Facts:
Thousands of businesses across the US are victims of a frighteningly easy breed of identity theft, in which corporate information is hijacked and millions of dollars in phony credit purchases are made.
All it takes is an internet connection and, in some cases, as little as a $10 fee, to alter the name of a corporate officer or the address of a company’s registered agent on public records.
Once this is done, thieves can acquire corporate credit lines that run much higher than those offered to the average consumer.
Most companies don’t realize that their brand’s creditworthiness is being exploited until much later — often after their credit has been completely destroyed.
A Cautionary Tale
Richard Chuapoco runs a Denver firm that replaces overhead telecommunication lines with underground fiber optic cables. For ten years, business was good — until his company’s identity was victimized.
Shortly after renewing its annual registration, the business needed to acquire some new equipment. Before things could proceed, Mr. Chuapoco needed to update the firm’s credit-rating information. So, he placed a quick phone call to Dun & Bradstreet — the business equivalent of a consumer credit reporting bureau — to ensure that they had registered a recent address change.
That’s when he learned that Dun & Bradstreet had indeed made note of a new address, in addition to a newly registered agent for the Colorado company. The only problem? The new address on file was located in California, and Mr. Chuapoco hadn’t authorized anyone — beyond himself — to receive official documents on behalf of his business.
When asked how the credit bureau had verified this recent information, they said it had been retrieved from the Secretary of State’s website.
To make matters worse, the culprit behind the change had also altered key information about Mr. Chuapoco’s company in Dun & Bradstreet’s database — including increasing the number of his employees from 15 to 150, and multiplying his firm’s annual revenue by a factor of ten. Why? To get access to higher lines of credit.
Fortunately, Mr. Chuapoco caught on to the ruse early enough to limit the amount of damage done to his credit history. But he was more concerned that his business records could be changed so easily.
“As a businessman, I like to think that the Secretary of State has my back,” he said in an interview with the press. And most companies across the U.S. are likely to agree.
The Larger Scheme At Play
Earlier this week, we covered business identity theft — or, corporate identity theft — which involves the illegal impersonation of a business for financial gain. To execute this, bad actors navigate to a local Secretary of State's online portal and begin the process of “requesting changes” to their target company’s official records. These changes can be made in just a few clicks and will be accepted by the state, no questions asked. Once the changes have been recorded, scammers can easily impersonate their targets to access corporate credit lines and other business assets.
In addition to state business registration records, criminals can also manipulate and falsify other publicly-available information to defraud an organization. What information is that, you might ask? Company credit reports.
Source: Clay Banks on Unsplash
It’s well-known that credit reports are a staple of modern commerce and credit decision-making, which is why millions of consumers and businesses rely on them every day. Like consumer creditworthiness, businesses rely on their credit score to assist with cash flow and fund large purchases. However, there are two critical differences between business credit reports and consumer credit reports — and these differences are precisely what makes this crime so attractive to identity thieves.
Critical Difference #1: Unlike consumer credit reports, business credit reports are available to virtually anyone.
Consumer credit reports contain a significant amount of confidential information. Because these details could easily be abused if they fell into the wrong hands, access to these reports is restricted to businesses who need to determine a customer’s level of creditworthiness. Even then, these companies must first obtain written consent from the consumer before ordering a report.
Business credit reports also contain a significant amount of sensitive information that can potentially be misused. (If you are interested in seeing an example of one of these reports, click here or check out the resources section below.) However, because business credit is intended to promote and foster commerce — as well as aid in risk management decision processes between companies — these reports are readily available and can be purchased by any interested party.
Critical Difference #2: Unlike consumer credit reports, a lot of the information contained in a business credit report is self-reported.
To better assist credit evaluations between businesses, additional information is often obtained from public records and third parties to incorporate into a credit report. An example of this would be other companies with which the business has credit accounts. Depending upon the type of report ordered, as well as the source from which it was ordered, any interested party can obtain valuable background details — such as owner and principal information, financial statements, trade information, public filings, operations and facilities, SIC/SAIC codes, and so on — about the company in question.
