News

In-depth: Avoiding becoming a victim of corporate ID fraud

Microscope contributor
A quick scan of identitytheft.org.uk, a government website backed by organisations and companies with an interest in reducing fraud, is enough to put the frighteners on any law abiding reader, writes Adam Bernstein.

While many in the channel realise that fraud and identity theft affects us as private citizens, few really understand that it hurts businesses too. According to a CPP survey of 200 SME's in September 2011, only one third of respondents thought they were at risk of identity fraud; the awareness of fraud varied wildly across industry sectors surveyed.

So consider this: a business runs a tight ship with good controls over its finances. But one day, it receives demands for payment for debts that it doesn't recognise. After much investigation it appears that a third party has used the business to fund criminal activities. It later transpires that the owner's identity has also been cloned and that someone else has a driver's licence, credit cards and a new bank account in the owners name and has used them to their disadvantage.

Businesses under attack
Companies House says that it sees some 50 to 100 cases of identity each month. Worryingly, these cases only cover incorporated businesses and not sole traders, (incorporated) partnerships and of course, cases not yet discovered.

The cost of fraud is estimated at around £75 billion a year according to the National Fraud Authority (NFA) in their 2012 Annual Fraud Indicator. Of concern is the rate of growth; the figure was estimated at £30 billion in 2010 (although the NFA say that they are getting better at detecting fraud). While these figures include all forms of fraud - insurance, mortgage, benefit, credit card as well as identity fraud (there are too many other types of fraud to list) - it's clear from the NFA report that all sectors of the UK economy and businesses are at risk.

It's surprisingly easy to hijack a company by changing a directors name and address and the registered business address. Companies House take all documentation at face value - there's no checking of submissions at their end. Suppliers - of goods, services or finance - will often check a customer against official records and for a proven credit rating established by a legitimate business. If the data given by the fraudster stacks up then the deal is done, leaving the victim to pick up the pieces. The supplier will not necessarily know (or care) until it's too late that fraud is involved.

Types of Fraud
There are numerous forms of fraud and they don't all exhibit the 'instant strike' that some might expect. Indeed, they can be the result of a long term sting where a firm is set up, or hijacked, with the intention of placing several small orders with a supplier. The orders are paid for quickly to build up confidence before large orders are placed and subsequently not paid for.

Another variant involves a phoenix company where the directors create a business, wind it up with substantial debt, and then setup up an almost identical company to start the process again.

Criminals can also literally hijack a business with investment and personnel to take control from within.

But one of the simplest frauds to watch for involves the owners of a newly registered company who submit fictitious returns to Companies House featuring 'too good to be true' accounts. This creates a perfect credit rating from which they can source credit, which of course, is never repaid.

Find the weakness
Fraud and identity theft can never be entirely eliminated, but the threat it poses can be minimised. This means businesses need to understand where fraudsters probe for weaknesses.

* Waste: The easiest and most obvious starting point to setup a fraud is to search business waste in bins outside premises.

* Websites: Websites can easily be replicated tricking the unwary into entering contact information, or bank data, which can then be harvested and used illegally.

* Credit: As seen earlier, it's quite possible to use of the good name of a legitimate business to obtain goods or services. A derivative of this, however, is to use an identity to set up a false internet merchant account allowing a third party to take monies from customers who think they are trading with the legitimate company.

* Hacking: Unsecure computers (or networks) can be targeted for the sensitive information they contain - staff or customer details - which can then be used for other identity based crimes. It does happen - in May 2012, Kent based Lewys Martin was jailed for 18 months for creating and distributing software that harvested bank logins, credit card details and internet passwords from infected computers. Martin was only discovered by chance. The stolen data was then sold on to other criminals for their use.

Protect the business
Not many businesses (or individuals) place the destruction of sensitive information high on the agenda; a name and address found from bins combined with other personal information can make for easy pickings. With the internet, it's easy to build on information found on discarded paper to establish someone's home address, telephone number, date of birth (which in itself is often used as a password or pin code), place of birth, family members, past employers, education history and so on. Considering that many financial institutions use elements of this information to verify a caller it's not hard to see how identities can be manipulated. So as well as shredding documents social media sites etc. should be protected with minimal identifying information being freely available.

