Business Identity Theft Protection Guide

Protect your business from fraud and identity thieves

Business identity thieves and fraudsters are clever and determined, and can quickly take advantage of business owners that do not take basic precautions to protect their business.

The following are some of the proactive actions that you and your employees can take to help prevent your business identity information from being used by criminals to steal from you or commit fraud in your name.

Protect Your Business Bank Accounts from Fraud

Review your commercial / business banking agreements
Business / commercial bank accounts are covered by the Uniform Commercial Code (UCC). Under the UCC, businesses have shorter reporting timelines, less protections, and higher liability for fraud than with consumer banking accounts. Additionally, individual banks can shorten the fraud reporting timelines even further, or disclaim certain obligations, through amendments to their commercial banking agreements, so it is important to know your bank's policies as these can have a significant impact on your business' liability for fraudulent transactions.¹


Enact security and authentication controls to protect against fraudulent wire transfers and electronic transactions
Wire transfer and electronic payment fraud are serious threats to businesses. Through spyware and compromised banking credentials, criminals can initiate fraudulent payments and transfers out of the business' bank account. Because these transactions occur quickly, businesses often do not catch the fraud in time. Even finding and reporting the fraud within hours can frequently be too late to stop the transfer or recover the funds. Businesses hit by wire transfer fraud regularly suffer significant losses and may only recover some, if any, of the stolen funds.

If your business utilizes wire transfers, implement dual controls (or two-factor authentication) that require two party approval for outgoing wire transfers - both a wire transfer originator and a separate transfer authorizer. If an outside third party fraudulently initiates a wire transfer, the additional authorizer control can help prevent the transfer from being approved and completed. Some financial institutions also offer multi-factor authentication, which not only requires the approval of multiple persons in the organization, but also multiple methods of approval (email, fax, telephone, special tokens, etc.) before a transfer is approved.

If your business does not use wire transfers, consider inquiring with your bank if you can filter, limit, or block wire transfers altogether. If not, in addition to placing dual controls on wire transfers, you can also set the maximum wire transfer amount to the lowest possible dollar amount.

Monitor and reconcile your business accounts daily, and consider online banking
Frequent account review and immediate reporting of suspicious or fraudulent transactions can reduce your business' liability and potential fraud losses. Online banking allows you to quickly log in to your bank account and view your business account balance and transactions. Many banks also provide email and text alerts regarding your account activity, which can help alert you to suspicious transactions. Through online banking, you can also eliminate mailed paper statements which can further reduce the risk that your business banking information may be stolen or exposed.

Think "security" when you access your accounts online
Access your online banking and other financial accounts using one secure, dedicated computer that maintains regularly updated commercial anti-virus / anti-spyware / internet security software. Do not rely on free or limited versions of security software. The computer you use to access your accounts should not used by other persons or for non-business activities, such as email or web surfing. Use strong, complex passwords that could not be guessed by others, at least 8 characters long, and that include a combination of upper and lower case letters, special characters, and numbers. Change your passwords regularly, and do not use the same passwords for other websites or online accounts. Don't log in to your online accounts using public access points or Wi-Fi hotspots, which may not be secure or may be infected with spyware.


Be wary of phishing scams
Phishing email scams are designed to trick you, or your employees, into divulging confidential personal and business account information (i.e. SSN, EIN, account number, user name, password, etc.)  The IRS, government agencies, and legitimate financial institutions do not request you to provide or "verify" this information through email communications. If you or your employees receive such an email, notify your bank's fraud department. Do not respond to the email, and do not click on any links or open any attachments in the email as doing so can connect you to a fraudulent website and/or cause spyware to be installed on your computer.


If you pay by company check, consider enrolling in Positive Pay
Most U.S commercial banks offer Positive Pay services which can significantly reduce business check fraud losses. Using Positive Pay, when you write business checks, you provide your bank with a list of check numbers and dollar amounts. Your bank compares any checks received for payment against your list. If a check doesn't match, it is identified as an "exception" and is not paid.


Keep your business checking account supplies secure
Check stock, deposit slips, endorsement stamps , and all other checking account supplies and records should be kept in a secure location not accessible to unauthorized persons.

