[BreachExchange] Preventing Business Identity Theft

Audrey McNeil audrey at riskbasedsecurity.com
Wed Jun 22 19:51:25 EDT 2016


http://www.insideindianabusiness.com/story/32269963/preventing-business-identity-theft

How would you respond to receiving an $800,000 notice of deficiency
requiring immediate payment for unpaid payroll taxes for 100 employees who
never even worked for your company? This scenario is exactly what happened
to a Captain D’s Seafood franchisee in Georgia. Thieves stole his Employer
Identification Number (EIN) and used it in a tax refund scheme reporting
more than $4 million in fictional salaries to the IRS and state tax
agencies.

An EIN is a business form of a Social Security number. It is commonly
required and used to uniquely identify each business. EINs are readily
available in public documents such as business filings and business credit
reports.

For the tax refund scheme to work, the fraudulent wages and withholding on
the phony W-2 must appear to come from a legitimate employer, requiring an
employer’s business name, address and EIN. With the increase of e-filing
and electronic tax filing software, an actual W-2 document is not even
required.  The criminal simply enters the information into the form,
electronically submits the fraudulent return, then waits to collect the
refund check.

The IRS does have an employee/employer matching process in place to reduce
this type of fraud; however, it doesn't begin until after the January 31
deadline for W-2 distribution to employees. Criminals file these fraudulent
returns as early as possible, allowing them to receive the refunds before
the matching process even begins.

In 2013, the Treasury Inspector General for Tax Administration (TIGTA)
estimated that the IRS may have issued nearly $2.3 billion each year in
potentially fraudulent tax refunds based on stolen EINs, and estimated
$11.4 billion over the next five years. In 2011 alone, 277,624 EINs used
were stolen from legitimate businesses.

Other ways your stolen EIN can be used:


- Establish fraudulent corporate credit card accounts.
- Establish fraudulent business banking accounts.
- Establish fraudulent personal credit.
- Employees can fraudulently use it to purchase tax-free wholesale goods.
  If your business is audited by the IRS, you can’t account for these
  goods or for not paying taxes on them.


Business identity theft is one of the newest threats to businesses across
the country. Once a business’ identity has been compromised, the criminals
can go on a spending spree buying electronics, office equipment, gift
cards, liquidating lines of credit or opening new lines, filing fraudulent
tax returns and more. In severe cases, businesses have even had to close
their doors because of insolvency caused by these criminal activities. It
takes vigilance and proactive steps to combat these criminals.

The best way to minimize the threat of this happening to your business or
organization is by addressing any weaknesses in your security practices.
Both physical security and cybersecurity must be considered. This dual
approach provides the best protection against a growing threat.

From the physical security front, the following steps are recommended:

- Protect company documents by limiting their access to only authorized
  personnel. Keep them in a secure environment and shred before disposing
  of them.
- Never provide your business' Employer Identification Number (EIN) unless
  you made the initial contact. Protect it like you would your Social
  Security number.
- Annually monitor business credit reports with the credit bureaus: Dun &
  Bradstreet; Equifax; Experian; and TransUnion.
- Review your commercial banking agreements. Know your bank’s policies for
  fraudulent transactions and how they would impact your business’
  liability.
- Consider online banking. It provides the opportunity to monitor your
  accounts daily and quickly discover any fraudulent activity. Make sure
  you use strong passwords. Also consider email or text alerts for
  real-time notification of banking activity.
- Keep all banking and checking supplies in a secure location and only
  accessible by authorized persons.
- Review banking statements as soon as they arrive. Even the smallest
  transaction could be fraudulent. Criminals commonly start with small
  purchases to see if the transaction is caught before graduating to
  larger purchases.
- Keep your company and personal finances separate. Most banks and credit
  card issuers exclude business-related purchases made with a personal
  card from their "100 percent fraud protection" guarantees.
- Annually check with your Secretary of State to ensure that your business
  entity’s details are current. Update changes as soon as they happen.

From the cybersecurity side, consider the following practices:

- Have your server in a locked room with access only for authorized
  personnel.
- Install a security system with monitoring.
- Install both hardware and software firewalls.
- Encrypt your data.
- If your employees take their laptops outside of the office, encrypt
  their hard drives.
- Use strong passwords with 8+ elements including upper and lowercase
  letters, numbers and characters. Update them once per quarter.

With the sophistication of technology and the pace at which it is
improving, implementing effective security systems is a necessary cost of
doing business. While there is no such thing as a system that cannot be
hacked, many criminals who desire profit won’t waste time or resources
going after a difficult target; instead, they will move on to easier ones.

Business identity theft, like most kinds of fraud, thrives in an
environment of complacency. To avoid its potentially devastating
repercussions, you need to take proactive steps to combat these
criminals.