Everything You Need to Know About Business Identity Theft

Fiona Dalton

In 2024 alone, 80% of businesses reported that they dealt with attempted business fraud. It’s no secret that you need to be careful to avoid personal identity theft, but remember: a business can be a target too. Identity fraud against companies is rising fast, and even small firms are getting hit.

Fixing the damage of business identity theft takes time, but unfortunately, reputational damage can be irreparable. This guide explains how business identity theft works and how a company can protect itself.

What Business Identity Theft Means

Business identity theft happens when cybercriminals, often acting within a group, pretend to be a real company. Sometimes, an individual will pose as a business owner or executive, and with that false identity, they’re able to open accounts and take out credit fraudulently.

It feels intuitive to assume that fraud is only a risk for large enterprises, but the risk is high for small businesses, as they often have fewer checks in place. Problems can go unnoticed until a payment is missing or a vendor calls with a concern.

The Different Forms of Business Identity Theft

Criminals use several methods to steal a company’s identity, and it’s important to be aware of all of them. Different methods are appearing every year, but most commonly, fraudsters use the following:

Opening credit lines or loans under the business name, and cashing them into their own accounts
Taking over or copying a company’s website, forcing the real company to pay to get it back
Filing fake tax bills and refund forms to redirect money or take control of business records.

How Criminals Pull It Off

So, how do criminals manage to pull off such large-scale fraud? Many attacks start with phishing. A criminal will send an email that looks like it came from a boss or business partner, with the message linking to a fake login page. Once an employee enters their details, the criminal has access to real accounts.

Other scams skip the initial login stage. For instance, the scammer may pretend to be a vendor and “confirm” new bank details. Payments will get sent to the wrong place before anyone notices, and then it’s already too late to take action. Alternatively, some attackers file fake updates to public business records, which can change addresses, ownership, or tax information.

To prevent business identity fraud from happening, clear audit trails are essential. Nowadays, software platforms exist to help, enabling businesses to automate audit verification through detailed activity logs and notifications.

Signs Your Business May Be a Target

While fraudsters go to great lengths to cover their tracks, they usually still leave clues. To catch business identity fraud before it occurs, a company should pay attention to:

Credit checks that it did not request
Clients who report invoices they never received
Vendors who ask about payment changes that no one made
Login alerts from new devices or unfamiliar places
Drops in domain reputation or reports of spoofed emails
Strange filings that appear in public business records

Ways to Reduce the Risk

Thankfully, there are many simple habits and workflows that a business can adopt to protect itself from business identity fraud. Automation can help, but only when paired with strong rules and checks. Otherwise, it can have the opposite effect.

Secure Vendor Onboarding

Firstly, every vendor should go through the same SOP before being added to a business’s system. Every detail should be verified, and all approved contact methods should be kept on file. This blocks fake vendors from slipping into inboxes.

Cyberattack Insurance

Risk mitigation is ideal, but it’s still wise to be prepared for the worse. In the event that a company does fall victim to business identity theft, a disaster can be significantly mitigated through cyberattack insurance. It helps businesses recuperate the costs of dealing with a cyberattack, helping them get back on their feet as soon as possible.

It’s also useful to educate your employees on individual identity theft protection service, as this helps them understand how to safeguard their personal information if a breach happens.

Clear Payment Verification

Any payment or bank detail change should pass a two-person approval without exception. It only takes a few moments to make a quick callback to a client or vendor, and just like that, you can confirm that a request is real.

Strong Access Controls

While it might seem efficient or more economical, software accounts should never be shared between employees. MFA should be on for every user, and when someone leaves the company, their access must be removed at once.

Routine Checks

As was previously touched on, business process automation can be invaluable. However, it shouldn’t ever replace regular reviews. Regardless of automated SOPs, a business should routinely check its domain, run invoice audits, and keep an eye on vendor lists. Furthermore, public business filings should be reviewed for unauthorized changes.

What to Do If Fraud Happens

Hopefully, the steps outlined in this article will help you to avoid business identity fraud altogether. If the worst comes to the worst, remember that quick action limits the damage.

In such a case, a business should immediately freeze affected accounts and warn vendors. Then, it should gather copies of any fake documents, alert credit agencies, and verify its public filings. If all else fails, cyberattack insurance can cover many of the financial losses of business identity fraud. It can’t repair the full damage, but it still keeps the situation from becoming a full-blown crisis.

