Business identity theft is a popular and growing tactic that is being used by fraudsters across the globe.
The Australian Government Australian Cyber Security Centre (ACSC) identified that $98 million was lost by Australian businesses and organisations due to business email compromise and other business identity theft schemes during the 2021-2022 financial year [1].
Any business can be affected by business identity theft and therefore all businesses should consider any associated risks and control mechanisms that can be used to combat this emerging scheme.
Business identity theft is the unauthorised use or attempted use of a business name or identity for some form of gain. This tactic of procuring improper gain by fraudsters is distinct from traditional identity theft of an individual’s details as it involves impersonating a whole business or organisation.
While many organisations have internal controls in place to combat fraud or corruption perpetrated by an employee or other associate related to the organisation, it can be easy to overlook the potential for fraud or corruption to be committed by an external party. If the risks and associated internal controls have not been considered with respect to an external attack on the business, an organisation can leave itself vulnerable to business identity theft and other schemes conducted by external parties. This may cause loss to the organisation in a number of different ways including reputational damage, payment of fictitious invoices, inappropriate banking activity, a loss of sales or customers to the perpetrator of the fraud, or legal action being taken against the organisation.
How Business Identity Theft is Perpetrated
There are many ways in which a business identity theft scheme could occur. It is vital for an organisation to understand the different ways in which fraud can be perpetrated by an external party in order to be able to combat any wrongdoing. The steps leading to business identity theft and any associated loss include the following:
Theft of Business Information
Information with respect to the entire business or a key individual within the business is stolen. This may involve any of the following methods conducted by the fraudster:
- Data breach or hack – This can involve an inadvertent leak of data by a business, an employee intentionally leaking data to an external party, usually in association with the employee receiving a bribe or kickback, or an external party launching a cyber-attack on the organisation with the aim of stealing confidential and identity related information.
- Phishing – Where a potential fraudster uses an email to imitate another business or website that appears legitimate but is in fact intended to steal passwords and other identity related information. Other variants of phishing may also use phone calls, text messages or the imitating of a website in order to steal information.
- Malware – Fraudsters may infect the organisation’s IT systems through viruses, trojan horses, key loggers, spyware, or ransomware with the aim of obtaining confidential or identity related information.
- Shoulder surfing – Where a fraudster observes confidential, and identity related information being input by an employee of the organisation. Access by the fraudster to the organisation may be obtained through poor security, following an employee through physical access barriers, by creating a fake ID badge, or by posing as a fictious contractor, customer, or other business associate of the organisation.
- Corporate espionage – Involves the use of illegal means to gather information, including unauthorised surveillance and trespass.
- Social engineering – A method where a fraudster deceives the victim into disclosing confidential or identity related information, usually by relying on an emotional or time sensitive response from the victim.
- AI (Artificial Intelligence) – Generative AI using any Large Language Models (LLMs) such as ChatGPT, Bing Chat or Google’s Bard – used by organised crime, threat actors or cyber threat actors, and individual criminals to automate committing cyber fraud including the ability to do some of the above fraud methods.
Regulatory Compromise of the Business
Once key information and identity of the organisation is stolen, the perpetrator can pose as the business and go to banks, government authorities, lawyers, and courts to update business registration or mailing details. A fraudster may change all correspondence to their own email address, mailing address, and phone number. This enables the fraudster to then hide any further changes to the business details of the organisation as they now have control of all related correspondence.
Once this has occurred, the fraudster may be able to add themselves as a director of a business, remove others as directors of the business, and make key governance decisions on behalf of the organisation.
Fraudster Begins Acting on Behalf of the Organisation
Once a fraudster has infiltrated the organisation, they are able to make contact with customers, suppliers, and other business associates of the organisation. They can then commence siphoning funds, goods, or services from the victim organisation and its business associates to themselves for their own personal gain. Some potential schemes that may be conducted by the fraudster at this stage include:
- Sending a fake invoice to the business for payment;
- Making sales, generating revenue, and receiving cash from customers of the organisation;
- Taking out loans on behalf of the organisation with financial institutions and using the funds from the loan for personal use;
- Stealing the identities of individuals within the organisation and those of business associates to then commit traditional identity theft;
- Opening up a telephone, internet, or other expense account under the organisation’s name to be used by the fraudster for their own personal use;
- Having goods and services delivered to themselves rather than to the organisation; or
- Intentionally damaging the reputation of the organisation.