In addition to using Positive Pay services, you should also consider using high security checks, with multiple security features to further thwart common check fraud schemes against your business, such as fraudulent payroll checks, altered payee, or check washing schemes.  See the Additional Resources section for a useful guide to check fraud prevention

Protect Your Business Information and Identifiers

Business EIN used for tax fraud

Click to play

Treat and protect your business EIN as you would your own Social Security number
There are many circumstances under which the business EIN must be provided, such as business bank accounts, tax and wage reporting, W-9 forms, etc.  However, be aware that thieves can commit numerous business identity theft fraud schemes, tax fraud schemes, and fraudulently access or open many types of business accounts with only your business name, address, and EIN.  Just as you would protect your Social Security number, attempt to limit EIN disclosure to those circumstances under which disclosure is required. Be suspicious of unsolicited business credit applications, and verify the authenticity and return mailing address before you complete and return the form.


Keep all documents containing business information or business identifiers in a safe, secure location not accessible by unauthorized persons
Be certain to protect and secure hardcopy documents that contain business identifiers, account numbers, and other sensitive information at all times. This includes employee workspaces, public access areas, waste and shred receptacles, filing cabinets, and any other locations where these documents may be found.  Be cognizant of all persons that may be able to view or have access to these documents (authorized or not), including clients and customers, visitors, contractors, cleaning crew personnel, etc.


Securely shred old or unnecessary documents that contain your business information or business identifiers
Shred any old or unnecessary documents containing business license numbers, business registrations, EIN / TIN, account numbers, etc. using a cross-cut, confetti cut, or diamond cut shredder, or utilize the services of a secure document destruction company. Any documents waiting to be shredded should be placed in a secure locking receptacle or locked storage room not accessible to unauthorized persons,

Protect and Monitor Your State Business Registration Information

Enroll in Email Alerts
Many Secretaries of State are beginning to offer free email alert services that can notify you when your business registration information, (name, address, registered agent, and business owner and officer information) has been changed or updated. Enrolling in such a service can provide early warning of potential fraud. Use the State Resources page to find more information about the availability of these services, as well as additional resources, in your state or territory.


Regularly review your business registration information online  (for all active and closed businesses)
If your Secretary of State or Corporations Division does not yet offer email alerts, you can still go to their website and use the public "Business Entity Search" to enter your business name and review the information on file for your business. You should also periodically check any past businesses that you may have closed, to ensure that they have not been fraudulently reinstated.  Use the State Resources page to find information for your state or territory.


Be certain to file your annual reports and renewals on time
In addition to the risk of administrative dissolution of your company for failure to file, business identity thieves will often target companies that are classified as inactive, suspended, in default, etc. The thieves quite logically assume that, if a business doesn't keep up with its basic quarterly or annual business filings, the owners probably won't realize the information has been changed until it is far too late. Likewise, the apparent lack of attention to detail may mean that other forms of fraud may go unnoticed as well.

Protect and Monitor Your Business Credit Card, Supplier and Trade Accounts

Maintain an inventory of accounts and key contact information
Create a record of your business accounts, including creditor / financial institution, account number(s), card number(s) (including all employee cards), and key contact information for billing and fraud departments. Keep this list in a safe, secure location. This can minimize the time required to make notifications in the event that fraud is discovered.


Carefully review and reconcile account statements as soon as they are received
Be alert for unusual or suspicious purchases or transactions, and promptly contact the creditor if you discover any unrecognized or fraudulent activity, no matter how small. Be aware that a common criminal tactic is to make small purchases on a compromised card, typically $5 to $10, and wait to see if the fraudulent transaction is noticed before making larger purchases.


Ask trade and credit references to notify you if they are contacted
If your business provides or maintains a list of trade or credit references, request each reference to notify you if they are contacted by a third party. Business identity thieves often leverage a business' trade and credit references to impersonate a business or to submit fraudulent account applications. They may also contact your business' suppliers, posing as an employee, in order to request detailed account and payment information that they can then use to submit fraudulent orders or commit further fraud with other businesses.

Protect and Regularly Review Your Business Credit File

Review your business credit reports
Though Dun & Bradstreet may be the most recognized source of business verification and business credit reporting, the 3 national credit bureaus (Equifax, Experian, and TransUnion) also provide business credit services. You can obtain copies of your business credit reports from each of these organizations and review them for suspicious activity and to ensure the information is accurate. These organizations also offer fee-based services to monitor your business credit file and alert you to changes.

