With few safeguards in place, smaller businesses make easy targets for identity thieves.
How do you ensure your business doesn’t fall victim to a scam?
Corporate identity theft involves acquiring or stealing information about a business and using it fraudulently for financial gain.
Sometimes fraudsters hijack a company by changing the registered office address and appointing rogue directors at Companies House. “In effect, they set up a parallel structure in order to receive goods or services,” says Michael Hatchwell, partner at Child & Child, Globalaw. Purchases are made on credit, in that company’s name, but the accounts are never settled.
And what if they also apply for business loans and credit cards? The potential financial and credit rating damage to you and your business doesn’t bear thinking about.
Hatchwell says: “Apart from this, theft of corporate ID usually results in a significant amount of disruption, hassle and damage to your reputation. If a business cannot look after its own confidential information it’s questionable whether it can be trusted with confidential information of its clients.”
He adds that it could also lead to sanctions and fines if professional bodies and the Information Commissioner’s Office decide that you had taken insufficient precautions to protect confidential information of third parties along with your business’ own information.
Business owners are at higher risk
According to fraud prevention organisation Cifas, company directors are twice as likely as other members of the public to become the victims of identity theft.
This doesn’t mean that it’s safer to operate your business as a sole trader.
“You can fall victim to traditional personal identity theft and the impact of ID fraud will be the same if you and your business identity are the same,” says Harman Singh, co-founder of cyber security consultancy Defendza.
Armed with stolen data, fraudsters can impersonate you or your company, often by pretending to be you or one of your employees, and trick your clients into diverting payments to a different bank account.
Pretending to be you, crooks can also target unsuspecting members of the public and attempt to steal their data.
Singh says: “They could be after personally identifiable information (PII), which is information that can identify an individual: national insurance numbers, date of birth, address and phone numbers.”
Theft of corporate ID usually results in a significant amount of disruption, hassle and damage to your reputation
How your information gets stolen
In addition to the information easily available at Companies House, fraudsters use whatever a business volunteers about itself on its website, LinkedIn and elsewhere on the Internet.
Singh points out that your business may be impersonated with a bogus website that appears to be legitimate.
It involves setting up a similar or identical-looking website using your business logo but a slightly different domain name, perhaps .me.uk instead of .co.uk. A fraudster can then use the domain to send e-mails with bogus invoices, at the same time notifying recipients of a change of address and change of bank account.
Often, paper documents get taken from rubbish and recycling bins. Or untrustworthy visitors steal or take photos of confidential information from files left out in the open.
“Sometimes fraudsters also buy data from dark web operated black markets, and often use cybercrime techniques such as phishing and spyware,” adds Singh.
Phishing emails sent to your employees are designed to appear to be from a legitimate source: you or someone else within your business that the employee recognises and trusts.
“This way they can attempt to obtain passwords, gain access to company bank accounts and divert funds directly,” says Hatchwell.
A phishing email may also have a virus attached, which could allow the fraudster to hack into your internal systems and steal the information from within.
How to look after your business identity
Companies House deals with up to 100 cases of corporate identity theft every month.
To prevent unauthorised changes to your records at Companies House, register for online filing and join the Companies House free protected online filing (PROOF) scheme.
Also, a new law came into force at the end of April 2018 to help protect company directors from identity fraud. Directors can now remove their personal addresses from the public record at Companies House.
Many ID theft incidents occur because businesses don’t have proper information security procedures in place.
Hatchwell says: “You must introduce robust processes such as verification of all money send/receive instructions as well as double-checking phone numbers and addresses. I’d suggest using electronic identification systems whenever available. Also, ensure that your IT systems, laptops and work phones are password-protected and that passwords are changed regularly.”
Your business logo and website can be easily replicated with a few clicks if you don’t take steps to protect content.
“Your website and any web portals should be created by a developer who has a secure design in mind so that no weaknesses are left in the code that may allow crooks to find loopholes to get in,” adds Singh.
Hatchwell says that better physical security is paramount. “You must prevent mail theft, dumpster diving and unauthorised access to work stations. And you must keep all sensitive documents in a safe place.”
He adds: “One of the best ways to protect your business from corporate identity fraud is to raise awareness amongst staff of possible scams, lessening the likelihood that they will be tricked. The scams are getting more sophisticated, and it’s easy to be taken in.”
What to do if you are a victim of business ID theft and fraud
If you operate as an ltd, contact Companies House to report and reverse any unauthorised changes to your company’s records.
Also, report the matter to your professional body, the police and to Action Fraud, the UK’s national reporting centre for fraud and cyber crime, and follow their advice.
Iwona Tokc-Wilde is a business journalist.