In 2010, businesses across Colorado were being billed by big retailers like Home Depot, Office Depot and Dell for charges they didn’t make. Investigators finally cracked the case when they realized the businesses had been victims of a new scam, known as business identity theft, in which criminals surreptitiously created the appearance that they ran the corporations.
Eventually, investigators learned, more 300 business had become targeted as part of a $3.5 million scam. Today, businesses across the country are still vulnerable, largely due to a glaring security vulnerability facing business records held by state governments.
In most states, corporations are required to maintain a record of their basic business information with the secretary of state. Those files include the names of company officials and the company’s address. But in many states, those records can be edited by just about anybody. Essentially, the contents of those records are about as immune from edits as a Wikipedia page.
That’s because many state secretaries lack the budgets – or even the legal authority – to question the validity of changes made to those records. “They essentially take it at face value, as long as the information is complete,” says Michael Barnett, executive director of the Identity Theft Protection Association.
That means that criminals are able to hijack companies and rack up debts on their dime. There are many types of scams, but the typical one goes like this: a criminal will name himself a director of an existing company, change its address to match an office he already has access to, and then start applying for credit using the company’s name.
Retailers check with business credit rating agencies to make sure an applicant’s information is accurate. But according to state secretaries, they often can’t detect the fraud, because they typically compare an applicant’s information to the very state records he’s altered.
Once the crook gets a business account with a retailer, he can start making purchases using the company’s name. And when he’s done, the business is left with the debts and the devastated credit. The fraud is especially attractive since in some circumstances, a retailer may be willing to offer more credit with less scrutiny than would typically be offered to an individual.
While most personal consumers are aware of the threat of identify theft, the same can’t be said of businesses. “I think most business owners are somewhere between not knowledgeable and totally clueless,” says North Carolina Secretary of State Elaine Marshall.
Most business record databases lack the basic password protections that are standard on just about every website that has user accounts, whether they be for shopping, social media or games. In many places, a business owner’s fantasy baseball lineup is less susceptible to tampering than his company’s records.
But state secretaries are hoping to change that. In October, state secretaries convened in Atlanta to examine the issue, and business identity theft was on their radar again at their annual conference in Washington, D.C. earlier this year.
Colorado officials recently instituted a password protection system in which business owners were sent PIN numbers that they then used to create passwords that they will need to alter their records. Colorado officials believe they are the first state to take that step. “[T]he technology is not terribly complicated,” says Andrew Cole, a spokesman for the state secretary’s office. “It’s kind of almost embarrassing to say we’re the first. It’s not like we reinvented the wheel.”
Other states are making security enhancements as well. In Georgia, a new policy requires that all corporations provide at least one email address with their business filings. Whenever any change is made to the records, an email is sent to every email address ever associated with the business. Email addresses can’t be deleted, which prevents potential crooks from blocking the warnings.
North Carolina officials realized that crooks were especially focused on targeting dissolved companies since their long history helped improve their access to credit, and the fact that they weren’t actively monitored made criminals less likely to be caught.
In a departure from past policy, if a business owner today tries to revive his dissolved corporation, he’ll get a notice from the secretary’s office alerting him to the change and requesting that he follow-up if it wasn’t authorized. The state is also using fraud detection software to identify questionable changes to its records. An address that was updated in the middle of the night, for example, may be a red flag that someone edited it from abroad, a possible indicator of fraud.
Meanwhile, state secretaries across the country are launching education campaigns to warn business about the issue. Later this year, the National Association of Secretaries of State will launch a website in conjunction with Barnett’s organization, businessidtheft.org, that will provide tips on business identify theft prevention and links to agencies that businesses should contact in the event they are victimized.
Marshall, of North Carolina, also says business owners should examine their state records monthly to make sure they haven’t been altered.
The new proactive approach represents a challenge for state governments, who have historically sought records systems that were simple and unlikely to cause complications for business owners. Now, that old approach is appearing vulnerable. “The more technology we embrace, the more anonymity comes with it,” Marshall says. “We all want to do things faster, easier and cheaper. But there comes a point when you’ve got to realize what we’re giving up.”
Barnett says that, because business don’t have the same type of protections as consumers, they might actually be on the hook for some of the debt racked up in their name. It can be a difficult crime to track, since many businesses don’t want to come to the authorities when they’ve been victimized for fear of concerning their shareholders. In many cases, experts say, some corporations just consider identify theft as a cost of business.
Meanwhile, it’s often difficult to prosecute those who commit business identify theft, since many states lack laws that specifically identify it as a crime. It was only in 2006 that California became the first state to specifically add businesses to the statute that makes identity theft a crime.
Colorado Secretary of State Scott Gessler said it only cost $70,000 to $80,000 to create the password system, but the payoff will be huge. Now, he’s urging his fellow state secretaries to do the same. “I tell my brethren, you better do something,” Gessler says. “They’re no longer in Colorado. They’re coming to your states instead.”
Homepage photo via Shutterstock.