Many people think of identity theft as something that only affects members of the public. But it can also impact businesses of all sizes, from sole traders to the largest corporations. Corporate identity theft is on the rise, with scammers researching their targets and choosing their moment to strike. The impact can be devastating and potentially lead to mass job losses.
So, how can corporate identity theft be combated?
What is corporate identity theft?
Security risks to corporations and organizations are often thought to be limited to hackers looking for industrial secrets, or ransomware attacks. Increasingly, however, cybercriminals are employing other techniques that target the weak point in every computer network: people.
A common outcome of this, and typically the ultimate aim, is corporate identity theft. Also known as business identity theft, it might be the primary attack, carried out using a few basic company details, or it could be the result of time spent mining data from key individuals.
Why are businesses targeted?
Naturally, it’s due to the money involved. Businesses spend a lot of money, cash that can in theory be repurposed by criminals. For example, they buy supplies in bulk, usually with some sort of flexible payment plan. This gives a business identity thief the opportunity to pose as the target company, buy goods (computers, perhaps, or some other hardware easily fenced), and avoid detection until it is too late.
Further, large purchases made under a company account are less likely to be treated with suspicion. While automated payment monitoring services can help domestic users avoid credit fraud, they are less effective for corporations with huge balances and regular purchasing.
Common routes for corporate identity thieves
What approaches do identity thieves use when targeting corporations?
SIM card swapping: thieves can gain a foothold using this scam. All it requires is to call the mobile network provider to cancel a SIM card and transfer data to a new SIM. Any two-factor authentication protection on corporate accounts that is sent by SMS can then be intercepted.
Whaling: this is a form of phishing, targeted at businesses and organizations. We usually think of phishing as a scam targeted at domestic settings over the home phone or email. Increasingly, larger targets with a far greater potential windfall are pursued. Fake emails, spoof websites, and identity theft have all been used to access business accounts.
Business Email Compromise: targeting executives and employees concerned with finance and wire transfers, this scam requires careful research by the cybercriminal. All it requires is to gain access to an email account and arrange the diversion of funds under the auspices of an “urgent” payment or transfer. Successful execution can involve phishing, impersonation of CEOs, attorneys, or other high-level personnel, or simply keyloggers.
Typical effects of identity theft on a business
What happens when a business is struck by identity theft? While seen as a “victimless crime” by the perpetrators, this doesn’t tell the full story. Businesses hit by identity theft can struggle, resulting in:
- Late salary: loss of income can result in difficulty or inability to pay employees, contractors, stakeholders, and partners. The fallout from this can often be redundancies.
- Tax disputes: tax may be unaffordable. Alternatively, if a business identity is used to file a fraudulent return, the tax department will penalise the business.
- Lost reputation: once hit by a business identity scam, it can be difficult to be taken seriously in future. Further, any crimes or underhanded behaviour carried out under the name of the business will be looked upon with derision. The business could be destroyed.
Further, small business owners can be hit by personal liability. With typically smaller cybersecurity budgets, this can prove devastating.
How to reduce the impact of corporate identity theft
Dealing with corporate identity theft brings its own challenges.
1. Increase awareness
Easily accessible information such as revenues, profit margins, company records, and tax IDs can be used to subvert a company’s identity. These details cannot be hidden or suppressed in usual circumstances, resulting in an attack vector that cannot be defended. The best solution here is to increase awareness at all levels, particularly among those who handle financially sensitive emails and logins.
2. Initiate procedures and stick to them
Corporate identity theft typically involves an email or phone call requesting the transfer of funds. Once the system is breached, anything can happen, which is why initiating agreed procedures and protocols for monetary transfer is vital. This way you reduce the likelihood of a third party diverting valuable company funds.
3. Enhance system access with biometrics
All manner of biometric information can be used to step up system security and add an extra level of authentication. While this may not reduce faked emails demanding an urgent transfer, it can help to reduce unauthorised access to a network system, e.g. from a third party illegally accessing a procurement system.
4. Reduce who has access to the purse strings
Corporate identity theft often affects businesses with vast budgets spread across countless directors and senior personnel. No one really knows where the money is kept, but they all have access to it, with individual departmental budgets, and a free rein on spending. Cybercriminals love confusion, and this is the perfect opportunity.
5. Double check everything
This is as important for huge corporations as it is for small businesses. Ensure that every email, phone conversation, and bank and business transaction is made with a verified contact. Doing so can considerably reduce exposure to corporate identity theft. Make things too difficult and cybercriminals will move on to a new target.
Protect your colleagues from corporate identity theft
A risk to everyone you work with, corporate identity theft could result in entire departments being closed, operations pausing, or even the complete collapse of a business. One wrong click on an unsolicited email can unravel everything.
Protection against corporate identity theft is a group effort, so take care to be vigilant, attend regular network security training, and encourage your colleagues to protect themselves and each other from suspicious emails and other phishing techniques.