connect to it by mistake and leave their system open for hacking.
Business identity theft can be something as simple as a thief looking up your Employer Identification Number (EIN) and using it to file a fake tax return. It can be something as complex as gaining access to your internal email server and using it to send fraudulent wire requests to employees in control of your company's finances.
The truth is that businesses, by virtue of communicating with the outside world and processing transactions and needing information to flow freely inside, have a lot of exposure to threats and vulnerabilities from the outside. This makes businesses a natural target for thieves—especially today, when there are so many touchpoints available for thieves to capitalize on.
Business Identity Theft Statistics
The number of business identity theft cases every year is not as high as the number of personal identity theft cases—but the outcomes are much more dire and can often result in businesses shutting down. Plus, according to the data we looked at from Kaspersky Lab, Phishlabs and the Treasury, this is a growing threat. Here is business identity theft “by the numbers”:
- 350—The number of corporate tax returns the IRS flagged for potential business identity theft in 2015.
- 4,000—The number of corporate tax returns the IRS flagged for potential business identity theft in 2016.
- 10,000—The number of corporate tax returns the IRS flagged for potential business identity theft during the first six months of 2017.
- 6,176—The number of EINs the Treasury had reported as “associated with fictitious businesses” as of 2015.
- 1.1 million—The number of taxpayers not informed of employment-related identity theft committed in their names between 2011 and 2015.
- 300%—The percentage increase in ransomware attacks targeting businesses from 2015 to 2016.
- $325 million—The amount paid to hackers over the CryptoWall 3 ransomware in 2015.
- 230 million—The number of computers compromised by the WannaCry ransomware within one day.
- 20%—The percentage of business identity theft incidents in 2016 that were caused by employees and could have been prevented with better security awareness.
- $500,000—How much Village View Escrow lost in two days after an attacker was able to process 26 international money transfers in their name.
- 60%—The percentage of small businesses that go out of business within one year after being affected by business identity theft.
Business identity theft is a serious problem. It has imperiled businesses across the country and led to losses of millions of dollars. There are steps, however, that you and your business can take to lower the risk of business identity theft.
Preventing Business Identity Theft
In an effort to fight the fraudulent tax return aspect of business identity theft, the IRS is planning to ask tax professionals for more context on the corporations they're filing taxes for in 2018, such as:
- Name and SSN of the person signing the return: to ensure that the person signing the corporation's return is a legitimate employee or trustee of the corporation
- Previous payment history: to ensure that this request lines up consistently with previous tax returns, and wasn't pulled out of thin air by a fraudulent requester
- Filing history: to ensure that a corporation has filed all relevant tax forms and not solely the return—a good sign that the person signing the return is an actual corporation rather than a single person
There are a few important steps you should take as a business to be proactive and lower your chances of being affected by business identity theft:
- Sign up for alerts from your financial institutions: Your corporate credit cards should be set to automatically freeze or notify you if a transaction above a certain amount is processed.
- Educate your employees about phishing: Sophisticated email attacks can be almost indistinguishable from real emails, and can result in huge breaches. Ensure that each member of your team understands this (https://auth0.com/blog/the-new-trend-of-artisanal-spam/).
- Limit disclosure of sensitive information: The more you distribute your company's EIN, the more surface area you're creating for possible attacks. Limit disclosure to when it's absolutely necessary, and try to communicate it over the phone or in-person rather than over a stored medium.
- Sign up for alerts with your local Secretary of State: If anyone tries to change your business's registration information, you can receive an email from your local Secretary of State notifying you of the change. If it's not something you authorized, you can have the fraud immediately rolled back.
- Check your credit reports regularly: Whether through Dun & Bradstreet or one of the big three credit bureaus, you should be checking on your credit report to make sure that there's nothing suspicious going on.
Do each of these 5 things, and you'll have a strong set of practices that will help make sure that if you are the victim of business identity theft, you know about it soon enough that you can prevent any real damage from taking place.
If you want to truly prevent the possibility of anyone compromising your company's security, of course, then you need protection at the system-level.
Do Something About Business Identity Theft with Auth0
Keeping your business truly safe from business identity theft starts with controlling who has access to your systems.
Proactive measures are great, but you need to keep people from being able to access your sensitive information in the first place if you truly want to prevent business identity theft.
Enable Breached Password Detection
With Auth0's breached password detection, you can ensure that your employees and customers aren't logging in with credentials that have been compromised elsewhere on the web. If someone tries to log in and our breached password detection finds their username and password somewhere on the web, they will be automatically notified of this and forced to change their password.
Without breached password detection, hackers with access to lists of breached credentials can sign into corporate intranets and wreak havoc. We've identified more than 3.5 million instances of Auth0 users trying to log in with breached credentials!
Enable Multifactor Authentication
Multifactor authentication is another important line of defense against the danger of customers and employees logging in with compromised accounts, but it's also an important security step to take in general.
With multifactor authentication, a user's identity is double-checked when they undertake sensitive operations like logging in from a new location or accessing company information.
Enabling multifactor authentication ensures that thieves can't simply steal a username and password, log into an executive's email account, and start withdrawing funds or wiring them to themselves. Instead, they'll be prompted to enter a code into their smartphone or place their finger on a biometric scanner—which they won't be able to do.
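The login-time checks described in the two sections above (breached password detection, then multifactor authentication for a login from a new location), as an added example. It is not Auth0's implementation or code from the original post; the user store, the leaked-pair list, the country-code locations and the function names are all constructed for illustration.

```python
import hashlib
import hmac
import os

def pair_digest(username: str, password: str) -> str:
    """Digest of a username/password pair, so leaked pairs are not held in clear."""
    material = username.strip().lower().encode() + b"\x00" + password.encode()
    return hashlib.sha256(material).hexdigest()

# Constructed sample data: pairs seen in a hypothetical credential dump.
BREACHED_PAIRS = {
    pair_digest("cfo@example.com", "Winter2017!"),
    pair_digest("it@example.com", "letmein"),
}

def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, slow hash used for the stored verifier."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_user(password: str, known_locations: set) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt),
            "known_locations": known_locations}

# Constructed user store for the example.
USERS = {
    "cfo@example.com": make_user("Winter2017!", {"US"}),
    "ap@example.com": make_user("c0rrect-horse-battery", {"US"}),
}

def login_decision(username: str, password: str, location: str) -> str:
    """Return 'deny', 'force_password_reset', 'require_mfa' or 'allow'."""
    user = USERS.get(username.strip().lower())
    if user is None:
        return "deny"
    attempt = hash_password(password, user["salt"])
    if not hmac.compare_digest(attempt, user["hash"]):
        return "deny"
    # Correct password, but this exact pair is in a known dump: stop and reset.
    if pair_digest(username, password) in BREACHED_PAIRS:
        return "force_password_reset"
    # Valid, unbreached credentials from an unfamiliar location: ask for a second factor.
    if location not in user["known_locations"]:
        return "require_mfa"
    return "allow"
```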
Keep Your Corporate Identity Safe
Thieves hijack the identities of businesses because they're both bigger and more vulnerable targets than individual consumers.
They especially like to target small and medium-sized businesses that don't necessarily have the capital to invest upfront in building out their security.
But it is possible to prevent business identity theft. By being proactive and signing up for alerts, and by securing your internal systems with breached password detection and multifactor authentication, you can increase the difficulty of stealing your business's identity dramatically.
About the author
Diego Poza
Sr Manager, Developer Advocacy