With consistent survey estimates of 8 to 12 million identity theft victims annually, there is no question that criminals have found consumer identity theft to be easy, low-risk, and very lucrative. In fact, the combination of low risk and large profit is so attractive to criminals that the U.S. Department of Justice has reported that identity theft has become the #1 for profit crime in the United States.

Identity crimes have evolved far beyond a crime of opportunity by petty thieves and drug users - it is now a preferred criminal activity that is big business and growing every year. Criminals ranging from street gangs to drug cartel to organized crime syndicates have actively embraced identity theft and cyber-crime as key money making enterprises with low risk.  In 2008 alone, street gangs reportedly contributed to a 31% increase in identity theft complaints in the state of California.¹

Criminals now have their sights set on businesses of all sizes

Identity theft is no longer only a consumer crime. Thieves have learned that businesses also have identities that can be stolen, and unsuspecting businesses can be very easy targets. To criminals, business identity theft means the potential for even more easy money and goods.

2 Critical Concepts:
What business identity theft is...  and what it is not

In terms of potential losses and damage to victims, business identity theft could easily be considered consumer identity theft's bigger, meaner, and more evil twin. However, fueled by the focus on consumer identity theft issues and compounded by a lack of understanding, the crime of business ID theft is frequently mischaracterized in many articles, media reports, business publications and other sources.

These continued mischaracterizations are dangerous, because they cause businesses and business owners to remain unaware of the true nature and risks of business identity crimes, and unprepared to take appropriate actions to protect themselves.

Critical Concept #1:  Business identity theft is not an information security breach, or an incident involving the loss or theft of confidential consumer information that a business may possess. Rather, like its consumer crime counterpart, business identity theft involves the actual impersonation of the business itself.  It can occur through the theft or misuse of key business identifiers and credentials, manipulation or falsification of business filings and records, and other related criminal activities intended to derive illicit gain to the detriment of the victimized business; and, to defraud creditors and suppliers, financial institutions, the business' owners and officers, unsuspecting consumers, and even the government. (See Business ID Theft Scams for more information)

Critical Concept #2:  The term corporate identity theft is misleading, as corporations are not the only business entities that are victimized by this crime. Any type of business or organization of any size or legal structure, including sole-proprietorships, partnerships, LLCs, trusts, non-profits, municipalities and county governments, school districts, and corporations - are all targets of business identity theft. (See News for many specific examples)

8 key reasons why businesses are being targeted by identity thieves

To understand why identity thieves are now targeting businesses, you need to compare the potential illegal proceeds of consumer identity theft to those of business identity theft - from a criminal's perspective:

✔  Larger bank account balances
Businesses routinely maintain larger bank account balances than consumers. An average small business may have $5,000 to $10,000 or more in its account at any given time, and a larger business may have tens or even hundreds of thousands of dollars. If you compare that to an average consumer who might have $500 to $1500, it doesn't take long to realize which accounts are the most tempting and lucrative targets for identity thieves. (See Cyber Crime for more information)

✔  Easy credit and account opening
Most businesses are eager to open a new account for a business. The reason is obvious - businesses spend more. In some cases, opening a new business account can be even easier than opening a new consumer account.  A consumer may have to be approved through a credit check for a new account with a $500 credit limit; whereas, a $1000 credit limit or more may be automatically granted simply for opening a new business account.

✔  Invoicing and payment terms
Because of their larger purchases, businesses frequently enjoy flexible payment terms that allow them to receive the goods or services they ordered and then pay within a specified period of time, commonly within 10 to 30 days after receipt of the invoice. This allows business identity thieves a clear window of opportunity to order and receive products or services in a business' name; and, as an added benefit, they can also avoid the risk of early detection that comes with using a stolen check or credit card for payment at the time the order is placed.

✔  Higher credit limits
Once again, it is expected that a business will spend more than a consumer. An average individual consumer may have a credit limit of $1,000 to $5,000, while an established business may have credit lines of $25,000 to $100,000 or more. Additionally, many businesses provide employee cards linked to the business' main credit account. Without an expense approval process, transaction limits, and careful review and reconciliation of all transactions, any of these cards can be compromised and fraudulent transactions may easily occur without timely detection.

✔  Larger purchases can be made with less scrutiny
Automated fraud screening systems are designed to detect unusual spending patterns, purchases, and even purchase locations. However, these systems also tend to concentrate on consumer payment card transactions and can be circumvented. Even in the case of manual or telephone orders, an order for 50 laptop computers, 100 smart phones, or $30,000 in office equipment by a consumer would raise red flags, but may not be unusual for an established business. Many commissioned sales persons would be eager to take such an order.

✔  Minimal security
Small businesses are especially vulnerable, because they typically do not have the layers of security and oversight, an alert accounting or I.T. department, or the sophisticated security technology that larger businesses may have. Add to this the fact that most businesses remain completely oblivious to the concept and risks of business identity theft. For many small businesses, just keeping up with the day to day demands of being in business is difficult enough, and important tasks such as account review and reconciliation, or computer security updates, may be left undone. This leaves ample openings for thieves to strike.

✔  Easily available information
Business identity thieves don't even need to steal much of the information they need to impersonate a business - more often than not it is publicly available for free, or legally purchased. In most states, businesses are required by law to dutifully post documents that contain many of their key identifiers - sales tax number, business license number, etc.