In a similar vein, businesses should review security on their computers and networks to prevent authorised attacks. At the minimum, internet routers should be protected with encryption keys and MAC address filtering (it's not that technical) to prevent snoopers accessing a network; both the firewall on the router and on the computer should be turned on; good anti-virus software should be installed and kept up to date (especially on a Windows computer, but Mac users should consider it too); any security software offered by a bank should be installed; and if possible, businesses should seek technical help to disable USB ports on computers to stop data exported onto USB memory sticks. It also makes sense to limit access to sensitive data and ensure that whenever it's moved that it's encrypted in case of loss.

Navigation to a bank's home page should be direct rather than through a search engine. When on a payment page or on a bank website users should look in the navigation bar for 'https' rather than 'http'. This indicates that the page is secure (something that most fraudsters won't set up).

Directors of incorporated businesses (as a company or limited liability partnership), should invest time on Companies House website (http://bit.ly/MjZ4kC) which offers three levels of protection to registered businesses. The first is WebFiling, an online filing service that does away with paper forms to return statutory information. It requires registration and uses security and authentication codes to secure the filing process. Next is PROOF, which, once a business is registered, means that Companies House will only accept electronic submissions (using the codes). Lastly, Monitor, which keeps subscribers updated on documents filed at Companies House.

Credit referencing agencies such as Equifax and Graydon provide useful services. Graydon's CreditWatch, for example, will monitor a subscriber's own business or that of a customer and alert of any critical changes. A one-off check costs from £10, but for £600 pa upto 100 companies can be watched. Alternatively, their Intelligence Network offers credit data on customers in given business sectors. Graydon offers a free search and Equifax offers individuals Identity Watch Pro that gives instant access to their credit file and alerts to changes in the file.

For businesses, Equifax offer a Portfolio Monitoring Service that monitors for changes in a business's profile that may indicate fraudulent activity. The agencies can also help check on individuals with shady pasts they want to hide. While these paid for services may not prevent an attempt to steal an identity, they should alert the subscriber immediately to any changes, authorised or not, before any criminality can be committed. More information on credit agencies is available at BIPA.

Few businesses consider that fraud comes from internal as well as external threats; during a time of economic stress, the risk of employee-based fraud will grow. The 2011 CPP survey found instances of staff accessing HR databases and removing the data on USB sticks, as well as cases of staff stealing thousands of pounds from their employer. It is therefore important to run checks on business partners and directors as well as staff that includes their credit history, any criminal past as well as seeking and reading references. The Metropolitan police offer tips on their website.

Lastly, businesses mustn't take everyone and everything at face value. They should confirm who they buy from or sell to with checks on telephone, fax, email and website addresses. In particular, they should ensure that area codes match the registered address, that orders are always taken on original company paper, and trade and/or bank references should be sought. Those dealing with unincorporated businesses should ask to see original utility bills to establish proof of address. It's also possible to check for (in)valid VAT numbers online.

Too late?
Time is of the essence once fraud has struck. Victims report to not only the police but also Companies House, their bank and suppliers. However, victims should take legal advice first. While the police aim for a conviction in fraud cases, the victim will want restitution. The two don't always go hand in hand and the time taken to get a conviction could make recovery difficult.

Urgent repair of a credit file will be required meaning victims should obtain their credit report and Companies House record. The credit reference agencies can be found via BIPA, and they can help with guidance on the steps that need to be taken. Individuals have a legal entitlement to their credit file for £2, but businesses will have to pay going rate. Of course, those that suspect customer information has been compromised should inform customers of the suspicion so that they can take appropriate measures.

There's no doubt that fraud occurs. But with careful management, the risks can be significantly lowered.




Join the conversation Comment

Share
Comments

    Results

    Contribute to the conversation

    All fields are required. Comments will appear at the bottom of the article.