UPDATE 08/06: Panda Security reports 44% of SMBs admit falling victim to cybercrime.
Generally speaking, when most people discuss identity theft, they are referring to an individual using the personal identifying information of another individual, without their consent, to obtain some profit or advantage. Identity theft is largely viewed as a “people” problem, and for good reason- Most state and federal laws, websites, non-profit organizations and consumer advocacy groups tasked with the job of helping identity theft victims address the American consumer at large.
Yet, small and medium sized businesses (SMBs) are an attractive target for identity thieves. According to the Institute of Consumer Financial Education (ICFE), SMBs usually qualify for larger lines of credit, “enjoy extended payment terms and less transactional scrutiny for large purchases or high value ticket items than individual customers.” They often have physical property such as computer equipment of value, or perhaps inexperienced employees that may be susceptible to phishing attempts or bribes. Many SMBs are located in shared business buildings, making it even easier to obtain credit cards and loans. All a criminal has to do is rent a small space or mailbox in your building- the address will verify as correct, and he’ll get the credit cards, loan documents, and bills instead of you. Before you even know something is wrong, he has skipped town without a trace- except for the damage to your business.
In addition to being lucrative, small and medium size businesses are often careless with privacy and security because they are preoccupied with- well, running their business. According to the ICFE, “Many businesses do not regularly review their business credit report.. [or] ..always carefully scrutinize employee charge card billing statements before they are paid, particularly those accounts for which multiple cards are issued.” Additionally, a recent survey from security firm Panda Security shows SMBs in the United States are increasingly the victims of cybercrime, yet many do not take simple precautions to protect themselves. By the numbers:
* (44 percent) were hit by some form of cybercrime
* (10 percent) surveyed were hit so bad that they had to stop production -- worldwide, the average was 30 percent.
* (50 percent) of companies in the survey lost time or productivity as a result of being infected.
* (97 percent) of U.S. SMBs have installed anti-virus and (95 percent) claim their security systems are up to date. YET (29 percent) said they have no anti-spam in place, (22 percent) are without anti-spyware technology and (16 percent) do not have firewalls. (52 percent) said they have no web filtering solution in place. (39 percent) of respondents said that they have yet to be trained about IT threats.
When you combine large cash /credit flow and little scrutiny or security, it is easy to see what a gold mine this is to thieves. I’m not done yet- There is another factor that makes these threats an increasing danger in an age of government transparency and online communications. Not only are you an attractive target, but obtaining the documentation necessary to impersonate a business or pose as a representative of the business is often easier than for an individual.
Your business information is easily obtained from a variety of offline and online sources. Business stationary and business cards are easy to obtain and duplicate, and since “most businesses are eager to open new accounts for other businesses, and the process can be quite simple- such as submitting a request on company letterhead along with the business license number and Tax ID.” (ICFE) Since most businesses display their business license on their wall (as many are required to by law), this theft is dangerously easy. Additionally, businesses may engage in high-risk sharing of their business information. Because many companies such as Costco require an EIN to give users status as a business, the EIN is tossed around a lot on documents and over the phone. Small business owners may even be using their own social security number in place of an EIN, increasing their risk and potential for damage. SMBs aren’t just a gold mine; they’re a gold mine filled with diamonds.
There are unfortunate gaps in our system. There are hundreds of companies, pre-paid legal services, private investigators, non-profits and consumer advocacy groups that are trained and versed in handling personal identity theft- but find themselves either unprepared or unable to assist businesses when they become victims. Their hands are often tied by either state laws, procedural technicalities, binding contracts and user agreements or just plain ignorance.
As pointed out in a recent article by Business Week, “While business identity theft can often be prosecuted under other statutes, like mail fraud or wire fraud, businesses victimized lose many of the protections afforded to consumers under identity theft laws, like access to information about their credit. Before California last year amended its 1997 identity theft law explicitly to include crimes targeting business entities, a business whose identity had been co-opted could not even get a police report. ‘We were having businesses being taken over and their names being used and I could not prosecute them, at least under ID theft statutes,’ California Deputy Attorney General Robert Morgester says.” (The state legislature amended the “person” in identity theft cases to encompass associations, organizations, partnerships, businesses, trusts, companies and corporations, in addition to logos and “photographic representation” as legally recognized personal ID data.) Yet, there are many other states that still do not recognize business identity theft as a separate crime at all.