Next, unlike the protections provided for consumer credit reports, if a business has a credit report, virtually anyone can order a copy of it because business credit reports are intended to foster and promote commerce. Unfortunately, business credit reports contain a wealth of information that can also be misused by crafty business identity thieves.

Business EIN used for tax fraud

Click to play

A business' EIN (federal employer identification number) is, in some respects, a business form of Social Security number because of the ways it is commonly used to uniquely identify the business, though an EIN is not provided the same protections as an SSN. Many business identity theft schemes occur, and many fraudulent accounts can be opened, with just a business' name, address, and EIN. (See Stolen Business EINs used in Tax Fraud Schemes for more information)

Add to this the fact that state business registration information is public record. The business' legal structure, owner(s), officers, directors, registered agent, registered address, and in some cases copies of documents that contain the owners' or officers' signatures, are all readily available by law to anyone who is inclined to look.

And finally, there is the Internet black market where the stolen confidential information of millions of consumers and businesses is routinely purchased, sold, and traded every day. Fueled by widescale data breaches caused by hacking, theft, loss, or human error, there is a surplus of consumer and business credit card numbers, account numbers, and other sensitive information to be had.

✔  Difficult to investigate and prosecute
Sophisticated identity thieves are able to hide behind technology, cover their tracks, and have global reach. Because identity crimes routinely cross state and even national jurisdictional boundaries, they are already difficult to investigate and prosecute. In the case of business identity theft, there can be yet another challenge even if the thieves are local - if state identity theft criminal statutes only recognize identity crimes against individuals, how do investigators and prosecutors deal with a case in which a business' identity was stolen?

"We were having businesses being taken over and their names being used and I could not prosecute them, at least under ID theft statutes," says California Deputy Attorney General Robert Morgester.²

In 2006, California became the first U.S. state to finally amend its state identity theft laws to specifically include identity crimes targeting business entities. However, in most states a business is still not considered a "person" or "individual" (and therefore not a "victim" of an identity crime) under identity theft criminal statutes that were written to protect the identities and identifiers of individual consumers.

Large or complex business identity theft schemes, those that cross multiple state lines, or that originate outside of the United States, may need to be investigated and prosecuted at the federal level; but, there is a challenge with this as well. Consider the two primary federal laws under which identity crimes are prosecuted at the federal level: the Identity Theft and Assumption Deterrence Act and the Identity Theft Penalty Enhancement Act. The language of these laws makes it a crime to transfer, possess, or use another person's means of identification without lawful authority, with "means of identification" defined as something that can be used to identify a specific individual. The statutory language does not include business entities, and therefore further complicates federal prosecution of business identity theft cases. (It is also important to note that the identity theft laws of most states were modeled after these two federal laws.) 

"This is a real gap. The current federal law looks at ID theft as a crime against individuals," stated Betsy Broder, former Assistant Director of the FTC's Division of Privacy and Identity Protection.

Until state and federal legislation catches up with the crime, business identity theft is likely to remain an attractive crime with low risk; and, for unsuspecting business owners and officers, it remains a serious risk that can have devastating business and personal consequences.

A scheme to target businesses of all sizes...

Although business identity theft schemes frequently target small to medium size-businesses for the purpose of quick financial gains, this certainly does not mean that large businesses can't or won't be targeted given any window of opportunity.

Determined criminals can employ more sophisticated tactics designed to impersonate and defraud even a large, well recognized company, and the lengths to which they are willing and able to go can be shocking. To illustrate, consider the following case involving well-known computer and electronics manufacturer, NEC Japan.

In May of 2006, a private investigation conducted by international risk management and investigations firm, Investigative Risk, uncovered a sophisticated ring of criminals that had established a complete NEC-branded company. By the time that the operation was finally shut down, this bogus company, operating in Hong Kong, China, and Taiwan, had more than 50 factories producing a complete line of counterfeit NEC products, including computer keyboards, computer peripherals, CDs, and DVDs. The company was even reportedly developing its own MP3 players and home entertainment systems. The persons operating the factories utilized counterfeit NEC identification, and several of the buildings brazenly displayed NEC signs. Products were shipped in NEC labeled boxes, and the company even went so far as to charge royalties to other companies to license the products that it produced. The counterfeit NEC products produced by this company were reportedly discovered being sold throughout China, Taiwan, Southeast Asia, the Middle East, North Africa and Europe. As some small measure of consolation, according to NEC, the counterfeit products were deemed to be "of generally good quality." Had they been of significantly inferior quality, the operation may have eroded consumer confidence in legitimate NEC products, and the NEC brand, causing further losses beyond significant lost revenues.³

If a large, high-profile, international manufacturing company such as NEC could be victimized in this manner, how easy would it be for a smaller, lesser-known company to become a victim of more common business identity theft schemes - and at what cost?

¹ Menn, Joseph. "Identity Theft is now Street Gang Territory," Los Angeles Times, August 12, 2008
² Tozzi, John. "Identity Theft: The Business Bust-Out," Bloomberg Businessweek, July 23, 2007
³ Lague, David. “Next Step for Counterfeiters: Faking the Whole Company.” The New York Times, May 1, 2006.

Article source: Barnett, Michael. The Consumer Identity Theft Protection Manual. 2010. Excerpted with permission.