Identity thieves - and the fraud-based havoc they cause in the US – were responsible for losses exceeding $16 billion in 2016. In fact, according to a study by Javelin Strategy and Research, more than 15 million Americans fell victim to identity theft last year. And that’s a record high.
Identity crimes not only have the potential to drain a victim’s bank account and damage their credit, they can impact your business dramatically.
Thanks partly to the wake of unpaid bills left behind, identity thieves cost global businesses something in the neighborhood of $221 billion every year. But there’s far more at stake than just dollars and cents. Identity fraud causes irreversible harm to customer relations - and can put you out of business for good.
Business Identity Theft – Understanding the Basics
Identity theft poses a threat to your organization in two different ways. You could inadvertently do business with a fraudulent client who’s stolen someone else’s identity - or your business could end up having its own identity pilfered.
In the first instance, you face being stuck with financial losses when goods or service purchases go unpaid. In the second, you risk financial responsibility for fraudulent loans and business equipment purchased in your company’s name.
With the number of small businesses in the US closing in on the 30-million mark – and our ever-growing reliance on digital dealings - business identity theft has become increasingly attractive to those of the criminal persuasion. In fact, stealing business identities is disturbingly simple when compared with consumer identity theft.
Unlike most individuals, newer companies have little to no credit history. With so little background to reference, thieves have been known to get credit approval from lenders and suppliers with little more than some letterhead and a stolen Employer Identification Number (EIN). It’s vital that you protect sensitive business and financial information from falling into the wrong hands.
Business identifiers like account numbers, tax numbers, and your EIN should be safeguarded with the same zeal you apply to your personal credit cards and Social Security number. Even your business checks and other banking supplies should be locked away from unauthorized access.
Both your business and your customer data need to be treated as highly confidential. That means verifying the identity and intent of anyone asking for it, and shredding old or outdated documents securely.
The Federal Trade Commission offers some additional advice to help keep your business safe from identity theft:
- File your reports and renewals with state filing offices on time.
- Check your business records regularly to make sure information is accurate.
- Even if your business isn't a going concern at the moment, check those records, too. ID thieves often target companies that are no longer in business in the hope their crime will go undetected.
- Many state offices responsible for corporate filings offer password protections for online transactions and email notifications when changes are made. Take advantage of these security features and limit employee access to your filings on a need-to-know basis.
- If you spot unauthorized changes to business records, contact your Secretary of State immediately.
You should also be aware that business and pleasure don’t mix when it comes to loans, lines of credit, and credit cards. It’s important to keep your personal life and accounts separate from your company for more than just reasons of accounting compliance. Many financial institutions don’t apply the same “zero fraud liability” to business transactions performed through personal accounts as they do to personal transactions. That could leave you directly responsible for unauthorized charges resulting from business identity theft.
Another important consideration in protecting your personal finances is safeguarding your credit information. It’s not unusual for sole proprietors and other small business owners to undergo a personal credit check when applying for new business accounts - and that can be a leak that needs plugging. Initiating a temporary credit freeze on your personal file will make it more challenging for would-be identity thieves to use your business to obtain credit or loans.
Finally, don’t forget to check with your insurance provider to ensure your business is covered in the event of data loss related to fraud or identity theft.
Keeping Your Business Safe Online
Security chip credit cards were a long time coming in the US, but EMV technology has since done a great deal to reduce counterfeit fraud associated with in-person transactions. Unfortunately, identity thieves have only gotten smarter. The theft of account information – minus the physical credit card – increased by about 40% in 2016.
To keep both your business and your customers as safe as possible while conducting online transactions, consider the following tips:
- Go through the proper channels to secure your website
- Remain vigilant when processing new clients or credit applicants
- Encourage your regular customers to be on the look-out for unauthorized account activity or credit card charges
- Don’t hesitate to contact your customers directly to confirm the legitimacy of large or unusual orders
- Take advantage of your payment processor’s fraud prevention services, including address and credit card code verifications
- Follow the instructions provided by your payment processor immediately should you suspect or receive notification that an order is fraudulent
Any online credit card order that seems out of the ordinary could be a sign of identity theft. The brief amount of time you invest in verifying that a purchase is authentic could save your business from chargeback fees - and from delivering goods or services for which you’ll never be reimbursed.
