Although many connect the term identity theft with the theft of a person’s identity, corporate identity theft, in which the identity of a corporation or business — even small and medium-sized businesses (SMBs) — is stolen, is becoming more and more common. In some cases, the break-in is so stealthy that executives do not become aware of the issue until quite a lot of damage has been done. SMBs can be more attractive than people to identity thieves due to larger lines of credit and less scrutiny about how it is used.
The exact mechanisms of corporate identity theft may vary somewhat by country, depending on the laws and the mechanisms for changing information. For example, in the UK, on the submission of documents that seem to be authentic to a corporate registration service, an identity thief could make substantive changes to an organization. This is the mechanism to appoint new directors, change the director, or change the registered address. With this type of changes, the actual directors will not be notified, and the new directors have, in effect, taken over the company.
Another approach is to create a fake website that appears to match a corporate identity (called spoofing). Through this website, people are hired for jobs with a title like “Account Coordinator,” and set up with facilities to collect payments from “customers.” The actual job is being a money mule for the scammers.
The information that enables corporate identity theft may be acquired by scammers in a variety of ways. The loss of any computer, laptop, netbook, or mobile device with company data is a potential invitation to corporate identity theft. Working in public without a privacy screen is another issue. Displaying a business license on the wall may be the law, but when it includes the business license number and Tax ID, if those items are legible or someone can take a photograph and enlarge them, the information on it may be stolen. Considering this when placing the license is a good plan.
Steps to prevent corporate identity theft include the following suggestions. First institute a company policy concerning sensitive information and how it is handled. Second, be sure security systems are current, that computer networks have firewalls, and that anti-spyware, and anti-virus and anti-spam software are all engaged. Make reviewing the business credit report a regular part of the expense review. Invest in a good shredder and shred all business papers before disposing of them. Also, anyone using a Social Security number as an EIN (Employer ID Number), should replace it to lessen risk.