Recently, I was happy to discuss synthetic identity theft on the Great Day show. I briefly talked about how synthetic identity theft was also committed in the U.S. using business employer identity numbers (EINs). Crooks often target small and midsize businesses for this type of crime. After the show I got a lot of questions asking for more information about synthetic EIN identity theft.
What is business identity theft?
Put quite simply business identity theft is the impersonation of an entire business. It can occur through multiple ways, but in the U.S. most often occurs through the use of valid EINs. The U.S. Internal Revenue Service (IRS) issues EINs to identify business accounts that are also taxpayers within the U.S. EIN identity theft is when criminals take a valid EIN and use it with other bogus information, such as business name, payroll, address, and so on. They then use this new bogus business identity to do a number of illegal acts. Any size of business is subject to being a victim of business identity theft. However, small and midsize businesses are often, and increasingly, targets because
1) there are so many more of them within the U.S. than large corporations;
2) businesses usually have more money in the bank than individuals;
3) businesses often can make larger purchases, and take longer to pay, than individuals;
4) businesses usually have much higher credit limits, giving crooks a lot more purchasing capability in a very short period of time;
5) technology can be used to hide their tracks, and to more easily allow crime to occur from another country from where the victim is located; and
6) because they are typically less diligent about checking to ensure there is no fraud occurring with their EIN, since most aren't even aware of this type of fraud to begin with.
Here are just a couple of many types of common business identity theft schemes and the impacts to the businesses whose actual EINs are being used.
Crooks getting tax refunds under a business's EIN
Crooks will include a valid EIN on Form W-2 and include bogus wages on it. The crook will then file a bogus tax return, the IRS gets it, and issues a refund to the crook. This often happens when the social security numbers (SSNs) of live people are used, but increasingly this is a scam where the crooks take some of the personal information of deceased individuals and submit tax returns fraudulently showing they worked for a business, and use the business's EIN. For example, during 2009 Thomas William Quintin and his accomplices not only used deceased individuals' social security numbers (SSNs) to commit fraud, they also obtained the EINs a variety of businesses and submitted false returns, claiming the deceased worked at those businesses, earned income and had taxes withheld. They then claimed refunds on the false income tax withholdings. This type of fraud can impact the business because the IRS records now show the defrauded business has more employees than what they are actually reporting, which can lead to a lot of time and trouble getting the bad information fixed within those businesses tax records.
Crooks getting loans or lines of credit
Many types of business accounts require a personal guaranty from one or more of the business owners. For example, to get a credit card, a business bank account, a line of credit, and so on. Crooks will obtain business loans or lines of credit using the owner's or business partner's name as a guarantor, and provide the EIN. The bank then checks to see if the EIN is valid, and if it is, then often give the loan, line of credit, etc. This often eventually impacts those owners and partners when the crooks, of course, don't pay back the loan. The bank then goes on a search to find them, and their search ends at the valid business owner. The lender will then attempt to get their money from the business and/or individual whose identities were fraudulently used.
These types of frauds can result negative credit reporting and collections activity, and may cause the defrauded owner or officer to have increased interest rates, decreased credit lines, or even impact his or her own personal accounts and credit scores, particularly in small to midsize businesses where much of the owners' personal information is included within the business documentation. It can also result in being denied new accounts, not getting clients that see bad marks on the business's credit reports when doing checks of their fiscal health, or even losing their ability to write checks. Such problems are typically eventually resolved, but it can cost hundreds of hours of work to do, and potentially cost hundreds of thousands of dollars in the meantime.
What can businesses do?
Of course every business needs to have effective information security and privacy controls and policies in place, such as those recommended by IBM. In addition to these, to protect against business identity theft organizations should do the following.
1) Monitor their state business registration information. Check it at least once a year for all active and closed businesses to make sure there are no revenues or locations that are not recognized, or that do not apply to their businesses.
2) Sign up for digital alerts. Many states offer free email and/or text alerts that will let business owners know when their business registration information, (name, address, registered agent, business owner and officer information) has changed. Such alerts can provide an early warning of potential fraud. Most states have resource pages that provide information for how to do this.
3) Periodically go to the state websites where business information is provided and perform a business entity search to see the information they have for the business. Make sure the information is correct. Also check for any closed businesses. Business leaders need to make sure some fraudster has not reinstated it.
4) Always file state business reports and renewals on time. If business leaders are late doing this, they risk administrative dissolution of their company for failure to file. Business identity crooks look for this type of lapse and target businesses that are classified as inactive, suspended, in default, and so on. Crooks love to identify businesses that appear to be lax in their record keeping because this is often a sign that they will be lax in their security, lax in checking their business information, and sloppy in other protections as well. More opportunity for them to use the business's identity for a longer period of time without getting caught.
5) Protect business EINs. Too many small and mid-size businesses are nonchalant when it comes to safeguarding their EINs, usually because they are not aware of how easily their business could be defrauded if the EIN got into fraudsters' hands. However, I've also seen a lot of bad advice online saying there is no risk in sharing EINs...do not believe it! Such advice may have been provided by crooks that want to get their hands on the EINs to do what I've described here. Know the circumstances for when EINs must be provided (e.g., opening business bank accounts, doing taxes and wages reports, and on W-9 forms), and do not give EINs in other situations.
6) Part of general information security controls mentioned above this list, but worth elaborating on: Secure all documents with business information and identifiers in a place that is accessible only to authorized individuals. Always protect and secure hard copy documents that contain business identifiers, account numbers, and other sensitive information at all times. This includes from the point in time documents are created, to the point in time they are disposed of. Which brings us to...
7) Finely and irreversibly shred documents that are no longer needed containing business information and/or identifiers. Also irreversibly remove such information from digital storage devices, computing devices, fax machines, copy machines and printers.
From Privacy Professor.