Keep your business and personal finances separate
Avoid using your personal credit cards, accounts, and lines of credit for business and instead use business cards for business related expenses and transactions. In addition to obvious issues of sound business separation, accounting, and proper tax reporting, most financial institutions and major card issuers specifically exclude business related transactions conducted with personal cards from their "zero fraud liability" programs. If a business account is compromised, any personal payment methods (including card or account numbers) associated with that account may also be compromised.


Consider placing a credit security freeze on your personal credit file
In most small businesses, the owner(s) are required to provide a personal guarantee for business accounts, and may be subject to a credit check. If you are not actively applying or planning to apply for new credit, you can place a security freeze on your personal credit to prevent businesses with whom you do not already have an existing relationship from accessing your credit file. This can help to reduce opportunities for thieves to fraudulently list you as a guarantor or open new credit accounts in your business' name.

Protect Your Business Computers and Networks

Restrict the use of your business computers to only business activities
Activities such as casual Internet surfing, use of social networks, online gaming, downloading programs, and file sharing expose your business computers to viruses, spyware, and other security risks that can jeopardize your business operations, your accounts, and the confidential information of your business, customers, and employees.


Install and use regularly updated anti-virus / anti-spyware / Internet security software
Effective anti-virus, anti-spyware, and Internet security software programs are essential. Don't rely on free software to protect your business. Be certain to utilize a program that actively scans and is frequently updated to keep up with new threats.


Keep security patches and updates up-to-date
It is critically important to regularly check for and install any security updates for your computer’s operating system and internet browser program to ensure that you have the latest versions designed to protect against known software vulnerabilities. Most newer operating systems permit the user to set an automatic update schedule with a specified frequency. You should set your system to check for and install important security updates no less than weekly.


Install and utilize a firewall on your business computers or network
A firewall is a software program or hardware device that monitors and controls external connections to your computer and/or network. A firewall helps to prevent unauthorized or unwanted external connections, and it is your first line of defense against intrusion attempts and malicious code attacks. Be certain to change the default administrative password.


Secure your business' wireless network
If your business uses a wireless network and it is not secured (encrypted), others can gain access to your network. Average Wi-Fi signals can extend for hundreds of feet beyond the perimeter of the building. Off the shelf wireless network devices typically do not come with their security features active, so review the product documentation to learn how to set the security features for your device, or call the manufacturer if you need assistance. WPA2 is currently the strongest wireless network encryption standard and is available on most newer wireless network devices. Be certain to change the default administrative password on the wireless router, and disable broadcasting of your SSID (Service Set Identifier).  See the Additional Resources page for a helpful video about wireless security.

Know the Risks and Train Your Employees

What you and your employees don't know can hurt your business
Criminals take advantage of unsuspecting businesses. Knowing how thieves work, and the tactics they use, can help you avoid becoming their next victim. Be certain to review the Business Identity Theft Scams section so you know what to look for.


Train your employees (and yourself)
Protecting your business and the sensitive information of your business, your customers, and employees is the responsibility of everyone in your organization. Numerous state and federal laws also mandate annual employee information security and privacy training for compliance. Employee training is not merely a compliance requirement, it also provides significant benefits for your organization. Properly trained employees become your first line of defense because they understand the risks, know how to protect information, and can recognize and stop fraud and information security risks before they impact your business.

Protect Your Business From Fraudulent Orders - "Trust, but Verify"

Be alert for large or unusual orders from unknown customers or companies
While a large, unexpected order can be a welcome surprise, you should be certain to review the order and customer information provided before providing products or services to avoid unwelcome fraud losses. Unusual orders or customer information can be a sign of attempted fraud, and taking a few moments to review and confirm the validity of the order can save your business from loss of goods, services, chargeback fees, and other potential losses.

• - Is the order size or quantity unusual?
• - Is the information provided a potential cause for concern? (such as an overseas shipping address, a P.O. Box, or a maildrop)
• - Is the billing or shipping name and information different than the actual customer information?
• - Is overnight or expedited delivery requested for a large order with an apparent lack of concern for high shipping costs?
• - Were there repeated failed transactions?

