Our Wired World

Six Steps to Protect Your Business From ID Theft

Fraud is a booming business, focusing now on smaller, more vulnerable targets

by Gwen Moran

Ms. Moran is affiliated with creditcards.com, a consumer-service company whose mission is ‘to help consumers seize greater opportunity through smarter, more informed spending.’ Visit here

For the self-employed and owners of small businesses, whose time and energies are devoted to growing the company, data security often falls in priority.

It shouldn’t. Protecting your business and your clients’ financial data is critical to averting the kind of disaster that could tank your business dreams.

The dangers are real. According to the IRS, business identity theft cases have increased from around 350 in 2015 to about 10,000 cases in 2017, potentially costing $137 million total.

Fraud is a $1 Billion Enterprise

“Fraudsters are stealing as much as $1 billion a year from small and mid-sized businesses in North America and Europe, and the numbers are only going to increase,” says Mike Gross, director of product innovation for global fraud and identity at credit reporting giant Experian. “Because the largest institutions have sophisticated fraud prevention solutions in place, the latest fraud attacks are looking to exploit the next tiers of businesses that are typically not as well defended.”

Soloists, freelancers and businesses with few employees often have scarce resources available for ID theft prevention. But there are still a number of practical, affordable steps you can take to make it tougher for criminals to steal your valuable information.

1. Operate with an EIN
While a corporation or limited liability company must have a separate employer identification number (EIN) for tax identification purposes, a freelancer or small-business owner may operate as a sole proprietorship under his or her Social Security number, even if the business has employees.

Just because you can doesn’t mean you should. It’s generally a better idea for sole proprietors to use an EIN, which can easily be obtained through the IRS website. Keeping business and personal finances separate is a good idea for many reasons, including identity theft prevention.

“That protects the business owner,” says Paige Hanson, chief identity education lead with the consumer business unit of Symantec. “If the business becomes a victim of identity theft, it won’t be tied to your identity. If the business identity is stolen, hopefully it won’t trickle down to you personally.”

To help keep finances separate, once armed with an EIN, you can apply for a business credit card to help track finances and detect fraud more easily.

2. Secure sensitive files — online and offline.
From bank statements to tax return filings to customer lists, your business may have a number of paper and electronic files that hold sensitive information. Gross suggests taking some basic measures to protect paper documents, such as using a secure mailbox, shredding any documents you don’t need and keeping sensitive files in a locked area or other secure location.

It’s a message not lost on barber Domenic Sciortino, owner of Mt. Rose Barberama in York, Pennsylvania. He keeps copies of important documents in a safe and shreds statements, credit card offers and other unnecessary paperwork that could give fraudsters access to his business or allow them to open credit lines in his business name. “We’re very careful about that,” he says. “We don’t have duplicates anywhere and I know exactly” where sensitive information is kept.

To combat digital fraud, make sure your computer systems have appropriate firewall, anti-virus and anti-malware technology, says Suzanne Barber, director for the Center for Identity and a professor in electrical and computer engineering at the University of Texas, Austin.

Free software is available, but it may not include all of the components you need, or it may come with adware or spyware. Off-the-shelf security packages such as those from Symantec and McAfee are usually sufficient for small businesses, and some products now offer protection that extends to mobile phones and other devices. Be sure to update patches in a timely manner by allowing automatic updates.

Also, check with your Internet service provider to find out how it protects your data. Find out which third-party security vendors it uses, then check the vendors’ websites to learn about how frequently they update their solutions and whether certain content types are protected – for example, email attachments.

You’ll also want to find out the type of protection they offer. Are they using firewalls and anti-virus, anti-spam and anti-spyware software? Think about your online activities and make sure the ISP has the right solutions in place for you.

3. Establish good internal controls
Businesses with employees need to pay extra attention to security. Barber says it’s important to use passwords or otherwise restrict employee access to certain documents, such as customer lists or accounting files. She also recommends establishing a clear protocol to follow in the event of a data breach, including assigning someone to manage the breach and outlining what actions are needed to be taken.

How to deal with tax-related ID theft: According to Federal Trade Commission, unexpected tax-related notices should be a red flag that your business’ identity has been stolen. If the IRS thinks you have already filed your business’ tax return, that may also be an indicator that your ID has been stolen. The IRS will never initiate contact through email, text or social media message, so if you recieve these communications, they are likely an attempt to steal your business’ identity. To deal with the identity theft, immediately contact the IRS and report fraud, as well as keeping records or the dates you’ve made calls or sent letters. Check your credit report often and put a fraud alert on your business’ account.

