Identity theft is a growing, global menace. The use of stolen personal information to fraudulently order goods or obtain credit is the fastest growing crime in the US, according to the Federal Bureau of Investigation. In the UK, four out of 10 people say they have fallen victim to identity theft. Banks and credit card companies often reimburse defrauded customers, but the personal inconvenience of getting cards cancelled and reissued is enormous. And it can be harder to apply for legitimate loans or credit in future. But identity theft is not only a pain for private individuals. Companies are, increasingly, finding that their identities are being stolen or that, in more sophisticated cases, they are being cleverly impersonated. Corporate identity theft happens when fraudsters steal the identity of a legitimate company and then trade under its credit and name. It can affect companies through assets being stolen and bank accounts emptied by fraudsters trading on the company’s creditworthiness, for example.
In an increasingly globalised business environment, the crime often has an international dimension, regardless of where the target company is based. In one typical case highlighted by police in the UK, for example, companies in France, Spain, Germany, Portugal and Austria received orders for computer parts and spares from a UK business called PC Specialist. Those that checked the company’s background would have found that it had a good credit rating and trading history. The orders asked the goods to be delivered to an address in London, with invoices sent to the company’s head office, which was in a different part of the country. The orders carried the official PC Specialist logo, and logos from National Westminster and Halifax banks. But they were fraudulent. PC Specialist was a legitimate company, but criminals had stolen its identity. Such corporate identity theft is one of the fastest growing risks businesses face and will cost UK companies £700m a year by 2020, an increase of 1,300 percent on current levels, according to leading commercial insurer Royal & SunAlliance (R&SA). The insurer says that large businesses with over 250 employees will pick up the biggest share of costs. The sectors most likely to be affected are communications, banking, finance and insurance. “Companies are increasingly being affected by corporate identity theft and many are worried about the risks of fraudsters stealing their company identity, as this could lead to a loss of competitive advantage or public confidence,” says Jon Woodman, director of risk solutions at R&SA.
A case like PC Specialist relies on a few faked logos, but in more advanced identity frauds the criminals will actually change the target company’s registered details. In the UK, these are held at Companies House, a government agency. Of the 500,000 documents filed here each month, only about 50 are identified as false, but the Metropolitan Police estimate that each false filing can result in a £1m fraud. “The trick appears to be gaining control of a company and its assets as far as third parties are concerned,” says Ian Manson of Digita, an accountancy software firm. A Digita report on identity theft, called ‘Keeping the Record Straight,’ highlights some examples. In one case, fraudsters stole a company’s identity and used it to sell off an office block that it owned in Moscow. “The true owners only found out it was no longer in their possession when they were barred from entering it,” says Mr Manson. In another case, the proprietor of a family owned business found that its registered office had been changed from the address where it had been for over 100 years. To add an extra veneer of fraudulent credibility, the criminals had even stolen the company’s nameplate from the front of its building.
Other frauds include setting up bogus companies, falsely manufacturing accounts and even stealing the identity of auditors to ensure that these accounts appear to be credible. Mr Manson says that nine audit firms have had their details appropriated to legitimise a false set of accounts over the last nine months. “Another 100 sets of accounts have been set up using completely fictitious auditor details over the same period,” he adds. Prosecutors have scored some limited wins against identity fraudsters. In one recent case a disgraced Russian bank chief was jailed for six years after being found guilty of running an international identity theft gang. The sophisticated operation saw tens of thousands of British, American and Spanish account holders defrauded out of millions of pounds. Police believe the internet-based scam lasted a decade. The criminals used compromised credit cards to buy large numbers of electrical goods that they then sold on eBay, the online auction site. They also used the money for gambling on sports and to set up fake merchant accounts. They created large numbers of false documents and even a bogus legal firm to help generate numerous fictitious identities. Hundreds of bank accounts were then opened in those names for the huge amounts of illicit cash flooding in. At the heart of the scam was Anton Dolgov, the former head of the ill-fated Moscow City Bank, which collapsed in 1994 with debts of up to $120m. As the ‘general manager’ of the operation, he is thought to have a huge fortune stashed in secret Russian bank accounts waiting for him when he finally emerges from prison, according to press reports. Mr Dolgov admitted conspiracies to defraud, to obtain services by deception, to acquire and use and possess criminal property. The FBI is also trying to crack down on international identity theft. It recently targeted one operation that involved the trading of social security numbers, the sale of stolen credit card account information, and phishing, the practice of using email to trick consumers into handing over personal information. The Washington Post reported that an investigation called Operation Cardkeeper had led to the arrests of more than a dozen people in the US and other countries, all of whom are alleged members of online communities that specialize in ‘carding,’ the trafficking of stolen identities and credit card and bank account information. “We are sharing evidence and using sophisticated techniques like never before,” said James Finch, assistant director of the FBI’s Cyber Division. “Cyber criminals will no longer be able to hide behind borders to conduct their illicit business.”