Recognizing Fraudulent Credit Card Chargebacks
According to the Fair Credit Billing Act, card holders have 60 days to dispute a charge on their credit card statement. That delay can stack odds firmly in the identity thief’s favor. The fact is that not all merchant chargebacks are created equal. And when fraud is involved, your business may be out of luck AND out the money.
There are three different types of credit card chargeback fraud that could affect your organization, so let’s take a look at them here:
- Friendly Fraud isn’t so much about fraud as it is about human error. Sometimes a card holder will dispute a legitimate charge on their statement simply because they don’t recognize or remember it.
- Chargeback Fraud also involves a legitimate credit card charge. But in this case, a dishonest card holder disputes a charge in an attempt to avoid paying for a purchase they’ve made.
- True Fraud is related directly to identity theft. A criminal uses stolen credit card information to rack up as many expensive purchases as possible before the fraudulent charges are discovered, and the card holder’s account is shut down.
In most cases, your business won’t be reimbursed for purchases resulting from true fraud. But the good news is that friendly and chargeback fraud – both of which represent recoverable revenue - account for more than 70% of a merchant’s chargeback losses.
Your best bet when it comes to protecting your business from falsified chargebacks is to manage both your sales records - and your payment reversals - in an organized and proactive fashion. Don’t let those merchant chargebacks slide in the mistaken belief that they can’t be recouped, or simply aren’t worth the bother. Your business should have a process in place for challenging them, whenever it’s cost-effective to do so.
Red Flags in Your Day-to-Day Operations
Many small businesses implement programs to thwart identity thieves based on recognizing “red flags” associated with fraud. Staying alert in your daily operations is one of the best ways for you and your employees to prevent a crisis - and minimize unavoidable repercussions.
Red flags are basically any suspicious activity, pattern, or practice that falls outside normal expectations where your business operations are concerned. They’re especially prevalent in companies that set up and administer customer credit accounts.
In any sales situation where your business offers goods or services on a pay-later basis (i.e. your company has accounts receivable), it should be standard policy to verify a new customer’s credit history and references. Those checks need to be done before any sales are conducted. And because credit screening alone isn’t always enough, it’s important to watch for warning signs during the application process itself.
Make a habit of following up and investigating when credit applications prove incomplete or inaccurate - and don’t be afraid to ask for information that’s missing. The bottom line is that if you want to avoid providing free goods or services to a client operating under a false identity, never believe a credit application to be authentic until you’ve confirmed the information for yourself.
Consider these guidelines for the safe handling of new and existing client accounts, whether they’re invoiced or “credit card-and-carry”:
- As a bare minimum, new account information should include the customer’s name, full address, contact number, and email
- For in-person verification, ask to see government-issued identification such as a passport or driver’s license
- Consider running a credit check if it’s appropriate under the circumstances
- Watch for identifier documents that look altered or forged, identifying photos that don’t look like the presenting individual, credit applications that appear tampered with or reassembled, and any inconsistencies in the information provided
- Take steps to verify the identity of your customer every time they initiate a transaction – online verification can include the use of passwords or PINs
- Monitor the nature of all customer transactions, and double-check orders that look out of the ordinary
- Confirm that any change-of-address requests are authentic before you implement them
- Watch for customer mail being returned while account transactions continue, complaints that account statements and other communications aren’t reaching your client, and unauthorized changes to a customer’s account
As technology and identity theft tactics continue to evolve, you should be prepared to update your prevention program as new red flags emerge. It’s particularly important to pay close attention whenever your business undergoes change: think mergers, acquisitions, or new service providers.
Remember, as a business owner, you know your organization best. Spotting the unusual is half the battle when it comes to staying one step ahead of identity thieves.