She tracked down the person whose card was used and called him. When she told him why she was calling, he "spilled his coffee in his lap because he hadn't placed the order

For retail businesses, Barber suggests business owners review security footage for suspicious activity, such as an employee taking a customer’s card away from the register to run a transaction. You should also regularly check any credit card terminals or ATM kiosks for skimming equipment.

Even businesses without a lot of employees need good controls. New Orleans jewelry designer Anne Renee Timmons-Harris, founder of A.R.T. Precious Collectible Jewelry, works from home with her husband and co-founder. Experience makes her extra cautious. In the early days of the business, she received an online order that just didn’t “feel right.” She tracked down the person whose card was used and called him. When she told him why she was calling, he “spilled his coffee in his lap because he hadn’t placed the order,” she says.

She realized that if it was that easy for someone’s card to get stolen, she couldn’t take any chances with her own identity. Even though only she and her husband have access to their files, they change passwords at least quarterly and use random password generators, saving passwords offline on a jump drive to keep them away from Internet hackers.

4. Ask vendors about their information practices
You may be asked to provide sensitive data on credit applications or other documents when you work with vendors. Hanson recommends asking about their security practices to ensure you’re not putting sensitive data in the hands of a company that doesn’t adequately protect it.

It’s perfectly reasonable to inquire about where customer data is kept and how it’s protected. If the vendor can’t answer those questions to your satisfaction, it might be a red flag that your data would be less than secure with them.

5. Deter device-centered hacking
The “bring your own device” trend – where employees use their personal mobile phones and other devices for work – introduces extra risks to a business. Gross says such devices need to be password-protected to ensure that sensitive company information can’t be accessed if the device is lost or stolen.

Mobile payment solutions such as Square and PayPal Here that allow you to connect a card reader to a smartphone or tablet may also increase security risks. “The risk is definitely real with mobile payment solutions, and account takeover fraud should be an immediate concern for small-business owners,” Gross says.

He suggests that business owners closely protect their account credentials because a fraudster gaining access to that account could easily divert funds from legitimate transactions to another account.

If you’re considering using a mobile payment system, look for one that uses the best possible encryption methods and devices that require the highest level of authentication available in order to limit the ability of others to misuse your device, says Barber.

Consider employee access controls, too. Sciortino, for example, uses a tablet and one mobile payment system for eight stylists. He uses separate passwords for each stylist, so they can all use the tablet-based system, but no one has access to any information but their own.

6. Check your statements and profiles regularly
Keeping an eye on your accounts is one of the best methods of halting fraud before it gets out of hand. Experian and other credit reporting agencies offer monitoring services that can help.

BusinessIDTheft.org is a nationwide program from the Identity Theft Protection Association and the National Association of Secretaries of State to help combat business identity theft, data breaches and other types of fraud. Some states offer free email alerts to notify you when information related to your business identity changes. According to the organization’s website, you can also use your state’s online Business Identity Search to enter your business name and review information about your business.

It’s also a good idea to review your banking agreements to determine whether your business accounts have protection against fraud, which can differ from consumer protections. In addition, review your insurance policies to see what, if any, coverage you have in case of a data breach that exposes customer information or if you incur other losses from fraud or ID theft.

Besides regularly reviewing his bank statements to make sure no fraudulent transactions have occurred, Sciortino uses a business credit profile monitoring service to alert him if there are changes to his company’s credit record, such as new lines of credit or negative reporting. “It lets me know if anything affects it — I get a notice right away,” he says.



We encourage an active and insightful conversation among our users. Please help us keep our community civil and respectful. For your safety, do not disclose confidential or personal information such as bank account numbers or social security numbers. Anything you post may be disclosed, published, transmitted or reused.
If you are commenting using a Facebook account, your profile information may be displayed with your comment depending on your privacy settings. By leaving the ‘Post to Facebook’ box selected, your comment will be published to your Facebook profile in addition to the space below.
The editorial content on CreditCards.com is not sponsored by any bank or credit card issuer. The journalists in the editorial department are separate from the company’s business operations. The comments posted below are not provided, reviewed or approved by any company mentioned in our editorial content. Additionally, any companies mentioned in the content do not assume responsibility to ensure that all posts and/or questions are answered.