November 29, 2018

 

In October 2017, the NCSS was selected by the Identity Theft Resource Center (ITRC), under the auspices of the Department of Justice, to lead a national coalition on business identity theft.

 

Through the grant provided by ITRC, the NCSS completed a study of the crime and recently published the findings in “Business Identity Theft in the U.S.” The report is available on our website. This fact sheet defines business identity theft and the main types of this insidious crime.

 

Business Identity Theft is defined as:

 

“identity theft committed with the intent to defraud or hurt a business by creating, using or attempting to use a business’s identifying information without authority”

 

The types of business identity theft are:

 

  • Financial Fraud – obtaining new lines of credit, loans or credit cards in the business’s name; and/or filing fraudulent UCCs,
  • Tax Fraud – filing fraudulent returns using tax subsidies and/or obtaining refunds either through the federal and/or state governments,
  • Website Defacement – manipulating a business’s identity (website) on the web,
  • Trademark Ransom – registering the business name or logo as an official trademark and demanding a ransom for release of the trademarked business name or logo.

 

Information about your business is publicly available at the state registry office and with Dun & Bradstreet. These open records are available to facilitate trade and financial transactions. However, thieves utilize these open records to find businesses with good credit to steal. By accessing online state records, they change information about your business – such as registered agent, owners, address, and revenue. This new business information is then shared with the credit reporting agencies. Once an altered identity is created, the criminal uses this information to make online applications for credit cards and lines of credit. A business owner only knows this has happened when someone calls due to nonpayment.

 

Start by protecting your business identity through establishing a user name and password at the state registry and signing up for email alerts so you may be notified in the event a record has been changed.

 

Other measures you can take:

1) officially record your business name and logo as a trademark,

2) monitor your website for malicious code that could redirect your customers to nefarious websites that look like your own, and

3) monitor your credit regularly.

 

© 2018 National Cybersecurity Society, All Rights Reserved

http://www.nationalcybersecuritysociety.org/

 


 

About The National Cybersecurity Society

 

The National Cybersecurity Society is a non-profit organization focused on providing cybersecurity education, awareness and advocacy to small businesses.  The NCSS provides cybersecurity education tailored to the needs of the small business owner; helps small businesses assess their cybersecurity risk; distributes threat information to business owners so that they will be more knowledgeable about the threats facing their business; and provides advice on the type of services needed to stay safe online.


 

Tips to Protect Business Identity

Business identity theft is more complex than individual identity theft.

The challenge businesses face is that the majority of the elements that comprise a business identity are publicly available.

 

Business Information. Data used to manage a business’s identity contains public, non-sensitive data. Elements of business identity data are: fictitious name, or “doing business name”, DBA, owner’s name, legal entity type, address, county, state, registered agent, date of formation, subsidies, and website address (url). Protecting this data involves knowing where it is stored and learning how to control access to it. Criminals easily access these data repositories and change the identifying information to support their heist.

 

State Registry Office. First, it is important to manage the data held with the state registry office(s). Know which states you are registered in to do business. Ensure that access to the data about your business is locked down with a user name and a strong password. Change your password every 3 months. Ensure your password is at least 16 characters long, or use a password manager. Additionally, some states offer the ability to sign up for automated alerts – a great way to be notified if a change has been made. If the state offers two-factor authentication, sign up for this protection as well.

 

Business Credit File. The Credit Reporting Agencies (CRAs) recommend that businesses be proactive in monitoring and updating their business credit file and notify them of any potential errors. Each of the three CRAs – Dun & Bradstreet (D&B), Equifax and Experian – collects different data about your business. The credit rating scales are also different. See our report for a full listing of the data collected. The key to managing your credit is to monitor your D&B business file. This file is accessible and free. As a business owner, you can go in and correct any erroneous data, as well as track whether someone might have gone in and changed it. Any changes to the D&B file are shared with the other CRAs.

 

If you believe your company’s data in the business file has been changed by an unauthorized user, contact Dun and Bradstreet at 1-866-895-7262 or highriskandfraudinsight@dnb.com. The other CRAs require you to register to have your credit file monitored, whereas D&B allows you to do that for free.

 

During our review, D&B informed us they will provide businesses recovery support for an identity theft – offering research support, flagging the account as “stop distribution” until the file is corrected, and assisting in resolving any inaccurate data.

 

CRA contact information for identity theft:

Dun & Bradstreet: 1-866-895-7262

Experian: 1-888-397-3742

Equifax: 1-800-685-5000, option 4.

