When the discussion of identity theft arises, most people would naturally assume that the phenomenon is one that primarily impacts consumers.  However, the unfortunate fact of the matter is that merchant (or business) identity theft is a very real threat that often gets overlooked.  One reason for the lack of attention provided to business identity theft is that it is a relatively new trend.  According to the state of Colorado, which has established a Business Identity Theft Resource Guide, ” Business identity theft (also known as corporate or commercial identity theft) is a new development in the criminal enterprise of identity theft. In the case of a business, a criminal will hijack a business’s identity and use that identity to establish lines of credit with banks or retailers. ”  The thieves have the same goal in mind as those that target individuals, but can often get away with more from businesses.  Businesses typically have larger lines of credit and are sometimes less fastidious about checking statements.

Lisa Lee of Atlanta provides illustration of just what a thief can accomplish through the misuse of corporate credentials.  According to news reports, Ms.Lee would scour the state databases of corporations (which are public) and would select corporations that were inactive or otherwise defunct.  She would then bring these entities “back to life” by filing corporate documents, opening bank accounts and establishing email and other contact information.  Once that was accomplished, she would apply for business lines of credit in the companies’ names.  During the course of crimes, Ms. Lee applied for and received over $1 million in loans and credit.  Fortunately, Ms. Lee was caught and convicted and has been sentenced to 10 years in prison.

In 2010, 35 businesses in Colorado were victimized by a scam in which corporate identities were stolen and used to make purchases at big box retailers.  In that instance,  more than $750,000 in fraudulent purchases were made at just one store.  There were half a dozen stores at which fraudulent purchases were made, so one can just imagine what the ultimate tally might be.

The focus on consumer protection has certainly succeeded in making individuals more cautious about their information and more conscientious about checking their financial statements.  Unfortunately, businesses have not benefited from the same level of focus and education.  That leaves many businesses, particularly small businesses, vulnerable to predators and scams.  There are steps that companies can take to protect themselves, though.

Protect your business records – Business records contain a great deal of sensitive information.  This may include EIN or Tax ID numbers, Insurance information, financial account information and other sensitive data that can be used to establish or alter lines of credit or financial accounts belonging to the business.  It is important that these documents are stored securely, in a locked cabinet, drawer or file cabinet.  Documents that are no longer needed should be shredded.

Hide your merchant ID – It is very common for small merchants to have their merchant ID on a sticker that has been affixed to their PINpad or terminal.  Unfortunately, these devices are almost always in view of the customer.  That means that anyone that goes to the counter or desk can easily gain access to the merchant ID number and the name of the merchant service provider through which the company processes payment transactions.  From there, it is a short hop to compromising a merchant account, though social engineering or other means.   Imagine if you received a call from someone purporting to be from the merchant services company and was able to provide your merchant ID as proof.  You’d probably be inclined to believe it was a legitimate call and provide more sensitive information.  Your merchant ID should be considered as sensitive as any other financial account information and protected accordingly.

Check your corporate records – Often, thieves will try to alter the corporate records of existing entities.  Many states have public online databases of corporate entities, complete with filings, name reservations documents, corporate officers.  Identity thieves may try to alter the address of record or change the names of the corporate officers.  While most states will take some action to verify these changes, it is a good idea to periodically check your corporate records with the secretary of state in your state of incorporation.  If anything appears out of order notify the secretary of state at once.

Review financial accounts - Just as with your personal financial statements, it is helpful to review business account statements to identity any anomalous behavior.  Quickly identifying potential identity theft can significantly reduce the potential damage to the company.

Restrict access to “need to know”- In small businesses it is often tempting to keep everyone in the loop with respect to every aspect of the business.  While that may be laudable, the unfortunate fact is that the more people that know, the more that can disclose.  It is important to ensure that only those employees that have a need to know things like bank accounts and EINs have access to that information. Not only does that limit the number of people that can (intentionally or unintentionally) disclose or misuse data, it also provides a chain of accountability in the even that business identity information is misused.

Certainly this is not an exhaustive list of protective measures, but it does represent some good, commonsense steps that small businesses can take to protect against identity theft.   Most states have a webpage that offer more information and localized resources or tips on the prevention of identity theft.  If you suspect that your business has been the victim of identity theft, it is important to notify the secretary of state and appropriate law enforcement agencies as soon as possible.

Dr. Heather Mark, PhD; SVP Market Strategy