For new business orders with payments terms or delivery / shipment with invoicing, check the business customer's credit and references prior to providing your products or services. For larger orders that are not taken in person (via website, phone, fax, etc.), consider contacting the customer, if possible, to confirm the order is legitimate. Stopping a large fraudulent order is well worth a few moments of time taken to verify.


Utilize fraud prevention services for online order processing
Most payment gateway providers offer fraud prevention services, such as zip code / address or card code verification, designed to help detect and minimize potentially fraudulent orders placed with stolen credit card information. This is especially important for online "Card Not Present" transactions where merchant liability for fraudulent transactions is higher. Utilizing these services can save your business from loss of goods, services, chargeback fees, and other potential losses. Be aware, however, that these services are not 100% foolproof and determined thieves can and do find ways to circumvent these systems.


Be alert for and respond quickly to customer notifications of fraudulent orders
If your business receives a notification of a fraudulent order or use of a stolen credit card, or if you suspect that an order made with a payment card may be fraudulent, immediately follow the notification procedures outlined by your payment processor. Your processor will give you instructions, and will notify the issuing financial institution, which will in turn follow up with the legitimate cardholder.

Protect Your Business' Online and Public Presence

Export and delete all information from web applications associated with expiring domain names
If your business owns a domain name that is expiring and is not going to be renewed, and you have used that domain for emails, calendaring, or other online applications such as Google Apps, be certain to delete all information in these apps prior to allowing the domain to expire. Known security vulnerabilities can allow anyone who later purchases the domain to access the applications associated with the domain, such as email accounts, passwords, other online account credentials, contacts, social networking accounts, and calendars.


Use Google Alerts or a similar service to monitor the Internet
Because thieves can easily impersonate your business in other states or on the Internet, a very simple and proactive step you can take is to use a free Google feature known as Google Alerts. Rather than taking time away from your business to actively conduct an Internet search, Google Alerts allow you to quickly set and receive email alerts of search results and news stories that match terms you specify, such as your business name.

You can enter your search query, create, and manage the details of your alerts at: www.Google.com/alerts


Whois Database and domain privacy services
Thieves, scammers, and spammers frequently utilize the public Whois database, which provides information regarding the registered owner of an Internet domain name (including owner name, key contacts, address, email, and telephone number) that can be used in a variety of scams and also for spam email. If your business owns one or more Internet domains and/or maintains a website, you might consider opting for a domain registration privacy service which replaces your business information in the Whois database with that of the domain privacy service (proxy information). Your business retains full ownership and control of the domain, but your information is better protected from scammers, spammers, and prying eyes.


Be alert for impostors on the web and in the phone book
Common tactics to impersonate a business in order to steal customers, or intentionally defraud a business' customers, range from hi-tech to low-tech. Cyber-criminals can lure in your business prospects and existing customers through phishing email scams, or through the use of phony websites intended to deceive your clients into believing that they are dealing with your business. Some business imposters establish a page in your business' name on popular social networking sites, such as Facebook or LinkedIn. These pages can include your business' logos, images, and information, but provide alternate contact information. Likewise, bogus yellow page listings with deceptively similar business names in local phone books are a low-tech, low-cost tactic that can easily confuse clients and prospects, who may inadvertently call the impostor company. Such tactics can not only cost your business lost revenues, but can also dilute and damage your company's brand and reputation, and be used to defraud your customers in a manner that causes your business to appear to be the culprit.

Be Alert for Suspicious Activity

Remain vigilant and be alert for suspicious or unusual activity
Mis-addressed business mail, missing or late account statements, unusual inquiries, or telephone calls and correspondence regarding unknown accounts are all potential indicators that something may be wrong.

Be alert for unusual or suspicious activity in and around your building. Do you notice a sudden large volume of deliveries to the new tenants? Do the items being delivered seem unusual? Do people or activities seem out of place?

Remember, thieves use haste, carelessness, and lack of attention to their advantage. The longer you wait to follow-up, the more damage they can do.

¹ Uniform Commercial Code Article 3 (Negotiable Instruments) , Article 4 (Bank Deposit), and Article 4A (Funds Transfer)

©Copyright. All rights reserved.