 

Website. Managing your identity on the web is an important aspect of your business, especially if your business depends on e-commerce through your website. Recommendations for a safe and secure website are:

 

  • Conduct regular backups for your site; at least every day;
  • Ensure your website is routinely scanned for malware and/or viruses;
  • Ensure your site is protected by a web application firewall;
  • Ensure your site transactions are secure and your website is listed as https.

 

Trademark. Officially register your firm’s name and logo as a trademark. Many state offices provide this service at a nominal cost.

 

EIN/SSN. Protect your business’s EIN (Employer Identification Number) and the owner’s SSN from disclosure.

 

Training. Train your employees not to release information about your business to callers; or post business information on social media or the web. Have periodic phishing training for your employees.

 

Partners. Verify the financial/solvency position of your potential and existing business partners before you share critical business data.  D&B provides this service for a nominal fee. Require your partners to sign a partnership agreement that requires them to protect your critical business data.

 

 


Business Identity Theft Scams

 

In order to protect your business from identity theft, it is useful to understand how criminals use corporate identities to steal or compromise your business. Small businesses work years to build a strong credit rating in order to facilitate transactions between partners and to manage cash flow. Your credit rating is probably your most coveted asset.

 

Business Identity Theft is defined as:

 

“identity theft committed with the intent to defraud or hurt a business by creating, using or attempting to use a business’s identifying information without authority.”

 

Notable scams include:

 

  • In Tennessee, criminals created phony websites that impersonated the identity of legitimate car dealerships and advertised low prices in order to scam people into making deposits for vehicles that didn’t exist (1);

 

  • In Nevada, the identity of a business was stolen after a criminal changed the names of the business’s officers filed with the Secretary of State’s office, then sold the business to a third party (1);

 

  • In California, criminals rented office space in the same building as a legitimate business, ordered corporate credit cards and retail merchandise in the business’s name and then disappeared by the time the business realized its identity had been stolen (1);

 

  • Home Depot and Lowes - millions of dollars in merchandise were stolen by criminals posing as an illegitimate business;

 

  • In Canada, an identity thief falsified company documents to make himself the CEO, then sold the company-owned building;

 

  • Thieves mirrored the physical address of a business to obtain credit, loans, cash and other goods or services in the business’s name;

 

  • Criminals targeted an inactive business and stole the business’s identity to obtain goods and services. Then, the family of the deceased owner received notices to pay the debts created through the crime;

 

  • Criminals have stolen EINs to create false W-2s or 1099s to fraudulently file for benefits such as fuel and farm tax credits.

 

Dun and Bradstreet offers free support to a business that believes its identity has been stolen. To request support and report a theft, businesses can call Dun & Bradstreet at 1-866-895-7262 or email highriskandfraudinsight@dnb.com.

 

The three credit reporting agencies – Dun & Bradstreet, Experian and Equifax – will provide a free copy of a business’s credit rating if the company has been denied credit through fraudulent activity or believes it has been a victim of identity theft. Business owners can reach:

Equifax at 1-800-685-5000, option 4, cust.serv@equifax.com;

Experian at 1-888-397-3742, businessrecordsvictimassistance@experian.com.

 

1 | National Association of Secretaries of State, 2012, Developing State Solutions to Business Identity Theft.

 


 

Tips to help protect your company during tax season

 

TIP 1: BE PREPARED FOR PHISHING SCAMS

Hackers and cyber criminals know you’ll be looking for ways to quickly prepare for tax season. Don't be fooled by emails that try to entice you to click on a link or download malicious content. If an offer looks promising, research the company and their competitors, and verify their site is legitimate. It doesn't hurt to call them before you engage online.

 

TIP 2: ENCRYPT SENSITIVE DOCUMENTS

Encrypt sensitive documents before sending them to your accountant. If the accountant doesn’t accept encrypted documents, then don’t send them online. Make copies and deliver them in person. Use only https websites for transmitting sensitive information.

 

TIP 3: TECHNOLOGY CHECKLIST

Since you will be reviewing expenses for the past year, now is a great time to create a list of your technology that should be protected, including copiers, printers, software services, websites, social networks and point of sale devices. Include detailed information about the service, age and security parameters.

 

TIP 4: DATA BACKUP

When is the last time you backed up your critical business data? Review your critical data and take steps to back it up with an encrypted service provider.

 

TIP 5: CYBER DAY

Has the CEO taken the time to talk to employees about cybersecurity? Schedule a monthly meeting to have the business owner talk about the importance of protecting the business from scams. Many scams target employees, so have them learn how to protect your company.

