Identity Theft Protection for Small Business

Introduction -identity theft is the fastest growing crime in the UK. It affects employees, small business owners, major companies and business networks. It is the criminal act of stealing personal information with the intent to use it to create similar cloned identities without the victims' knowledge, for financial gain. Identity theft costs the UK economy more than £1 billion every year and it is estimated by official statistics that over 4 million adults have been a victim of identity fraudsters. The following article is not comprehensive and does not purport to legal advice relating to any particular circumstances. The main reason these crimes have been committed is that the victims failed to adequately protect themselves or even realise they were at risk in the first place. Identity theft can be incredibly stressful, costly and difficult to resolve as the owners attempt to prove to financial institutions that they have been a victim of crime and rather than the cause of them. It can also damage and individuals credit history report if fraudsters have obtained credit cards or loans without any intention of repaying the debt.

Why is Identification so Important? - without an identity it is almost impossible for anyone to open a bank account, get a mortgage, obtain a personal loan or credit card or buy goods and services on credit. Identities are valuable assets, which in the wrong hands, can be sold on at a premium to fraudsters or used to commit theft. The personal information of individuals and employees of businesses is stored across hundreds of individual databases for a variety of reasons. To access this personal and private information we usually need to prove of who we are via our identification. Society is becoming more and more reliant on databases to improve productivity in our everyday lives. For instance, our national insurance number, passport, driving licence and proof of address are all critical pieces of information that must be kept secret, held on database and used to check identity. They are very important in establishing trust with commercial organisations who check with credit rating organisations , electoral roll records and other fraud databases to validate our identity, before any financial applications are approved.

The Types of Identity Theft - the main types of identity theft are as follows:-

• Financial Identity Theft - if fraudsters can steal personal information information from an individual directly, or obtain it from other sources (see below), they can pretend to be you, steal your money, obtain a loan, take out a credit card to buy products and services and many other commercial transactions. As there is no single proof of identity document in the United Kingdom, fraudsters are hunting for a number of pieces of information collectively, such as date of birth, mother's maiden name, bank account number and sort code, utility bills with address details and so on. By piecing together these common elements of an individual's identity, it is possible to obtain other parts of their identity form other sources. For instance, many people use the same password to access their favourite web sites such as Facebook or Bebo. By obtaining enough information about an individual, the fraudster can impersonate the individual in order to change the address of accounts, open up new bank accounts, obtain loans and so on. When a criminal is pretending to be the victim, lenders cannot sometimes differentiate between the two - they rarely meet, as most applications are by post or online. Any lender credit checking simply reveals that the victim's credit is fine and an application can proceed. This makes its very difficult for individuals to realise what is going on before it is too late. The criminal has got away with money, the victim is wrongly blamed and the lender is never repaid.

• Business Theft - financial identity theft can also apply to businesses. For owners of small businesses, this can be damaging both to them personally and to their business enterprise. Credit cards and debit cards and loans may be taken out in the names of directors or employees of the company. In addition, the problem of keeping sensitive customer information secure is becoming an increasingly difficult challenge for business owners. If customer data is stolen or customers perceive that it a companies IT systems is insecure, the company may lose a valuable custom as prospective customers fear their personal data is vulnerable to attack. There have been many recent public news stories regarding companies IT systems that have been attacked by hackers stealing customer's credit card information and misplaced files through sloppy internal management, exposing huge numbers of customers to the risk of identity fraud. With the explosion of company websites that now provide convenient e-commerce, the fraudster's range of opportunity to exploit poorly protected IT systems is increasing.

• Criminal Identity Theft - this type of theft involves a criminal obtaining genuine identification from the victim, by stealing personal information, in order to create a false identification. When the authorities finally catch up with the criminal, the criminal presents the force of identification with the victim's name on it. Subsequent failure to appear at court means the authorities wrongly assume the victim has absconded. The victim may find it very difficult to clear their good name. They may have two present themselves in court, be fingerprinted or identified by the original arresting officers of the fraudster. In addition, the legal process to clear themselves from any criminal records database may be time-consuming, complicated and stressful.

• Synthetic Identity Theft - this is where part of a victim's genuine identity is used in combination with another in order to create a new and false identity.

Methods Used by Thieves to Obtain Personal Information - there are many ways in which criminals can steal identities in order to profit from the information contained within them. Unfortunately, the more reliant we become on technology solutions to improve our everyday lives, the more opportunities the fraudster has to dream up new ways to stealing our identities....

