According a Dun & Bradstreet, a leading provider of business information, inadequate data-quality checks have enabled criminals to use government websites to steal the identities of legitimate businesses in order to perpetrate crimes.
D&B reported business identity theft cases in 22 states with typical losses in the mid-six figures.
State Business Registration Websites Are a Magnet for Cybercrime
It may be hard to believe. But it’s easier to steal business information than it is to steal personal information because it’s not adequately protected online. Over the past decade, as states moved business registration online to facilitate filing, they didn’t take the necessary steps to improve online security. And that left the door wide open to identity thieves.
IT World recently reported that Colorado experienced a spike in business identity theft cases going back three years. Thieves used the state’s business registration website to change the names and addresses of 85 companies, including nonprofit organizations, churches and family-owned businesses. In Florida, there were 40 reported cases of fraudulent business filings, according to IT World.
Cyberthieves can go online in that state and alter the information of companies simply by sending in forms and paying the fee for filing an amendment.
Case in point: This year, Roger Lee Shoss and Nicolette Loisel, two Houston-based attorneys, were found guilty of conspiracy to commit wire fraud in an elaborate corporate identity theft scheme. According to the U.S. Attorney’s Office in Tampa, the two worked with another person over three continents, exploiting online business registries to find dormant publicly traded companies. Then they used the corporate identities they had stolen to create fraudulent shell companies which appeared to be publicly traded. After that, they sold the bogus shell companies that originated from the companies whose identities they’d stolen, for a profit.
For Business Identity Thieves, Small Is Beautiful
While the scope of that corporate identity case is larger than most, it illustrates how cybercriminals can steal and manipulate freely available online information belonging to companies of all sizes. Most small and medium-sized companies don’t understand why they would be on the radar of identity thieves. But according to Dun & Bradstreet, they’re tempting targets for a couple of reasons. Thieves know they have cash reserves and a credit line, but fewer technical, legal and financial resources to detect and protect themselves from cybercrime.
Online business ID theft takes many forms. Cybercriminals can change a company’s contact information. They can even set up a website with a similar domain name or the same domain name with a different extension to fraudulently obtain goods and services in the name of the legitimate business.
D&B estimates that 20% of business information in government databases is inaccurate. To make matters worse, banks and credit card companies often rely on business registration documents to approve new accounts and new lines of credit.
Too Few States Are Fighting Back Against Business Identity Theft
Colorado’s problems with business identity theft led it to become the first state in the nation to implement tougher online security: optional password protection for business filings and email notification if there are any changes to business information. Not surprisingly, business ID theft in the state dropped 40% between 2010 and 2012.
This year, Nevada created an online Business Portal which protects against business identity theft by incorporating single sign-on and online identity management tools.
But so far, only a few states have followed Colorado’s and Nevada’s lead to beef up online security for business filling. The National Association of Secretaries of State is seeing an increasing number of cases involving falsified business documents.
Here’s what you can do to make sure your company’s identity isn’t co-opted by cybercriminals:
- Find out what information about your business is online and where it’s located. Check with business registration entities to ensure it can’t be altered without your permission. That means password protection and email notification.
- Update your business filings as soon as any of your business contact information changes and check your business filings with the Secretary of State’s office at least once a year.
- Notify local law enforcement about any unauthorized changes and update your state business filings with the correct information.
- Monitor your accounts and bills for unauthorized charges.
- Monitor your business’ credit profile with major credit bureaus.
- Secure paper documents in locked cabinets and electronic records in password protected files.
- Establish business data security policies and limit employee access to sensitive information. That means knowing what company information is stored electronically in and out your office.
- Secure the mobile devices your employees are using. If they’re accessing sensitive information at wifi hotspots without using a virtual private network like Private WIFI™ to hide it from hackers, your company’s identity could be at risk.
Business identity theft is an under-reported crime because there’s no federal reporting system to track it. But just because it isn’t grabbing newspaper headlines doesn’t mean it can’t happen to your business.