✔ Larger bank account balances
Businesses routinely maintain larger bank account balances than consumers. An average small business may have $5,000 to $10,000 or more in its account at any given time, and a larger business may have tens or even hundreds of thousands of dollars. If you compare that to an average consumer who might have $500 to $1500, it doesn't take long to realize which accounts are the most tempting and lucrative targets for identity thieves. (See Cyber Crime for more information)
✔ Easy credit and account opening
Most businesses are eager to open a new account for a business. The reason is obvious - businesses spend more. In some cases, opening a new business account can be even easier than opening a new consumer account. A consumer may have to be approved through a credit check for a new account with a $500 credit limit; whereas, a $1000 credit limit or more may be automatically granted simply for opening a new business account.
✔ Invoicing and payment terms
Because of their larger purchases, businesses frequently enjoy flexible payment terms that allow them to receive the goods or services they ordered and then pay within a specified period of time, commonly within 10 to 30 days after receipt of the invoice. This allows business identity thieves a clear window of opportunity to order and receive products or services in a business' name; and, as an added benefit, they can also avoid the risk of early detection that comes with using a stolen check or credit card for payment at the time the order is placed.
✔ Higher credit limits
Once again, it is expected that a business will spend more than a consumer. An average individual consumer may have a credit limit of $1,000 to $5,000, while an established business may have credit lines of $25,000 to $100,000 or more. Additionally, many businesses provide employee cards linked to the business' main credit account. Without an expense approval process, transaction limits, and careful review and reconciliation of all transactions, any of these cards can be compromised and fraudulent transactions may easily occur without timely detection.
✔ Larger purchases can be made with less scrutiny
Automated fraud screening systems are designed to detect unusual spending patterns, purchases, and even purchase locations. However, these systems also tend to concentrate on consumer payment card transactions and can be circumvented. Even in the case of manual or telephone orders, an order for 50 laptop computers, 100 smart phones, or $30,000 in office equipment by a consumer would raise red flags, but may not be unusual for an established business. Many commissioned sales persons would be eager to take such an order.
✔ Minimal security
Small businesses are especially vulnerable, because they typically do not have the layers of security and oversight, an alert accounting or I.T. department, or the sophisticated security technology that larger businesses may have. Add to this the fact that most businesses remain completely oblivious to the concept and risks of business identity theft. For many small businesses, just keeping up with the day to day demands of being in business is difficult enough, and important tasks such as account review and reconciliation, or computer security updates, may be left undone. This leaves ample openings for thieves to strike.
✔ Easily available information
Business identity thieves don't even need to steal much of the information they need to impersonate a business - more often than not it is publicly available for free, or legally purchased. In most states, businesses are required by law to dutifully post documents that contain many of their key identifiers - sales tax number, business license number, etc.
Next, unlike the protections provided for consumer credit reports, if a business has a credit report, virtually anyone can order a copy of it because business credit reports are intended to foster and promote commerce. Unfortunately, business credit reports contain a wealth of information that can also be misused by crafty business identity thieves.
Business EIN used for tax fraud
Click to play
A business' EIN (federal employer identification number) is, in some respects, a business form of Social Security number because of the ways it is commonly used to uniquely identify the business, though an EIN is not provided the same protections as an SSN. Many business identity theft schemes occur, and many fraudulent accounts can be opened, with just a business' name, address, and EIN. (See Stolen Business EINs used in Tax Fraud Schemes for more information)
Add to this the fact that state business registration information is public record. The business' legal structure, owner(s), officers, directors, registered agent, registered address, and in some cases copies of documents that contain the owners' or officers' signatures, are all readily available by law to anyone who is inclined to look.
And finally, there is the Internet black market where the stolen confidential information of millions of consumers and businesses is routinely purchased, sold, and traded every day. Fueled by widescale data breaches caused by hacking, theft, loss, or human error, there is a surplus of consumer and business credit card numbers, account numbers, and other sensitive information to be had.
✔ Difficult to investigate and prosecute
Sophisticated identity thieves are able to hide behind technology, cover their tracks, and have global reach. Because identity crimes routinely cross state and even national jurisdictional boundaries, they are already difficult to investigate and prosecute. In the case of business identity theft, there can be yet another challenge even if the thieves are local - if state identity theft criminal statutes only recognize identity crimes against individuals, how do investigators and prosecutors deal with a case in which a business' identity was stolen?
"We were having businesses being taken over and their names being used and I could not prosecute them, at least under ID theft statutes," says California Deputy Attorney General Robert Morgester.2
In 2006, California became the first U.S. state to finally amend its state identity theft laws to specifically include identity crimes targeting business entities. However, in most states a business is still not considered a "person" or "individual" (and therefore not a "victim" of an identity crime) under identity theft criminal statutes that were written to protect the identities and identifiers of individual consumers.
Large or complex business identity theft schemes, those that cross multiple state lines, or that originate outside of the United States, may need to be investigated and prosecuted at the federal level; but, there is a challenge with this as well. Consider the two primary federal laws under which identity crimes are prosecuted at the federal level: the Identity Theft and Assumption Deterrence Act and the Identity Theft Penalty Enhancement Act. The language of these laws makes it a crime to transfer, possess, or use another person's means of identification without lawful authority, with "means of identification" defined as something that can be used to identify a specific individual. The statutory language does not include business entities, and therefore further complicates federal prosecution of business identity theft cases. (It is also important to note that the identity theft laws of most states were modeled after these two federal laws.)
"This is a real gap. The current federal law looks at ID theft as a crime against individuals," stated Betsy Broder, former Assistant Director of the FTC's Division of Privacy and Identity Protection.
Until state and federal legislation catches up with the crime, business identity theft is likely to remain an attractive crime with low risk; and, for unsuspecting business owners and officers, it remains a serious risk that can have devastating business and personal consequences.