When we think about fraud committed against individuals, many of us immediately think of identity theft. Identity theft is the taking of a victim’s private information (such as their social insurance number or birthdate) to use for financial gain. Examples of identity theft include applying for and using a credit card with the stolen information. Our awareness of identity theft as a crime has increased significantly over the past few years, because the issue has been regularly featured on the news and in popular culture, and the risks have been frequently highlighted by financial literacy organizations (such as CPA Canada).
What is business identity theft?
Though many people are well aware of the risks of individual identity theft, what is not as commonly known is that identity theft can just as easily happen to a business. Identity theft for a business has the same definition as for an individual: acquiring a business’s private information to use for financial gain.
Why does business identity theft happen?
Any person(s) committing fraud, including identity theft, will typically need to have all three of the following factors: incentive, rationalization and opportunity. These factors are, in fact, more commonly present when committing business identity theft for the following reasons:
Incentive: A business will typically have access to a greater amount of money than an individual. This includes corporate bank accounts, credit cards and access to large loans from banks. Therefore, the financial incentive for committing business identity theft is higher.
Rationalization: A person that will commit any fraud, including identity theft, will typically need to convince themselves it is ok to commit this crime. This is much easier to believe when the crime is committed against a business, which can be viewed as an entity and not an individual and, therefore, cannot be personally hurt by the act.
Opportunity: Finally, a person that intends to commit identity theft needs the opportunity to acquire key information. For a business, this key information is more likely to be publicly available on a company website and/or social media accounts and, therefore, easier to acquire.
What information is needed to commit business identity theft?
For individual identity theft, a person’s social insurance number (SIN) and birthdate are key pieces of information to acquire. For a business, the key information to protect against identity theft is your company’s business number (BN) and/or provincial tax identification number. In Ontario, that would be your Business Identification Number (BIN). Other key information that may be used for business identity theft include:
legal corporate / business name
employee information (e.g., email addresses and phone numbers)
What are examples of business identity theft schemes?
There are several ways in which a business identity thief can use the acquired information for financial gain. Examples include:
transferring funds out of the business bank accounts
opening and using a corporate credit card
applying for and receiving a loan from the bank
making large business purchase orders
filing false tax returns to receive refund amounts from the government
What are the consequences of business identity theft?
The consequences of identity theft for a business, much like for an individual, is lost time and money. Examples include:
loss of revenue and cash from the business if fraudulent purchases are made
reputational damage if the fraudulent use of the business’s identity is carried out in ways that are antithetical to the business
tax liabilities to the government if fraudulent corporate tax returns are filed
How can businesses mitigate the risk of identity theft?
To mitigate business identity fraud, there are both preventative and detective actions that can be taken. Preventative actions help to protect against the theft occurring in the first place. Detective actions help to discover the business identity theft before significant losses have occurred.
Protect your BN as you would protect your individual SIN. Only provide this number to approved and authorized employees, customers, suppliers or third parties (such as the CRA).
Restrict access to key websites. For example, only authorized individuals should be allowed administrative access to the company website, online accounting software or CRA business account.
Use strong passwords / passphrases for access to key websites, and change these on a regular basis (at least annually).
Protect your business banking information when making or receiving electronic payments. For example, do not make an online supplier payment on a public computer / browser, such as at the business center of a hotel.
Review all public information for your company, specifically on the company website and social media accounts. Make a list of key identifiers (such as mailing address and legal corporate name), and evaluate the purpose of having this as publicly known information. Remove this information from any websites and/or social media accounts if it serves no benefit to the company to have it public.
Review and reconcile all corporate bank and credit card accounts on a regular basis (at least monthly).
Review your business credit reports on a regular basis (at least monthly). The four nationwide credit reporting bureaus in Canada are Equifax, Experian, TransUnion and Dun & Bradstreet.
Review your business tax account (made available by the CRA) on a regular basis (at least monthly).
This article is reprinted from the newsletter BUSINESS MATTERS with the permission of CPA Canada. BUSINESS MATTERS is a bimonthly newsletter prepared by the CPA Canada for the clients of its members.
BUSINESS MATTERS deals with a number of complex issues in a concise manner; it is recommended that accounting, legal or other appropriate professional advice should be sought before acting upon any of the information contained therein.
Although every reasonable effort has been made to ensure the accuracy of the information contained in this letter, no individual or organization involved in either the preparation or distribution of this letter accepts any contractual, tortious, or any other form of liability for its contents or for any consequences arising from its use.
Richard Fulcher, CPA, CA – Author; Patricia Adamson, M.A., M.I.St. – CPA Canada Editor.