Technology means corporate fraud is easier than ever

According to a survey¹ by life assistance business CPP, of 200 small and mediumsized enterprises (SMEs) in September 2011, only one third of respondents thought they were at risk of identity fraud, while awareness of fraud varied wildly across industry sectors.

So consider this: a practice runs a tight ship with good controls over its finances. However, one day, it receives demands for payment for debts that it doesn’t recognise. After much investigation, it appears a third party has used the practice to fund its criminal activities. It later transpires the owner’s identity has also been cloned and someone else has a driver’s licence, credit cards and a new bank account in the owner’s name – and has used them to the owner’s disadvantage.

Businesses under attack

Companies House says it sees 50 to 100 cases of identity theft every month. Worryingly, these cases only cover incorporated businesses and not sole traders, (incorporated) partnerships, and, of course, there may be cases not yet discovered.

The cost of fraud is estimated at around £75b a year², according to the National Fraud Authority (NFA) in its 2012 Annual Fraud Indicator. While these figures include all forms of fraud – insurance, mortgage, benefit and credit card, as well as identity fraud (there are too many other types to list) – it’s clear all sectors of the UK economy and businesses are at risk.

Technology has made fraudsters’ lives much simpler and has multiplied the number of risks businesses – and individuals – have to counter.

It’s surprisingly easy to hijack a company by changing details such as a director’s name and address and the registered business address. Companies House takes all documentation at face value – there’s no checking of submissions at its end. Suppliers – of goods, services or finance – will often check a customer against official records and for a proven credit rating established by the legitimate business. If the data given by the fraudster stacks up, then the deal is done, leaving the victim to pick up the pieces. The supplier will not necessarily know until it’s too late that the delivery address is not the true address of the business.

Types of fraud

Naturally, there are numerous forms of fraud and they aren’t necessarily the “instant hit” some might expect. Indeed, they can be the result of a long-term sting where a firm is set up, or hijacked, with the intention of placing several small orders with a supplier. The orders are paid for quickly to build up confidence, before a series of large orders are placed and not paid for.

Another variant involves a phoenix company, where the directors create a business, wind it up with substantial debt, and then set up an almost identical company to start the process again.

Criminals can also hijack a business with investment and personnel to take control from within.

One of the simplest frauds to watch for, however, involves the owners of a newly registered company who submit fictitious returns to Companies House featuring “too good to be true” accounts. This creates a perfect credit rating from which they can source credit that is never repaid.

Find the weakness

To minimise the risks, businesses need to understand where fraudsters probe for weaknesses.

• Waste: The easiest and most obvious method of locating the information required to set up a fraud is to search business waste in the bins outside the premises.

• Websites: Websites can be replicated so the unwary are tricked into entering personal information or bank data, which can then be harvested and used illegally.

• Credit: As seen earlier, it is quite possible to use the good name of a legitimate business to obtain goods or services. A derivative of this, however, is to use an identity to set up a false internet merchant account, allowing a third party to take money from customers who think they are trading with the legitimate company.

• Hacking: Unsecured computers (or networks) can be targeted for the sensitive information they contain – staff or client (patient) details – which can then be used for other identity-based crimes.

Protect the business

Not many place the destruction of sensitive paper-based information high on the agenda; a name and address found in bins combined with other personal information can make for easy pickings. It’s easy to use the internet to build on information found on discarded paper to establish someone’s home address, telephone number, date of birth (which in itself is often used as a password or pin code), place of birth, family members, past employers, education and so on.

Considering many financial institutions use elements of this information to verify a caller, it’s not hard to see how identities can be manipulated. So as well as shredding documents, ensure social media sites, for instance, are protected by making minimal identifying information freely available.

In a similar vein, businesses should review security on their computers and networks to prevent authorised attacks. As a minimum, internet routers should be protected with encryption keys and MAC address filtering to prevent snoopers accessing a network; both the firewall on the router and on the computer should be turned on; good anti-virus software should be installed and kept up to date; any security software offered by a bank should be installed; and, if possible, businesses should seek technical help to disable USB ports on computers to stop data being exported on to USB memory sticks. It also makes sense to limit access to sensitive data and ensure whenever it is moved the data is encrypted in case it is lost in transit.

When logging on to a bank, users should navigate to the home page directly, rather than through a search engine. Further, when on a payment page or on a bank website, users should look in the navigation bar for “https” rather than “http”. This indicates the page is secure.

If the business is incorporated, then spend time on the Companies House website (http://bit.ly/ MjZ4kC). It offers three levels of protection to registered businesses: WebFiling, an online filing service that does away with paper forms to return statutory information; PROOF, which, once a business is registered, means that Companies House will only accept electronic submissions; and Monitor, which keeps subscribers updated on documents filed at Companies House.

Credit referencing agencies such as Equifax (www.equifax.co.uk) and Graydon (www.graydon.co.uk) provide assistance. Graydon’s CreditWatch, for example, will either monitor a subscriber’s own business or that of a customer and alert you with any critical changes. Alternatively, its intelligence network offers credit data on customers in given business sectors. The agencies can also help check on individuals with shady pasts who want to keep them hidden. While these paid-for services may not themselves prevent an attempt to steal an identity, they should alert the subscriber immediately to any changes, authorised or not, before any criminality can be committed.

Few consider that fraud comes from internal as well as external threats. During a time of economic stress, the risk of employee-based fraud grows. The 2011 CPP survey found instances of staff accessing HR databases and removing the data on USB sticks, as well as cases of staff stealing thousands of pounds from their employer. It is, therefore, important to run checks on business partners, as well as staff, that includes their credit history and any criminal past. References should be sought and read. The Metropolitan Police offers tips on its website (http://bit. ly/pBJbSb).

Already a victim?

Time is of the essence once a business becomes a victim, and it will need to make reports to not only the police, but also Companies House, its bank and suppliers. However, it may be worth taking legal advice first. The police aim for a conviction in fraud cases, but the victim will want restitution. The two don’t always go hand in hand, and the time taken to get a conviction could make recovery difficult.

It’s also important to repair a credit file, and this necessitates obtaining a credit report and Companies House record. On a personal level, individuals should telephone one of three credit reference agencies to help clear a credit record. The agencies are Callcredit (0870 060 1414); Experian (0844 481 8000); or Equifax (0800 121 4752). They will all help with guidance on the steps that need to be taken. Individuals are entitled to their credit file for £2. Business credit reports vary in price.

Lastly, where a client’s information has been compromised, he or she should be informed so that appropriate measures can be taken.

• 1. CPP Survey (http://bit.ly/L4N6q0).