Tips to combat business identity theft
Business-to-business fraud is nothing new, and companies of all sizes should know by now the importance of safeguarding themselves from fraud, which is perpetrated in many forms. Criminals are constantly changing tactics, and data is all too readily available – the result is that companies are more vulnerable than ever to having their data, business identity, or information stolen by fraudsters. According to Dun & Bradstreet, instances of business identity theft were up 46% year-over-year in 2017.
While there are many methods of business fraud, including cybersecurity attacks and employee theft, business identity theft is of particular concern to business owners and finance professionals such as credit managers. Criminals who steal a business’s identity work to obtain a new line of credit or take advantage of an existing one, allowing them to order goods they never intend to pay for. When companies fall prey to this type of fraud, the victims can include the business whose identity was compromised, through damage to its reputation and financial standing; the supplier that is not going to get paid; and other companies overall, which in turn make up for the losses by passing higher prices on to other businesses and consumers.
Credit and risk professionals who receive suspicious orders or requests for credit can help stop their companies from becoming victims of business identity theft through targeted prevention and detection by following these fraud-prevention tips:
The 5Cs of Fraud Prevention
1. Confirmation: Is the business who it says it is? Is the person placing the order even who they say they are? It’s important to remember that companies do not commit business-to-business fraud; people do. This can include individuals who start out with the intent to defraud, but also cases where the individual evolved into committing fraud. Therefore, when you receive a new application for credit, it’s common sense to perform due diligence and identify signals, often called red flags. A quick check of a state’s Secretary of State business registration database used to be the go-to source to confirm whether a business is registered, in good standing to operate in the state, or has a valid address. However, it has been reported that some Secretary of State databases have weak verification protocols and have had their records compromised in the past. These days, multi-sourcing is a best practice. This can include searching for a business license, professional license (if the business is in a regulated industry), real estate property records, and website domain registries. In addition, reviewing a business credit report from a bureau such as Dun & Bradstreet, which draws on tens of thousands of sources and has developed predictive signals, can be helpful in confirming background information on a company.
2. Condition: Is the business (and/or its executives) active? After you’ve confirmed that the business exists and is in good standing, the next step is to find out its status or activity, and see if it matches what you expect. For example, does it post regularly on social media, and should it? (Don’t put too much trust in social media, which can be easily manipulated, but it supports the multi-sourcing process.) Does it have credible and valid contact information on its website or an “About Us” section that names the company’s owner or executives, and lists its address? (Again, be careful, as websites can also be easily produced.) It’s true that some smaller businesses may not want to list their address or other identifying information on their website, but that has fast become the exception. In most instances, the balance between brand, recognition, marketing, and credibility has overruled the fear of having data compromised. Remember: if a company wants to do business with you, it should be willing to provide reputable references and legitimate confirmation of its condition, as well as references from its bank, accountant, attorney, etc.
3. Consistency: Are stated facts consistent with other sources or what you expect? If you’ve confirmed that the person is real, is who they say they are, and the business exists and is operating legitimately, the next step is to look for consistency – or a lack thereof. For example, does the company president also run a dozen other businesses registered at the same location? If so, does that make sense? Does the credit applicant’s email address match the company’s website? Or are they using a personal email address? If it’s not a first-time credit application, has the “ship to” address somewhat mysteriously changed? Does the credit application state the company has been around for five years, but you notice on a domain registry the website was registered six months ago? These can be an indication of misrepresentation at the least, and fraud at the most. These minute details can be easy to overlook, especially in today’s fast-paced environment, but if you receive an unusual order from what (at first pass) appears to be a legitimate company, at a suspicious or inconsistent physical or virtual address, it is a definite red flag that is worth the time to research.
4. Character: Are there any past issues that could make current or future transactions risky? Because fraudsters adapt quickly, it’s important to gain situational awareness and understand trends. Remember, companies are made up of people. When it comes to character, things such as online complaints, adverse news stories, civil and criminal cases, and other unfavorable information in a business credit report can reveal notable skeletons in the closet. However, many businesses have faced tough times and have good intentions, so having unfavorable information from a while ago doesn’t necessarily mean that the owners have poor character or are a potential fraud risk. Still, someone who begs their salesperson for an order to be placed ASAP to try to bypass the usual due diligence steps, and/or is willing to accept what are normally unfavorable terms (e.g., net 15 when your norm is net 30), may be posing as a dream customer to put one over on you.
5. Continuity: Not all fraudulent acts are one-and-done. Some fraudsters default on the first payment; others may pay within terms the first two or three times to establish credibility, then ask for higher credit limits only to commit fraud after they’ve gained your trust. (But keep in mind, a customer who stops paying isn’t necessarily a case of fraud.) If a company’s status changes and it now poses a risk, you need to know about it to judge this case as well as inform your future decisions. Monitor your customer accounts so that you are alerted the moment negative conditions are evident and so that you understand aging receivables, especially trends. You just might save your company some grief if you flag the account as high-risk to prevent any fraud from occurring. It’s important to maintain a series of checks and proper controls to address and combat business identity theft and business credit fraud. Remember, the game is not in your favor, even when you count the orders that do pay against the ones that skipped out on the bill.
Combating fraud requires both a proactive and detective approach. The 5Cs of fraud prevention, used by many organizations and offering insight and guidance on how to address and combat fraud, can provide companies with a strategic framework to guide their risk management efforts.