While this information can be put to “good use” by identity thieves, it also provides them with an opportunity to manipulate the report itself. As previously mentioned, businesses are allowed to self-report details they deem relevant to their creditworthiness. This means that, in theory, anyone who is authorized to act on behalf of the company can alter certain information, or inflate numbers, in order to deceive creditors and lenders. And since business credit reports include registration records that are obtained and verified through the Secretary of State, all a criminal has to do is first file a change online with the appropriate Secretary — an endeavor which is surprisingly easy to carry out — and then modify the business credit report of his target company. All of this is done to maximize the potential profits that will eventually end up in the imposter’s pocket.
How It Works
After filing for a change of address and adding a new registered agent, using the Secretary of State’s online portal, cybercriminals will head over to the Dun & Bradstreet website. From there, they can use their newly obtained authority to view and update their target’s business credit report. Alternatively, a report on a different company can be purchased for anywhere from $60 to $190, depending on the level of detail desired.
With all of this information at the fraudster’s fingertips, he is able to act on behalf of his target company and make some serious money. From initiating fraudulent sales of a business’ assets to taking out generous lines of credit, the con artist piggybacks on the organization’s established financial and operating histories — causing irreversible damage in the process. He can also open new merchant bank accounts, or access existing ones, and conduct bogus business deals to launder stolen funds obtained from other criminal activities.
The list of malicious possibilities is endless and rather self-explanatory; however, the Secretary-of-State/Dun-&-Bradstreet method is not the only tactic used to gain proprietary access to a company. Below are two other approaches employed by identity thieves:
The Fake-Business-Credit-Applications Method
As a consumer, if you want to apply for a personal loan or line of credit, you have to complete a detailed application — providing sensitive information such as your social security number, date of birth, bank account numbers, etc. Likewise, when your business needs to take out a loan or open a new account for banking or payment processing, you have to fill out a business credit application. These applications request sensitive details, including EIN, account numbers, trade references, and so on. Providing personal information about the owners of the company is also required, as they frequently act as the guarantors on the accounts.
Of course, no one would want this information to fall into the hands of criminals. And yet, credit applications are so commonplace these days that they are often filled out and submitted to the requesting party without a second thought. Thieves are aware of this, which is why — rather than purchasing a business credit report or filing a change with the Secretary of State — they might rely on unsuspecting owners to willingly send them this information for free.
To make this work, a criminal will create a bogus credit application and make it appear as if it originated from a well-known credit card company, major supplier, or lender. This is as simple as downloading a legitimate form from one of these providers and modifying the return address to reflect his mail drop. The thief will then send these applications out to hundreds of small businesses, banking on the fact that a new line of credit or extended payment terms can be very appealing to cash-strapped owners.
If everything goes according to plan, the business owner will complete and return the application, without verifying its authenticity. The criminal will then have everything he needs to defraud the company, or obtain lines of credit in the firm’s name. After maxing out as many loans as he can, and receiving his ill-gotten merchandise, the thief disappears and leaves the business owner to deal with the mess.
The False-Business-Financial-Reports Method
Businesses routinely have to file financial reports for a variety of reasons — whether it’s to report to the board of directors and shareholders, prepare taxes and handle accounting, or submit requested documentation to lenders. As for companies that are publicly traded, their quarterly and annual financial reports are published online and, therefore, are easily accessible.
Business identity thieves take these reports and modify them to make the organization’s financials appear better off than they are. Alternatively, thieves might take the time to fabricate such reports. When combined with other real (or falsified) business credentials, a company’s financial reports add to its appearance of legitimacy and financial capacity — thus laying the groundwork for thieves to deceive creditors for their own gain.
Take Steps to Protect Yourself
Protecting your business from the damage created by identity thieves comes down to two essential areas: regularly reviewing your business credit file and actively monitoring company accounts across the board. These security measures are broken down further below:
Maintain an inventory of accounts and key contact information. Create a record of all company accounts — including creditors and financial institutions, account numbers, corporate card numbers, as well as contact information for corresponding billing and fraud departments. While this task may seem tedious, completing it now will drastically reduce the amount of time it takes to notify these accounts in the event that fraud is discovered.
Carefully review and reconcile account statements as soon as they are received. Be alert for any unusual or suspicious transactions, and promptly contact the creditor if you discover any fraudulent activity — no matter how small.
