Identity Theft and Your Tax ID Number

Identity theft keyboard
Getty Images/Peter Dazeley

You would think that since a business isn't a person, identity theft would not be an issue. However businesses do have an identity, and they can be victimized by an identity thief just like a person can.

In fact a business even has its own Social Security number (called a Federal tax ID, Employer Identification Number, or EIN) that can be stolen by an identity thief, and make things miserable for a business owner.

Corporate identity theft (or business identity theft) can close your business' doors and even come back personally if your business isn't structured to protect you from that risk.

The Tempting Target

There are many reasons an identity thief may choose to target a business. A larger company may have several credit cards on a single account, and not bother looking over the itemized list of charges before they pay the bill. Even small companies tend to have generous credit terms and are not necessarily monitored as closely by the bank, since banks expect companies to make large-ticket purchases.

An identity thief also knows how easy it is to get information about your business. For example, most companies display their business license in the lobby, sometimes because they are required by law to do so. Getting a company's EIN is fairly simple, since it's public record. This may even be available online.

Of course, other companies are eager to extend your company credit because it means more business for them. In fact the process to get a line of credit with another company may be overly simple; sometimes all it takes is a request on your company's letterhead (also easy to obtain,) that includes the business license number and tax ID.

Together, these factors make your business a very tempting target.

A Case in Point

When an identity thief attacks a company, they can hit hard and fast. The case of Village View Escrow, Inc. is a perfect example. An identity thief was able to hack into their computers, and in less than two days the company lost almost $500,000. Although the owner of the company could not recall a single international transfer in the previous two years, Professional Business Bank (now Bank of Manhattan) allowed 26 of them go through without even calling to ask about the unusual activity.

This is precisely the sort of activity that the Red Flags Rule requires financial institutions to look out for. Unfortunately for Village View, although Professional Business Bank takes pride in being "pro-businesses", they were either unable or unwilling to help with the problem. Four months after the loss, the company has found very few resources that would help. The owner had no choice but to let employees go, and even decline her own salary in an effort to keep the doors open.

Of course, the banking industry is highly regulated, and most likely they followed the "letter of law", but with the changing landscape in identity theft, companies need to have a more flexible and adaptive way to deal with the new crimes like account takeover.

Which is yet another cost of business identity theft.

Nobody's Talking

Looking on the Internet (i.e. doing a Google search) will bring up several hits about business identity theft, but when you look through the links that come up most of them deal with personally protecting yourself, the occasional state law, the Fair Credit Reporting Act (FCRA), FACTA and such. But discussions about how a company can be directly affected by corporate identity theft are very few. Most businesses are not even aware these types of things can happen…until it happens.

That's when they learn that their insurance, bonding, licensing authorities and other professional organizations are of little help. Like Valley View, they can easily find themselves struggling to stay afloat.

The reason nobody is talking is simple: nobody can figure out how to stop it.

A good deal of business identity theft is committed by individuals or organizations that are outside of the United States' jurisdiction. The problem moves from a financial arena, to the business world, and crosses over to become a legal problem. But once it goes international, politics come into play as well.

From the company's perspective, there are few things that can be done to help protect against business identity theft. Investing in a good IT staff will help, but any senior computer tech will tell you companies don't want to invest in technology as long as their network is running. Data encryption can help protect your information, but can be costly to implement. Identity theft insurance is geared almost exclusively to the individual. It seems as if the safest thing to do is keep all your business records in ancient Sanskrit, locked up in a steel safe stored in an underwater cavern guarded by a herd of rabid dinosaurs.

But even then, there are no guarantees.