Many people think of identity theft as something that only affects members of the public. But it can also impact businesses of all sizes, from sole traders to the largest corporations. Corporate identity theft is rising, with scammers researching their targets and choosing their moment to strike. The impact can be devastating and potentially lead to mass job losses.
So, how can corporate identity theft be combated?
What is corporate identity theft?
Security risks to corporations and organizations are often thought to be limited to hackers looking for industrial secrets or ransomware attacks. Increasingly, however, cybercriminals are employing other techniques that target the weak point in every computer network: people.
A common outcome of this, and typically the ultimate aim, is corporate identity theft. Also known as business identity theft, it may be the primary attack, carried out using a few basic company details, or the result of time spent mining data from key individuals.
Why are businesses targeted?
Naturally, it’s due to the money involved. Businesses spend a lot of money, cash that can, in theory, be repurposed by criminals—for example, bulk buying supplies, usually with some flexible payment plan. There is an opportunity for a business identity thief to pose as the target company, buy goods (computers, perhaps, or some other hardware easily fenced), and avoid detection until it is too late.
Further, large purchases made under a company account are less likely to be treated with suspicion. While automated payment monitoring services can help domestic users avoid credit fraud, this is less effective for corporations with huge balances and regular purchasing.
Common routes for corporate identity thieves
What approaches do identity thieves use when targeting corporations?
- SIM card swapping: thieves can gain a foothold using this scam. All it requires is a call to the mobile network provider to cancel a SIM card and transfer data to a new SIM. Any two-factor authentication codes sent by SMS for corporate accounts can then be intercepted.
- Whaling: this is a form of phishing targeted at businesses and organizations. We usually think of phishing as a scam targeted at domestic settings over the home phone or email. However, increasingly, larger targets with a far more significant potential windfall are pursued. For example, fake emails, spoofing websites, and identity theft have been used to access business accounts.
- Business Email Compromise: targeting executives and employees concerned with finance and wire transfers, this scam requires careful research by the cybercriminal. All it needs is to gain access to an email account and arrange the diversion of funds under the guise of an “urgent” payment or transfer. Successful execution can involve phishing, keyloggers, and impersonating CEOs, attorneys, or other high-level personnel.
Typical effects of identity theft on a business
What happens when a business is struck by identity theft? While seen as a “victimless crime” by the perpetrators, this doesn’t tell the whole story. Businesses hit by identity theft can struggle, resulting in:
- Late salary: loss of income can result in difficulty or inability to pay employees, contractors, stakeholders, and partners. The fallout from this can often be redundancies.
- Tax disputes: tax may be unaffordable. Alternatively, if a business identity is used to file a fraudulent return, the tax department will penalize it.
- Lost reputation: once hit by a business identity scam, it can be challenging to be taken seriously in the future. Further, any crimes or underhanded behavior carried out under the business’s name will be treated with disdain. As a result, the company could be destroyed.
Further, small business owners can be hit by personal liability. With typically smaller cybersecurity budgets, this can prove devastating.
How to reduce the impact of corporate identity theft
Dealing with corporate identity theft brings many challenges.
1. Increase awareness
Easily accessible information such as revenues, profit margins, company records, and tax IDs can be used to subvert a company’s identity. These details cannot be hidden or suppressed in usual circumstances, resulting in an attack vector that cannot be defended. The best solution here is to increase awareness at all levels, particularly those that handle financially sensitive emails and logins.
2. Initiate procedures and stick to them
Corporate identity theft typically involves an email or phone call requesting the transfer of funds. Anything can happen once the system is breached, which is why initiating agreed procedures and protocols for monetary transfer is vital. This way, you reduce the likelihood of a third party diverting valuable company funds.
3. Enhance system access with biometrics
Biometric information can step up system security and add an extra level of authentication. While this may not reduce faked emails demanding an urgent transfer, it can help reduce unauthorized access to a network system, e.g., from a third party illegally accessing a procurement system.
4. Reduce who has access to the purse strings
Corporate identity theft often affects businesses with vast budgets across countless directors and senior personnel. No one knows where the money is kept, but they all have access to it, with individual departmental budgets and free rein on spending. Cybercriminals love confusion, and this is the perfect opportunity.
5. Double-check everything
This is as important for giant corporations as it is for small businesses. Ensure that every email, phone conversation, and bank and business transaction is made with a verified contact. Doing so can considerably reduce exposure to corporate identity theft. Make things too tricky, and cybercriminals will move on to a new target.
Protect your colleagues from corporate identity theft
A risk to everyone you work with, corporate identity theft could result in entire departments being closed, operations pausing, or even the complete collapse of a business. One wrong click on an unsolicited email can unravel everything.
Protection against corporate identity theft is a group effort, so be vigilant, attend regular network security training, and encourage your colleagues to protect themselves and each other from suspicious emails and other phishing techniques.