Identity theft explained: Why businesses make tempting targets

Identity thieves can take advantage of businesses as well as individuals. Here's what you need to know to protect yourself and your organization.

Impersonation / disguise / fraud / false identity / identity theft
AlphaSpirit / Getty Images

Identity theft definition 

Identity theft is the use of someone else's personal information without permission, typically to conduct financial transactions. By personal information, we mean data that institutions use to identify or recognize you: your social security number, your bank account number, your address history, and so forth.

These sorts of data points are in theory private but in practice can often be discovered in a variety of ways by a dedicated identity thief, who can then either access your own accounts or open new ones in your name. The latter practice can be particularly pernicious: with just your social security number, identity thieves can take out loans or credit cards that they never pay off — and the resulting damage to your credit rating can be very difficult to undo.

While identity theft is a very old crime, in many ways it is a defining problem of our modern digital age, in which your personal information can easily be exposed online due to your own negligence or the poor security practices of companies you do business with, and so much of your financial life rides on the accuracy of your credit rating. The damage can be mitigated, but it's better to prevent the theft in the first place.

Impact of identity theft on business

Identity theft is most often associated with the act of stealing an individual's identity. But as Mitt Romney once famously said, "corporations are people, my friend," and businesses have all the sorts of "personal" data — tax ID numbers and bank accounts, for instance — that individuals have, which can be stolen and abused. We're not talking about security breaches or employees misusing corporate assets here; we're talking about an identity thief pretending to be someone within a company who has the authority to make financial transactions, just like they might pretend to be another individual.

In fact, a business may be an even more tempting target for an identity thief than an individual because businesses have high credit limits, substantial bank accounts, and make big payments to vendors on a regular basis. The consequences can be dire, particularly for small businesses where the founder's or owner's finances are deeply entangled with the company's.

Before we move on, we should take note of a couple of ways that even the theft of individuals' identities can affect businesses. For instance, one of the most pernicious effects of identity theft is just how much time victims have to spend calling credit agencies and financial institutions to resolve the issue; a recent study found that victims can take up to 175 hours to set everything straight — and because they need to make these calls during business hours, if your employees are victims, that happens on company time. In addition, if an identity thief makes a purchase from your business with a stolen or fraudulent credit card, the victim will generally be recompensated by the credit card company — who may then attempt to claw the money back from your company, a dynamic exploited under the name of "friendly fraud."

How is identity theft committed?

Every act of identity theft begins with a thief gaining access to one or more pieces of personal information about the victim. The credit agency Experian has a good a good outline of the various overlapping ways that this can happen. Thieves can, for instance:

  • Steal your mail to harvest data from your bills or bank accounts
  • Hack into your home or corporate network and intercept browsing data or emails
  • Steal your mobile phone and get access to the treasure trove of personal data you walk around with every day
  • Send you phishing emails to trick you into giving up your personal information
  • Buy data dumps on the dark web, many of which include personal information derived from data breaches of corporate databases

Many of these techniques would work on both individuals and businesses. Businesses are often less strict about controlling "personally" identifying information than individuals, since certain facts about businesses must be public by law, and a business is run by multiple people and lines of responsibility may be diffuse.

For those identity thieves looking to masquerade as a business, however, there are some more elaborate schemes that can be perpetrated, which represent both higher risk and higher reward. CPO Magazine outlines two of the more devious techniques. In one, identity thieves monitor business registration information, and if your company fails to renew its license or registration on time, they swoop in, pay a small fee, and renew it for you, changing your company's contact information or board of directors so that, on official documents, they now run it. In another scam, sometimes called "address mirroring," the thieves will establish an office or at least a mailing address in the same building as their target company, and use the confusion to start corresponding with the victim company's banks and vendors.

Identity theft examples

Once identity thieves have identifying information about you or your company, there's a lot of different techniques they can use to profit from it. Experian breaks down some of the types of identity theft:

Accessing existing financial accounts. This is probably the most straightforward way to profit from identity theft: by simply stealing your money. With a credit card or bank account number, identity thieves can make purchases until the fraud is noticed and the accounts frozen. Businesses, which may have large amounts of cash or credit for day-to-day operations, are a particularly tempting target.