Additionally, many loan contracts and credit agreements may have fine print that could leave you high and dry. According to ICFE, “liability provisions in many cardholder agreements specifically exclude: unauthorized transactions involving business cards and cards used for business purposes…and instances where a transaction by an individual, who at some point was given permission to use the card by the cardholder, ‘exceeds authority’ given by the account owner.” Since insider threats are still the biggest concern when it comes to loss prevention, this particular fine print can mean a lot to a business owner. Perhaps most devastating: “Most loan documents contain a provision which states that if the lending bank ‘deems itself insecure’, repayment of the loan may be accelerated. If numerous fraudulent accounts have caused the bank to no longer be confident of the business’ long term viability, a business’ loans or credit lines may suddenly be called and most businesses would simply not have sufficient cash or liquid assets available to fully service the debt.” While there has been a little progress in this area, like state laws, there are a lot of gaps. Visa, MasterCard, and American Express no longer distinguish between small business and individual credit card fraud, which helps companies to clear the purchases made by thieves. We can only hope that others follow suit.
A thief with access to EIN, address, key names, and letterhead or company logos can easily apply for credit or obtain loans and merchandise as a “representative” of your company. There are painful gaps in consumer law and business practices that make the extensive, time-consuming, complex and potentially expensive process of recovering from identity theft even harder. Dealing with the theft can take months or years. Don’t take chances, and protect yourself:
Shred. Shred. Shred. Dumpster diving is still a common source of information.
Don’t hold onto documents any longer than absolutely necessary.
Obtain an EIN and use it instead of your SSN. Be cautious with your EIN and give it out sparingly.
Obtain regular credit reports for yourself and your business. Review them carefully.
Review your Better Business Bureau report regularly. In addition to identity theft, business can also become the victim of professional impersonation. In many cases, evidence of both types of crimes will show up on the BBB report.
Owners should review transactions statements and account for all items. If you give review power to another individual, be aware they are now a target for bribes and extortion. The best solution is to take matters into your own hands and report any unusual activity immediately.
Improve your business physical, technical, and personal security. Alarms, firewalls, encryption and anti-virus are all important components, but more important is the education of you and your staff. How to detect and deter phishing attacks, how to report suspicious behavior anonymously, and what to do if you believe you may have compromised information are all topics every employee should know by heart.
Be an informed consumer- ask what precautions businesses take with your applications and other business identifying documents and data. Explain your concerns. Enough business owners bring up these concerns, they will listen.
“Consider using electronic payment options. Since the networks are password-protected and the messages are encrypted, wire transfers and ACH payments are much safer than using paper checks…
And lastly, consider a post office box or a lockbox for your mail. This ensures that business mail is retrieved by appropriate personnel and is not left in a box at the reach of any passerby.”
Practical advice for changing the outlook for SMBs: Put your money where your mouth is, and the squeaky voting wheel gets the grease. Do business with companies with good security practices- even if it means it makes it more difficult to do business with them. Write to your representatives and voice your concerns. Bring awareness to the dangerous of identity theft for small and medium businesses to your associates, your lawmakers and your financial institutions. If legislation regarding personal identity theft rights is any indication, it is going to require a concerted grass roots effort to bring awareness to the issue and create change. It is time.
UPDATE 07/30/2009: Another threat to businesses highlighted by the Better Business Bureau, "Scam artists send an invoice for a product commonly purchased by the business. For example, paper or other office supplies, in hopes that the busy staff will pay the funds without question."
Copyright 2009 Rachel James. Please do not republish without written consent. You are welcome to link in reference.
Rachel, this is a terrific article.
ReplyDeleteDo you have any tips for what we can do as customers of these SMBs? I recently looked into getting a mortage from one of these businesses and I was scared to death watching the complete lack of security. They had every single piece of PII they could get for me and absolutely no security.