Can Identity Theft Affect Your Business?
How to Prevent Business Identity Theft
Identity theft is becoming more and more common in the digital age, with around 7% of American adults affected each year. Amid the huge data breaches from the likes of Yahoo! and LinkedIn, a serious and growing issue is being swept under the rug–business identity theft. This underexposed crime is particularly concerning, because it tends to target small and medium-sized businesses more often, since they don’t have the same security mechanisms as their larger rivals.
What Is Business Identity Theft?
In its most simple sense, identity theft occurs when someone pretends to be someone else, usually for nefarious means. In the business context, it usually involves a thief accessing a business’s sensitive information, often through social engineering, and then using that to impersonate the business for financial gain. Thieves may steal credentials from unwitting employees or even falsify records to gain access.
Business identity theft can involve many different scams, such as criminals opening new accounts under the name of the business, draining funds from existing accounts, and even establishing lines of credit for fraudulent transactions.
Business identity theft can be tremendously destructive. It can ruin a business’s credit rating and make it much more difficult to access loans. Companies don’t just have to worry about the theft of their own assets, but also the theft of any personal data from customers. Data breaches can be damaging to a brand’s reputation and expensive to deal with.
Why Are Businesses Being Targeted?
Business identity theft is becoming popular with criminals because there are several characteristics that make it easier and more profitable than personal identity theft. These include:
Businesses Have Easily Available Information
They are often required by law to have information available to the public, such as their business license number and sales tax number. In addition, they normally have all of their contact information freely available so that customers can get in touch with them.
It Is Easy to Open Accounts and Access Credit
Suppliers are often keen to expand their operations, so they are likely to offer credit to new businesses. They also tend to allow flexible payment terms which make it easier for scammers to go unnoticed for longer.
Businesses Tend to Have Higher Account Balances than Individuals
This makes it more profitable than stealing an individual’s information. A business will also have a much higher credit limit, which makes them even more appealing to thieves. Because businesses tend to deal with larger sums of money than individuals, it is much easier to siphon off significant amounts without being detected.
How Business Identity is Stolen
Social Engineering: The Most Common Methods of Attack
So how do businesses get their identity stolen? It generally involves social engineering. This is a a collection of tricks that criminals use in order to steal valuable personal details. Social engineering relies on manipulation, either online or offline, in order to access secure information. Some common techniques include:
Phishing
By now, you’ve probably encountered hundreds of phishing emails and hopefully you’ve had the good sense to ignore them. Often, a phishing email will seem like it is from a legitimate business, such as your bank. Many phishing emails will then ask you to go to a fraudulent web page and then enter your personal details, such as your account information. These scams tend to use pressure to get people to divulge information that they often wouldn’t, usually by suggesting that it is an emergency or that something bad will happen if the victim does not comply.
To the untrained eye, it can be hard to tell these emails from the real thing, but in general, a bank will never ask for information in this way. A phishing email is generally spammed to a large group of people in the hope that some will fall for it. A similar scam, called spear phishing, involves a more personalized email that is sent to a smaller group of people in the hopes that a greater percentage will fall for the trap.
Pretexting
A scammer will invent a scenario that aims to get an individual or a business to reveal information. They often put in extensive research and then pretend to be a person of authority, such as a police officer, who potential victims will be more likely to disclose information to.
Baiting
This technique relies on human curiosity to allow the attacker to make their way into a system. A typical attack involves a criminal creating malware-infected USBs and leaving them around the premises of the target. The hope is that an employee will be curious and plug it into their work computer. Once it’s in, the attacker has access to the organization’s systems and will be able to steal information.
How Can You Prevent Business Identity Theft?
Secure Your Sensitive Information
This applies to both online and offline records. Keep all important documents in a safe place where they can only be accessed by those who need them. You should also shred any unneeded documentation so that thieves have a lower chance of finding personal details. It is important that you keep any sensitive data on your network encrypted both at rest and while in transit. Encryption will not keep the data from being captured, but it will make it useless if it does fall into an attacker’s hands.
Training
You can have Fort Knox protecting your customer data, but if one of your employees hands an attacker the keys, the entire thing is useless. Employee training and education remain the most important ways to keep your information safe. Your staff need to be aware of the various social engineering attacks mentioned above, and also how to identify them. If they aren’t sure, they need to talk to someone in IT to determine whether it is a scam or not.
Limiting Access
Set up your systems so that private information is only available to those who need it, when they need it. This applies both online and offline. If everyone in your organization has access to everything, one person’s slip-up could cause a catastrophic data breach. By limiting access, potential attacks are much easier to contain. You also need to make sure that you or your employees do not give out any sensitive information to unauthorized persons.
Monitor Your Credit and Review Your Business Accounts Regularly
This will help you to quickly identify any potential identity theft. The faster an incident is found and addressed, the less damage it can do to your business. There are several services that can monitor your information and notify you if they suspect your identity has been compromised.
Insurance
Although it isn’t exactly prevention, the right insurance can go a long way towards smoothing over any business identity theft issues. The reality is that business identity theft can destroy your company, whether through direct theft or by leaving your brand’s reputation in tatters. The fallout from serious identity theft can create huge bills and cash flow problems. Insurance can help to provide cash payouts at the most critical times and help to get past these problems.
What Do You Do If Your Business’s Identity Is Stolen?
The fastest and most effective recovery starts by having a plan in place beforehand. If your business does not have the specialized skills necessary to address identity theft, it may be best to engage a third party specialist who can handle affairs. If you want to keep your recovery in-house, you need to designate a top-level manager to handle the plan.
How you handle the recovery really depends on what kind of identity theft your business is dealing with. The reactions to your account being drained by a thief, or the breach of millions of customer records will be very different. If it involves the attacker assuming the identity of your business for fraud, you will need to immediately notify your banks, creditors, the authorities and other relevant parties. Those who have fraud insurance should also contact their insurer. If customer data has been compromised, you may have to notify the individuals, but the exact conditions vary from state to state. If the identity theft affects the public, you may also need to go into damage control mode and hire a PR agency.
Once the fraud has been contained, it is important to discern how the identity theft took place and analyze the lapses in your security. Once you have seen just how much havoc identity theft can wreak on a business, you will certainly want to take steps to minimize the chances of it ever happening again. Adequate prevention policies involving training and securing your sensitive information will save both you and your customers from unnecessary disasters.