Opening a fraudulent credit card or other line of credit. This can be achieved with as little data as a name and a social security number. Once the credit is available to the identity thief, money can be withdrawn and spent or charges made to the card — and of course they'll make no attempt to pay off the loan. Since the debt is attached to the victim's social security number, there are little or no consequences for the identity thief. Again, businesses are a particularly tempting victim of these scams, as they can often acquire bigger lines of credit than individuals can.

Filing a fraudulent tax return or health insurance claim. These are somewhat more specialized scams, but still potentially lucrative. The IRS has been criticized for using so-called knowledge-based identification, in which users confirm their identity by answering questions derived from credit reports about places they've lived or people in their family — questions a determined identity thief could discover and then use to snag a person's tax refund before they had a chance to file. The IRS is moving away from this form of authentication, though many other U.S. government agencies have not. 

Identity theft protection

There's a wealth of information out there on how to protect yourself from identity theft, from outlets ranging from credit agencies to government websites to personal finance publications. While the details differ, there are some bits of advice that almost everyone seems to agree on, and they apply to individuals and businesses alike:

Monitor your credit. Under U.S. law, you're entitled to a free annual credit report from each of the big three credit agencies (Equifax, Experian and TransUnion). In addition, many banks and credit cards offer continuous credit monitoring to customers. Take advantage of this and keep an eye out for new accounts being opened in your name that you don't recognize or credit checks being conducted that you haven't requested.

Freeze your credit. If you're particularly worried about identity theft, you can put a freeze on your credit with the credit agencies so that nobody can open a new account of any kind in your name. You would need to manually unfreeze things when you yourself wanted to open a new account, of course, but you trade convenience for security.

Keep a close eye on your financial statements. A subtle identity thief could slowly siphon money out of your bank account or ding your credit card with small charges for months if you don't take the time to examine your statements to look for things you don't recognize.

Practice good online hygiene. This means using strong passwords that vary from site to site to avoid hacks and data breaches, and being on guard against phishing and spoofing scams that will try to trick you into giving up passwords or personal information.

Don't leave a paper trail. Theft of surface mail is a popular and underrated identity theft vector; you can protect yourself by using a mailbox with a lock on it, and choosing to receive your bills via email rather than surface mail when you can. When you do have paper documents with personal information, be sure to either keep them secure or shred them when you're done with them.

How to report identity theft

That's a long list of precautions you need to take, and while many people make strong efforts to meet all of them, it's hard to do it all perfectly — and an identity thief only needs to get lucky once. And as we've noted, many identity thieves get personal data derived from hacks of corporate systems, so even if you've been completely vigilant about your data, you can still find yourself a victim of identity theft if some company you've done business with lets down its guard.

If you do discover that you're the victim of identity theft, you can take steps to remediate the problem. You can begin at the FTC's IdentityTheft.gov website, which asks you questions about your situation and generates a report and step-by-step recovery plan to help you reclaim your credit. You can take this report to your local police department, and while we'd love to tell you that crack detectives will get to work right away tracking down the identity thieves who wronged you, in all probability the best you can hope for is that they'll let you file a police report, which will be useful on other steps of your journey.

You'll also want to contact all three credit bureaus to place a fraud alert on your file: this means requests for new accounts will be subject to additional scrutiny. (You may want to freeze your credit completely at this point if you haven't already.) Finally, you'll want to get in touch with the companies involved — the banks where fraudulent accounts were opened or that issued credit cards in your name, for instance — to explain to them what happened and begin the process of shutting down those accounts and getting them removed from your records. The FTC has a good sample letter you can use to open communication with these companies. This can be the most time-consuming and difficult part of the process; a police report can come in handy here, as can the procedures credit agencies have for disputing aspects of your credit report.

Identity thieves can be persistent, and you may find yourself in a frustrating game of whack-a-mole for months or years as they open new accounts in your name. We hope the resources here will help you get through the process as painlessly as possible, and wish you luck.

Copyright © 2020 IDG Communications, Inc.

The 10 most powerful cybersecurity companies