Categories: Business, Security
Tags: access control, business fraud, business identity theft, business security, cyber insurance, cybersecurity, fraud prevention, identity theft, phishing protection, vendor verification

Cookie	Duration	Description
akavpau_ppsd	session	This cookie is provided by Paypal. The cookie is used in context with transactions on the website.
nsid	session	This cookie is set by the provider PayPal. This cookie is used to enable the PayPal payment service in the website.
tsrce	3 days	This cookie is set by the provider PayPal. This cookie is used to enable the PayPal payment service in the website.
x-pp-s	session	This cookie is set by the provider PayPal. This cookie is used to process payments from the site.

Cookie	Duration	Description
ac_enable_tracking	1 month	This cookie is set by the Active Campaign. This cookie is used to keep track of the site usage.
YSC	session	This cookies is set by Youtube and is used to track the views of embedded videos.

Cookie	Duration	Description
_ga	2 years	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors.
_gcl_au	3 months	This cookie is used by Google Analytics to understand user interaction with the website.
_gid	1 day	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the website is doing. The data collected including the number visitors, the source where they have come from, and the pages visted in an anonymous form.
_hjFirstSeen	30 minutes	This is set by Hotjar to identify a new user’s first session. It stores a true/false value, indicating whether this was the first time Hotjar saw this user. It is used by Recording filters to identify new user sessions.
_omappvp	11 years	The cookie is set to identify new vs returning users. The cookie is used in conjunction with _omappvs cookie to determine whether a user is new or returning.
_omappvs	20 minutes	The cookie is used to in conjunction with the _omappvp cookies. If the cookies are set, the user is a returning user. If neither of the cookies are set, the user is a new user.
_uetsid	1 day	This cookies are used to collect analytical information about how visitors use the website. This information is used to compile report and improve site.

Cookie	Duration	Description
_fbp	3 months	This cookie is set by Facebook to deliver advertisement when they are on Facebook or a digital platform powered by Facebook advertising after visiting this website.
fr	3 months	The cookie is set by Facebook to show relevant advertisments to the users and measure and improve the advertisements. The cookie also tracks the behavior of the user across the web on sites that have Facebook pixel or Facebook social plugin.
IDE	1 year 24 days	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
MUID	1 year 24 days	Used by Microsoft as a unique identifier. The cookie is set by embedded Microsoft scripts. The purpose of this cookie is to synchronize the ID across many different Microsoft domains to enable user tracking.
test_cookie	15 minutes	This cookie is set by doubleclick.net. The purpose of the cookie is to determine if the user's browser supports cookies.
uid		This cookie is used to measure the number and behavior of the visitors to the website anonymously. The data includes the number of visits, average duration of the visit on the website, pages visited, etc. for the purpose of better understanding user preferences for targeted advertisments.
VISITOR_INFO1_LIVE	5 months 27 days	This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.

Cookie	Duration	Description
_fw_crm_v	1 year	No description
_gat_UA-124464104-1	1 minute	No description
_gat_UA-182261587-1	1 minute	No description
_hjAbsoluteSessionInProgress	30 minutes	No description
_hjid	1 year	This cookie is set by Hotjar. This cookie is set when the customer first lands on a page with the Hotjar script. It is used to persist the random user ID, unique to that site on the browser. This ensures that behavior in subsequent visits to the same site will be attributed to the same user ID.
_hjIncludedInPageviewSample	2 minutes	No description
_hjIncludedInSessionSample	2 minutes	No description
_hjTLDTest	session	No description
_lfa	2 years	This cookie is set by the provider Leadfeeder. This cookie is used for identifying the IP address of devices visiting the website. The cookie collects information such as IP addresses, time spent on website and page requests for the visits.This collected information is used for retargeting of multiple users routing from the same IP address.
_seg_uid	1 year	No description
_seg_uid_3536	1 year	No description
_seg_visitor_3536	1 year	No description
_uetvid	16 days 6 hours	No description
CONSENT	16 years 8 months 2 days 6 hours	No description
cookielawinfo-checkbox-functional	1 year	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-others	1 year	No description
DO-LB		No description
enforce_policy	1 year	No description
hyperise_session	2 hours	No description
l7_az	30 minutes	No description
LANG	9 hours	No description
prism_799560831	1 month	No description
RUL	1 year	No description
whr_nov	1 year	No description
x-cdn		No description