Business v. individual identity theft
Businesses generally deal with larger transactions, have larger account balances and credit lines than individual taxpayers, and can set up and accept merchant credit card payments with numerous banks. Business information regarding tax identification numbers, profit margins and revenues, officers, and even officer salaries are often public and easily accessed. At the same time remedies and enforcement tend to focus more on individual identity theft. Thus, business identity theft can be more lucrative and arguably less dangerous to engage in than individual taxpayer identity theft.
Methods used
Only some of the many business identity theft schemes relate to tax. Nevertheless, such schemes can be devastating for businesses, resulting in massive employment tax liabilities for fictitious wages or huge deficiencies in reported income. Identity thieves can use a business's employer identification number (EIN) to initiate merchant card payment schemes, file false tax returns, and even generate hundreds of fake Form W-2s in furtherance of more individual taxpayer identity theft.
How they do it
Business identity theft can require less effort than individual identity theft because less information is required to establish a business or open a line of credit than is required of individuals. In general, the thief needs to obtain the business's EIN, which is easy to acquire. Common sources for an EIN include:
- Filings made to the Securities and Exchange Commission (SEC) such as the Form 10-K, which includes the EIN on its first page;
- Public databases that enable users to search for business entities sometimes also display the employer's EIN;
- Websites specifically designed to search for EINs, such as EINFinder.com;
- Business websites sometimes openly display the EIN; and
- Forms W-2, W-9, or 1099.
Once a thief has the EIN, he or she may file reports with various state Secretaries of State to change registered business addresses, registered agents' names, or even appoint new officers. In some cases the thief will apply for a line of credit using this new information. Since the official Secretary of State records display the changed information, potential creditors will not be alerted to the fraud. In one case, however, criminals changed the names of a business's officers by filing with the Secretary of State's office and then sold the whole business to a third party. In the end, however, once an identity thief has established a business name, EIN, and address information, he or she has all the basic tools necessary to perpetrate business identity theft.
Best practices
Businesses should review their banks' policies and recommendations regarding fraud protection. They should know what security measures are being offered and, if commercially reasonable, take them. In a recent U.S. district court case from Missouri, the court found that a bank was not liable for a fraudulent $440,000 wire transfer because it had offered the business a commercially reasonable security procedure, and the business had rejected it. The decision cited Uniform Commercial Code Article 4A-202(b), as adopted by the Missouri Code. Many other states have also adopted the UCC, meaning victimized businesses might find themselves without recourse against their banks in the eve