Combating corporate identity fraud is more difficult. In the UK, Companies House – the official repository for corporate documents – has created an online filing scheme, called PROOF, where only mutually approved documents are registered. It has also launched a monitoring service that lets a company know each time a change of record has been made. There has also been a legislative crackdown. Under a new Companies Act it is an offence for a person to knowingly or recklessly deliver or cause to be delivered (to Companies House) a document that is misleading, false or deceptive in a material particular. Those convicted face up to two years imprisonment, or a fine, or both. “If every company were to opt in to the PROOF scheme tomorrow, and of course guard their company authentication codes as carefully as they guard their bank account PIN numbers, then the phenomenon of company hijacking would almost certainly disappear overnight,” says Mr Manson. But fraudsters are innovative people, and other identity frauds might prove harder to guard against. City of London police warned recently of a new identity con that exploits the international nature of business. Here, criminals are hi-jacking corporate identities with a view to compromising their bank accounts and transferring money overseas. These attacks have been aimed at foreign-based companies, which usually have a representative office in the UK, and have existing accounts with a UK bank. The intended victim will also usually have a ‘faxed indemnity’ arrangement in place with the bank. Popular targets have been foreign airlines, banking institutions and even embassies. The fraud works like this. The criminals contact the relationship manager at the UK bank, purporting to be the genuine client and informing them that they are changing their contact details, usually giving the excuse that a temporary move of office is necessary due to refurbishment. They will then give the relationship manager their new telephone and fax number, and occasionally an email address. These telephone numbers are generally arranged in advance, via the internet, and are able to be diverted to mobiles and ‘fax to e-mail’ facilities. The criminals will then ask for confirmation from the bank, acknowledging the new details, and this will provide them with a headed, signed fax from the bank, which they can copy and manipulate for future use against the intended victim.
New contact details
At the same time, the criminals will also make contact with the finance director, or equivalent, of the targeted company purporting to be the relationship manager of the UK bank. They will provide the same, new telephone and fax contact numbers to the company using the excuse that the bank is experiencing computer problems or their records need updating. Again, they will request confirmation from the company acknowledging the new contact details, and a headed, signed fax will be forwarded to the criminals, which they can then use in their correspondence with the bank. Once these steps have been taken, the criminals are then effectively in control of the direct line of communication between the bank and its client. The criminals then do one of two things. They either request that a new account be opened with the UK bank and the company’s existing overdraft facility be extended to this account, or they continue to forward any faxed indemnity transfer requests they receive from the victim to the bank as normal. After a short period of time, the criminals will then fax the bank a number of high-value transfer requests, from the existing or newly opened account, to recipient accounts, usually based in Japan or Pakistan, resulting in substantial losses to the victims. This kind of identity fraud requires a great deal of planning and research. “It is apparent that the criminals carry out ‘homework’ before making the approach to the bank and the intended victim,” says a police briefing note. “They usually know the management structure of the target company and will use the name of the relevant finance director or similar in their correspondence. They will also usually know the name of the relevant relationship manger at the bank, to whom they need to speak.” More companies will have to adapt their fraud controls to deal with this and other kinds of identity theft, says Simon Wallace of the Centre for Economic and Business Research. “We are on the cusp of a potential boom in corporate identity theft,” he believes. “With almost universal computer usage and internet coverage in the business environment, the potential for corporate identity theft is more significant than ever. Those willing to hack, scam and defraud will find new and technically advanced methods to open up the necessary loop holes and steal a firm’s identity.”