Basic Security is a Good Place to Start
Never underestimate the resourcefulness of an identity thief! As opportunists with a great deal to gain, fraudsters understand the quickest and most effective ways to exploit businesses that fail to take basic precautions.
Following are some of the fundamental areas where your business might benefit from having security measures in place:
Safeguard Your Business Computers
Keeping computer firewalls, security programs, anti-virus and anti-spyware software current is critical for protecting your network from intruders. Make sure company computers are being used for business activities only, and don’t skip the few extra moments it takes to install security patches and regular updates. Take advantage of modern encryption technology where appropriate, and remember to secure your wireless network as well.
Check Your Account Statements Regularly
Your business accounts are the lifeblood of your company – so guard them well. Bank and credit card statements are often where the first signs of identity theft reveal themselves. So get in the habit of monitoring and reconciling your accounts as soon as your statements are available. Taking advantage of online banking is a great way to monitor your accounts in real time. And switching from paper to online statements means less risk that your account documents will be stolen. Above all, bear in mind that reporting unrecognized transactions or suspicious activity quickly helps minimize liability and financial loss.
Beware of Scams
There are a lot of scams out there geared toward the small business. While the intent of many of these ploys is to cheat your company out of funds directly, phishing emails are designed to trick you into revealing confidential account or identifier information. No legitimate legal, financial, or governmental entity would ask your business to confirm EINs, passwords, account numbers, or SSNs over email. But identity thieves have no such qualms, and are happy to prey on your respect for authority. Avoid responding to any email that strikes you as suspect, and resist clicking on links or attachments until you’ve verified the legitimacy of the sender.
Team Up with Trade Partners
It’s not unusual for identity thieves to target a company’s suppliers to submit fraudulent orders or gain access to account information. Consider asking your trade partners to contact you for verification any time they’re asked to provide a credit reference for your business. You may also want to check that they have measures in place both on-site and online to protect your confidential information from unauthorized access.
Weed Out Imposters
Identity thieves steal more than just revenues – they can also rob your business of its good reputation. Many cyber-criminals are not above impersonating your company in order to defraud your clients and lay the blame at your door. Some common practices for this deception include using legitimate business logos and other images to set up fake websites, social media accounts, yellow page listings, and email communications that drive prospects and customers toward a false point of contact. Take the time to monitor your online presence regularly, and stay alert to client reports of misleading communications from your business.
Keep an Eye on Your Credit Reports
Both you and your customers should make a point of habitually checking your credit reports for fraudulent accounts opened without your consent. Consumers are entitled to a free credit report every twelve months from each of the three major credit bureaus - Experian, TransUnion, and Equifax. Meanwhile, you can pay to receive your company’s credit report from any or all of these companies, or by contacting Dun & Bradstreet directly. It can prove a worthwhile investment to obtain reports from all of these sources at regular intervals, since the data they contain isn’t always identical. Reviewing your credit history for unauthorized activity - and verifying that all personal information is correct – is often all it takes to foil an identity thief before too much damage is done. Fee-based monitoring services are also available to alert you when changes are made to your credit file.
Train and Refresh on a Regular Basis
Training your employees to watch for potential identity fraud is essential. Once you have procedures in place to protect your business, be sure to review and update them often with the help of your personnel. Your employees are literally on the front line when it comes to carrying out your daily operations, and that makes their input both valuable and timely. Dealing appropriately with sensitive customer and business data, watching for red flags during transactions and communications, and taking note of missing statements or off-beat inquiries can help put a stop to identity theft.
Whenever you or your staff do spot unusual activity that arouses suspicion, have a plan for responding quickly and efficiently. Keep a list of all your banking and credit account information in a safe place, alongside the contact numbers for reporting suspected fraud to various billing, financial, and governmental departments.
Carelessness, indifference, and lack of attention are an identity thief’s best friends. So stay on your toes and follow up immediately if you suspect that fraud has occurred. The sooner you act, the less your business stands to lose.
Photo Credit: Canva