Ask trade and credit references to notify you if they are contacted. If your business provides or maintains a list of trade or credit references, request each one to notify you if they are contacted by a third party. Business identity thieves often leverage a business' trade and credit references to submit merchant account applications. They may also contact your suppliers directly — often posing as an employee — in order to request detailed account and payment information, which can later be used to make purchase orders or to engage in fraudulent business dealings.
Review your business credit reports. While Dun & Bradstreet may be the most recognized source of business verification and business credit reporting, the three national consumer credit bureaus — Equifax, Experian, and TransUnion — also provide these services. You can obtain copies of your firm’s credit reports from each of these organizations to review them for suspicious activity and ensure that the information is accurate.
Keep your business and personal finances separate. Avoid using personal credit cards, bank accounts, and lines of credit for company transactions and opt for business-specific accounts instead. In addition to the obvious issues of business separation, accounting, and proper tax reporting, most financial institutions and major card issuers specifically exclude business-related transactions — conducted with personal cards — from their "zero fraud liability" programs. Furthermore, if your business account is compromised, any personal payment methods associated with that account may also be at risk.
Consider placing a credit security freeze on your personal credit file. Because it is common practice for business owners to provide a personal guarantee for business accounts, they often have to undergo a consumer credit check. If you are not actively applying or planning to apply for new credit, you can place a security freeze on your personal credit. This will prevent businesses — with whom you do not already have an existing relationship — from accessing your credit file, thus minimizing opportunities for thieves to fraudulently list you as a guarantor or open new accounts in your company’s name.
Final Thoughts and Updates
Building a business from the ground up offers many exciting opportunities for owners to scale their income, but it also exposes them to a certain amount of risk. And for small businesses and startups, the financial consequences of business identity theft can be devastating.
In addition to drained bank accounts and incessant collection calls, victims of these thefts often encounter a wide range of other headache-inducing problems, such as:
Late payments. If your business loses significant income, it could be difficult to pay employees and vendors, uphold tax obligations, or purchase supplies. You might be forced to cut back on operating expenses and let go of loyal employees, whose salaries are no longer within budget.
Negative credit reports. If identity thieves get ahold of business credit cards, there’s a good chance it will also impact your business credit score — a number that measures how trustworthy your company is in the eyes of creditors. For small business owners, who may be guarantors for these lines of credit, there’s an additional risk to their personal credit reports.
State and federal tax disputes. If your business identity was used to file a fraudulent tax return, which many are, you can expect to face serious disputes with the IRS and/or state tax agencies.
Business reputation. In the world of business, relationships are everything. That’s why one of the biggest risks of identity theft is the way an organization is perceived in the aftermath. If the damage is extensive enough, not only could your cash flow take a hit, but so might your reputation with creditors, suppliers, and clients going forward.
Personal liability. As a small business owner, any criminal breach in security can put you at risk. Proceed with caution when disclosing personal information, as you are a prime target for identity thieves and will likely be held accountable for any outstanding debt of the credit cards and loans linked to you.
Keeping all of this in mind, it’s worth noting that although businesses of all sizes are at risk of identity theft and impersonation schemes, small business owners are especially vulnerable. Therefore, it’s important to remain diligent, as a single lapse in security could be detrimental to any future operations.
Useful Resources
Example of a business credit report:
http://creditreports.dnb.com/webapp/wcs/stores/servlet/BirSample?storeId=11154&catalogId=71154
Checklist for victims of business identity theft:
http://www.businessidtheft.org/VictimAssistance/tabid/90/Default.aspx
To order a credit report or to place a freeze on your credit:
Equifax https://www.equifax.com/business/business-credit-reports-small-business
Experian https://www.experian.com/small-business/business-credit-reports.jsp
Dun & Bradstreet https://businesscredit.dnb.com
Transunion https://www.transunion.com
Editor’s Note: Have you been affected by fraud? Most people have, in some form or another. If you have a story you would like to share, we’re sure our readers would benefit from hearing it. Please send an email to editor@theconartist.pub detailing your experience, and we will be in touch. Your privacy and any wishes of anonymity will be respected.
Thanks for reading! If you haven’t already, consider joining our community to receive in-depth exposés on the latest scams, hoaxes, and other forms of fraud.