 

TIP 6: IDENTITY THEFT

In order to protect your identity and prevent fraudulent returns, learn the signs. Identity thieves often use letters to obtain sensitive information to conduct further attacks. For instance, you or your accountant might attempt to file your business tax return, but it is rejected, or you may receive a tax transcript by mail that you didn’t request. The IRS has several good references to protect against business identity theft. If you believe you've been a victim of tax fraud, contact the IRS via mail – information is available on their website - http://bit.ly/2ejECXg.

 

TIP 7: SHRED

Shred confidential business data. Make sure your employees also learn to shred sensitive information rather than simply throwing it away. 

 

TIP 8: BUDGET FOR SECURITY

As you are reviewing your expenses from last year, assess whether your company is adequately protected. An industry best practice is to spend between 5-8% of your IT budget on IT security. The NCSS assists our members in obtaining quality cybersecurity products and services in order to keep your costs low.

 

TIP 9: ASSESS

Assess the risks to tax information to include your operations, physical environment, computer systems and employees. Make a list of all locations where you keep sensitive business data and implement controls to protect access.

 

 

DID YOU KNOW?

  • In 2015, the IRS identified 233 business tax returns that were filed using known or suspicious EINs of which 97 claimed refunds exceeding $2.5 million.
  • The IRS has found that identity thieves apply for and/or obtain an EIN using the name and social security number of another individual as the responsible party.
  • Are you protecting your business identity from tax fraud?
  • Learn more about business identity theft at our resource page.

 


 

Still have questions, need help?

Contact us at our “Ask-an-Expert” service, web@thencss.org, or visit us at the link below.

http://www.nationalcybersecuritysociety.org/

 


 

JOIN THE NCSS

Become a member of The National Cybersecurity Society today and learn more about how to protect your business from a cyber attack.

 

 


Victim Resources

Do you think your business has been the victim of identity theft? Not sure where to start or what to do? This fact sheet provides some guidance and a list of resources. It is important to note that the procedures for addressing business identity theft are different than consumer identity theft. The FTC only responds to consumer complaints and the credit reporting agencies won’t place a “freeze” on your account like they would for consumers. So, the traditional advice on how to respond to identity theft doesn’t apply to businesses.

 

As with any cyber incident, the first task is to figure out what happened. Interview staff, investigate and take notes – the goal is to document what occurred, how you found out, and collect evidence. Identify what accounts were affected, who has access to those accounts, when was the last time the account was accessed and/or when a transaction occurred. Check if other accounts have been affected. These are all examples of good data to collect. Change passwords to these accounts immediately.

 

Financial Fraud.

If your credit card or line of credit was stolen, the next step is to notify the financial institution and put a freeze on the account. Once this has been done, you may need to obtain funds from another creditor in order to provide the operating funds until the account freeze is lifted. The analysis you conducted initially will be helpful when you contact the financial institution. As a business owner, many banks will require you to prove you or your employees were not the cause of the fraudulent charge. Your financial institution will guide you through the process, albeit a long one.

 

Credit Reporting Agencies.

The next step is to contact Dun and Bradstreet’s fraud department at 1-866-895-7262 or highriskandfraudinsight@dnb.com and report the theft. D&B will investigate the issue, confirm the information in question and correct any inaccuracies in your account. In many cases a “stop distribution” order will be placed on the account until the matter is resolved. The stop distribution or account freeze is shared with the other CRAs (Experian and Equifax, not TransUnion) who will flag your business credit file. This may affect your ability to obtain any additional credit. (TransUnion only manages credit files for consumers, not businesses.)

 

Tax Fraud.

If you have been notified by the IRS that your business has been involved in a fraudulent tax return activity, they will guide you on the information they may need to conduct the investigation. They will only notify you by mail, not phone. Don’t fall victim to IRS phone scams! If, however, you notice that someone has used your business to submit a fraudulent tax return, notify the IRS at 1-800-829-4933.

 

Law Enforcement.

Local law enforcement is required to respond to the incident. Call the non-emergency number to report the crime – reporting the crime will be helpful for insurance purposes. Ensure you obtain a copy of the incident report. Unfortunately, the crime may never be solved.

 

Internet Crime Complaint Center (IC3).

Businesses can file a complaint at https://www.ic3.gov/default.aspx. IC3 doesn't investigate crimes, but collects valuable statistics on Internet crime. In particular, IC3 is interested in crimes related to website/online extortion, identity theft, intellectual property rights, hacking, and theft of trade secrets.

 

State Business Registries.

Many states offer resources for business identity theft. Visit your state’s website for information or resources for victims.

 

Identity Theft Resource Center (ITRC).

The ITRC offers many free resources for victims of identity theft. While the business might have been the target of this crime, owners and employees often feel victimized as well. Visit their site at: http://www.idtheftcenter.org/

 