Why Are Businesses Being Targeted?
There are a number of advantages available to fraudsters who target businesses compared to those conducting traditional identity theft. The advantages for a fraudster when targeting businesses include:
- Businesses tend to have more money or credit available to them than individuals;
- Business websites may be easy access to corporate information and people to facilitate their fraud;
- Many organisations do not have sophisticated controls and as such are easier targets than individuals;
- Organisations are less likely to notice identity theft and its associated loss than individuals as high value transactions are more common; and
- Employees at an organisation may care less about fraud being committed at their organisation than if it were committed against them individually.
Prevention and Detection of Business Identity Theft
In Australia, the Australian Standard AS 8001:2021 Fraud and Corruption Control has been the pre-eminent guide on how to prevent, detect and respond to the risks of fraud and corruption. Regarding business identity theft, AS 8001:2021 outlines the following controls that could be implemented with respect to preventing the theft of business information:
- The effective implementation and operationalisation of an Information Security Management System (ISMS) for the organisation.
- Implementing passwords, firewalls, and other IT security related controls, especially to conform to relevant standards such as international standards like the AS ISO/IEC 27001 Information Technology – Security Techniques, and the Essential Eight Maturity Model from the Australian Cyber Security Centre;
- Ensuring there is perimeter security, locks, alarms, and video surveillance at the organisation’s premises; and
- Providing IT security / fraud and corruption control awareness training to all employees.
AS 8001:2021 also states that organisations shall implement pressure testing procedures for assessing the effectiveness of internal controls. This involves an independent person or team testing different situations that may occur at the organisation to assess the effectiveness of controls related to those situations. An example of this in relation to business identity theft may be posing as a fictitious contractor and attempting to gain access to the organisation’s building to see if internal controls documented in the organisations’ policies and procedures are effective in preventing access to the person testing the controls. Common vulnerabilities that can be uncovered through pressure testing include:
- A lack of fraud awareness;
- Inadequate quality assurance;
- Not verifying information or evidence;
- A lack of effective oversight;
- Weak technology controls;
- Inadequate detection controls; and
- A lack of reporting or reconciliation.
Corruption commissions / integrity bodies from around Australia often provide better practice guidance for public sector organisations that is just as relevant to the private sector. An example is Victoria’s Independent Broad-Based Anti-Corruption Commission (IBAC) that outlines on its website[2] the following suggested control measures to assist in preventing and detecting attacks perpetrated by external parties, including organised crime.
- Risk assessments should be performed to address threats presented by organised crime groups.
- Clear security standards should be documented and implemented by the organisation.
- High-value information must be identified, and the organisation must ensure appropriate protections are applied to these areas of the organisation.
- A policy should exist requiring employees to declare any association to criminal entities.
- There should be clear consequences for staff who do not make such disclosures in an appropriate manner.
- Potential employees should be screened during the recruitment process, particularly in relation to any potential previous criminal history.
- Employment screening should also be conducted for employees being promoted into high-risk positions or for employees who are about to pass their probationary period.
- Routine audits should be conducted regarding access to confidential and identity related information to see if there has been any breach of data or unusual activity with respect to this information.
Another example of better practice guidance relevant to mitigating the risk of business identity theft is from the New South Wales (NSW) Independent Commission Against Corruption (ICAC) on its website[3][4] which is also just as applicable to private sector organisations. The NSW ICAC guidance includes the following prevention and detection measures for business identity theft:
- Robust systems that ensure information is classified according to risk, stored securely and where access is managed appropriately.
- Restricting access to confidential information or payment methods to only employees who require this access, reviewing access rights on a regular basis, and maintaining a record of who has this access.
- Direct that unique username and password access for ICT systems be required (passwords should also automatically require changing on a regular basis).
- Regularly test firewalls and other security systems.
- Consider the use of encryption and/or multi-factor authentication.
For more information
Please do not hesitate to contact Roger Darvall-Stevens, Milind Sheth, Chris Scott, or any others in RSM’s Fraud & Forensic Services team to discuss how your organisation can prevent and detect potential business identity theft or discuss how we can help your organisation with fraud and corruption control better practice.
[3] https://www.icac.nsw.gov.au/prevention/corruption-prevention-advice-topics/confidential-information