In the past two weeks, I have been contacted separately by two local business owners to share how their business identity has been stolen and used to set up accounts with various companies on which thousands of dollars are charged and they (the actual owners) are left to pay the bills. There are no identity theft statistics on this type of crime, but I am certain that it is just coming onto the trend radar. In further proof that this is becoming a major problem for corporations, the Denver Post ran an article this morning titled “Corporate ID Thieves Mining the Store“.
Here’s how this incredibly easy form of business identity theft works:
- A thief scours the internet for your company information (Facebook is usually a good place to start, as is your local Secretary of State’s website). They are particularly interested in bids for government contracts, as they often contain a sample of your letterhead as well as your pertinent business information. If they can obtain the Federal ID# of your businesses, they have even more ammo to defraud you.
- Business name in hand, the thief logs on to your local Secretary of State’s website (the agency generally responsible for registering corporations and maintaining databases on corporations) and pays a small fee ($10) to alter the name of a corporate officer or the address of a company’s registered agent on public records. I would imagine that they generally register an identity stolen from another individual in order to cover their tracks further. In most states, there is no password to protect your official business filings from unauthorized users and changes. In Colorado, according to the Denver Post article mentioned above, officials say that “putting password protection on corporate data — where only a business owner or representative can make changes — is prohibitively expensive.”
“In other words, the State of Colorado provides less protection for your corporate data than the average online dating service.”
- Now that the imposter is a “corporate officer” of your business with full authority to act on behalf of your corporation, the thief applies for a credit account in your business’s name, generally at a large national retailer (Home Depot, Lowes, AT&T, Sprint and Verizon see to be the top choices). If necessary, they use your poached letterhead to facilitate the process of setting up the account.
- The retailer, before extending credit, verifies with Dun & Bradstreet that you are in fact an official officer of the corporation. And where does Dun & Bradstreet get its information about your business? From the Secretary of State’s office, the very source of your illegally modified information. In other words, all parties in the process are relying upon falsified source data that remains unprotected on government websites.
- Using the newly established business account with terms (i.e., the thief doesn’t have to pay for what they buy, it is invoiced to the company for payment at a later date), the thief makes large purchase of equipment of services, often worth tens of thousands of dollars.
- Equipment in hand, the thief leaves the store never to be seen again. Your business, of course, receives the bill, and begins the arduous, time consuming and expensive process of proving that you never made the purchase, a difficult task given that the account was established by what the retailer considers to be a legitimate officer of your corporation.
Farfetched? Not at all. The problem is compounded by the fact that sales associates at many national retailers receive incentive bonuses for every sale they make. Why wouldn’t they push the sale of 50 mobile phones through the system when they receive a large commission to do so? It’s much easier than selling one handset at a time.
Both actual cases I worked with involved phone companies, and each business owner has struggled desperately to prove that they did not make the purchase and do not owe on the account. In one of the cases, the business in question already had an account established with the phone company – same company name, address, phone number, etc. – and the phone company failed to ask any questions as to why they would want a second account. In many of the cases, the thieves use the same stolen business identity over and over again in different cities (rarely do they even shop in your actual city), causing the owner untold hours of time repairing their damaged Dun & Bradstreet ratings, fighting with collection agencies and sitting on hold trying to explain to large corporations that don’t have any incentive to believe what you are saying.
In a spiraling economy, taking your eye off the ball can mean you lose the game. In the meantime, you can take these steps to being affecting change and protecting your valuable business data:
- Contact your local Secretary of State’s Office and encourage them to resolve the issue as quickly as possible. You just might be the first person to let them know that this problem exists. At minimum, ask them to begin protecting your corporate data with a password that only the verified and legitimate corporate officers of your corporation can access.
- Review your corporate filing with the Secretary of State’s Office regularly to make sure that there is no altered or false information in their database. If there is, contact them immediately.
- While in your corporations’ listing on the Secretary of State’s website, make sure that you set up any security measures they have provided. For example, if they have email alerts anytime your profile changes, make sure you take them up on it and have a current email address in the profile. This will send you an alert anytime someone changes your file.
- Monitor your Dun & Bradstreet account regularly to make sure that no liens or encumbrances have been placed on your credit profile. If there is incorrect or unrecognizable data on your report, contact D&B’s fraud department immediately at 1.800.234.3867 begin_of_the_skype_highlighting 1.800.234.3867 end_of_the_skype_highlighting.
- Set up a Google Alert for your corporation’s official name, TIN and any DBAs to monitor unexpected internet activity on behalf of your organization.
- If you are a contract-based vendor, include a clause in your contract prohibiting the publication of your TIN/EIN/SSN in any electronic or internet form without your prior written consent.
- Protect your TIN, letterhead and company information as if it were currency, because it is.