Small business identity theft: How to protect client businesses

Personal identity theft is not a new crime. Yet, many don’t realize that businesses can also be victims when sensitive information is stolen and used to obtain cash, credit, loans and more. A 2022 survey showed that 51% of organizations had experienced fraud in the past two years,¹ leading to financial losses, operational disruption, loss of new business opportunities and other potentially harmful concerns.

Helping clients prepare for business identity theft is not only a responsible and ethical practice, but also a way for insurance agents to provide added value to their small business clients and protect their own interests by reducing claims and ensuring client retention. It’s an essential aspect of modern risk management and insurance advisory services.

What is business identity theft?

Business identity theft is when criminals impersonate business owners, officers or employees to fraudulently gain funds, leaving the targeted business burdened with debt. These thieves may also commit additional fraud, like submitting fake tax returns to obtain IRS business credits. Beyond direct financial losses, victims of business identity theft may face legal challenges, such as protecting their intellectual property in court.

One way businesses may notice identity theft has occurred is if they begin having tax filing issues or receive unexpected IRS letters or requests.² They may also notice that additional credit cards or loans have been opened in the business’s name. Other forms of business identity theft include web defacement, which is when a thief impersonates the business’s website to steal data, or trademark ransom, or when the thief imitates a business by procuring a mailing address similar to the legitimate business.

Common methods used to obtain sensitive business information

The methods fraudsters employ to steal and exploit business identity information for financial gain come in various forms and continue to advance in complexity. Businesses should be aware of these common methods and implement robust cybersecurity measures and employee training to mitigate the risks associated with these tactics. Consider the following examples:

• Phishing scams—An identity thief may send an email that appears genuine in both appearance and tone (e.g., an email from the business’s bank requesting the business to confirm its account details). The email might even use graphics from the business, enticing recipients to click through the images and allowing the fraudster to potentially collect valuable information. These emails typically contain links or attachments that, when clicked, lead to fake websites or install malware to steal sensitive data.
• Fake social media accounts or websites—Those looking to steal a business’s identity may create fake social media accounts using the company’s branding to lure customers with fake advertising campaigns. Similarly, they might completely mimic the business’s website to fool unknowing visitors.
• Counterfeit invoices—In the same way these thieves can mimic an email or website, they may also send fake invoices claiming to be a business and obtain payment. These invoices often appear convincing and may use branding elements from the targeted company.
• Tax fraud—Infiltrators can exploit freely available information online that contains business information, such as sales tax numbers or business license numbers. They then use this information to file fake tax returns and obtain refunds through the government.
• Trademark ransom—Criminals sometimes register a business’s name or logo as an official trademark and then demand a ransom to release it back to the business. This can lead to legal disputes and reputational damage.
• Data breaches—Hackers may breach a company’s computer systems or databases to steal sensitive information. This can occur through vulnerabilities in software, weak passwords or social engineering attacks.

5 tips to protect against business identity theft

To combat the ever-present threat of business identity fraud, companies should adopt a multifaceted approach, including the following best practices:

1. Understand the risks of business identity theft. Identity theft can have devastating effects on shareholders, employees and customers, making it a growing and serious risk for organizations of all sizes. Fraudsters are attracted to the potential high returns from such theft, particularly when they fraudulently obtain loans or credit cards in a business’s name, leading to complex and sometimes irretrievable financial losses. The most impactful repercussions include a tarnished brand reputation, revenue loss, complicated tax disputes and the loss of customer trust. Cybersecurity is crucial to hedge against this risk. Many businesses fall prey to business identity theft, and the top priority is to act swiftly. To safeguard your business, consider utilizing software that identifies and eliminates counterfeit websites, domains, social media profiles and applications.
2. Secure business records and documents. Experts recommend that businesses maintain only essential records for their operations and securely dispose of unnecessary physical documents through shredding. Businesses should also store all records securely, preferably digitally on the cloud rather than on physical devices. For paper records, use a locked fire-resistant cabinet accessible to a limited number of individuals. Limiting the amount of mail and paper containing financial information is also important to prevent offline identity theft.
3. Educate employees about cybersecurity. A comprehensive approach to fraud protection and cybersecurity should begin at the highest levels of a company. Once internal controls are established, the next crucial step is educating employees on effective practices to prevent and respond to cybersecurity threats and fraud. This education should cover various aspects, including implementing business protocols, identifying fraud, managing passwords, secure internet browsing, recognizing email phishing attempts and reporting cyberattacks. Companies should also suggest employees only email documents that are password protected and use separate personal and business email accounts.
4. Safeguard company computers and networks. This step is essential for decreasing the chances of business identity fraud. Businesses should prioritize network upgrades, data encryption, regular data backups and the installation of a strong firewall with anti-malware capabilities. Additionally, implementing automated fraud screening systems can help identify unusual purchases, spending patterns and locations associated with the business, enhancing overall protection. Other key best practices include using strong, regularly changed passwords with a mix of characters, choosing multifactor authentication when available, restricting access to sensitive information to authorized employees only, backing up data to a source not connected to your network and securely disposing of unnecessary data, including old hard drives and printers.
5. Invest in business cyber liability coverage. Small businesses should consider investing in business cyber liability coverage because it offers financial protection by helping cover costs related to identity theft, including legal fees, notification expenses and credit monitoring. Insurance also provides access to legal experts for navigating complex legal issues. Overall, investing in business cyber liability is a proactive step that can help small businesses mitigate the financial and reputational risks associated with identity theft incidents, enabling them to recover more swiftly and effectively in the event of an attack. In today’s digital landscape, where cyber threats continue to evolve in complexity, having a robust insurance policy tailored to your business’s needs is more crucial than ever.