• Corporate Identity Theft - the names and addresses of the principles of companies are available from public company records. This provides opportunities to attempt to obtain goods and services in the name of the company.

• Raiding Bins - millions of people throwaway highly sensitive data such as old bank statements and utility bills, into their rubbish bin. Even junk mail can provide name and address information. Although most people have heard of identity theft, many do not shred or dispose of their personal details or are simply lazy and throw away vitally important information.

• Mail Forwarding - tenants living in short-term rental accommodation typically move home every six months. Many forget to redirect mail to their new home address. Unfortunately, the new occupiers may not be honest or the post may be left in a communal area for fraudsters to obtain personal information. Typical examples would be the final closing utility bills, bank statements, credit card statements and so on.

• Personal Information Online - the explosion of social networking websites such as Myspace and Facebook, actively encourages users to publish personal details about themselves! This seemingly innocent exercise of sharing with other online 'friends' represents a goldmine of information for fraudsters. Social networking provides complete anonymity for the fraudster to befriend potential victims or simply copy the information from their personal homepages. There are also other interactive websites such as forums, blogs, notice boards and subscription-based member websites - all have the potential to be exploited by fraudsters. Unfortunately, many people re-use the same password for multiple websites (so they don't have to remember lots of different passwords). Unfortunately, if the fraudsters get hold of it they can have a much easier job piecing together a victims personal identity. For instance, with their mother's maiden name they may be able to access retrieve additional personal data from other web sites.

• IT Hacking -a lack of adequate security surrounding personal data can allow hackers from anywhere on the planet to obtain personal information. Amazingly, around 15% of users still browse the Internet without any type of firewall on their PC. Many corporate servers are also do not have a firewall protection or are poorly set up, leaving small holes through which hackers can collect and extract data from. The incredible growth of key logging virus's that collect users key stroke entries and then email the secret information to a third party location, is allowing more and more personal data to be taken.

• Phishing Emails - e-mails purporting to be from a victim's bank, which uses exactly the same logo, fonts, style, text etc used in normal marketing literature, urge users to log in and amend their password and other personal details. Unfortunately, internet technology means that criminals can very easily set up a duplicate 'clone website', which look exactly like the genuine banking website the customer expects to see. When the victim clicks on the link in the phishing e-mails, they are taken to the clone website, believing they are logging in to their banks online website. To make matters worse, these websites will usually attempt to download key logging software and trojan horses in order to steal personal information directly from the user's computer.

• Boiler Room Scams - a boiler room scam involves a high-pressure telephone selling, typically offering some kind of investment opportunity which is either false or worthless. It is called a boiler room because it uses cold calling and high pressure selling techniques. The telephone fraudsters are usually based overseas, making it difficult for authorities to track down the fraudsters due to differences in national regulatory regimes and laws.

• Lottery Scams - in this fraud the victim receives a spam e-mail or telephone call, to inform them they have won a lottery prize which can only be obtained if they pay a small 'administration fee' or 'customs fee',. The victim unwittingly provides them with their personal details to pay the small administration fee, believing they will receive a large cash prize, which of course does not exist.

• Money Mule Scam - this is typically an online fraud whereby a money transfer is unwittingly initiated by the victim, in exchange for a small commission payment.

• Theft or Loss of Wallet or Purse - the deliberate or accidental loss of wallets or purses containing credit cards, personal details and drivers licence happens thousands of times a day. Unfortunately, the opportunistic criminal can sell on this information.

• Credit Card Skimming - dishonest employees in shops or businesses may use credit or debit card skimming technology, to take a copy of the magnetic strip of card and record the user's entering their 4 digit PIN number using a hidden camera.

• Impersonation of Recently Deceased Person - one of the fastest growing scams is for criminals is to impersonate recently deceased people. The fraudster uses the identity of the deceased person in order to obtain loans or credit cards. Naturally, the last thing on a grieving family's mind is identity theft. Yet fraudsters LOOK IN local papers for announcements relating to funerals. There is also a natural time delay between the time of death and when the grieving family get around to sorting out the financial and administrative affairs of their loved one. Unfortunately, this gives the fraudsters time to attempt to obtain personal information and exploit it. CIFAS, the U.K.'s fraud protection service provides a protective registration service for families who believe their loved ones identity may have been stolen.

Identity Theft Protection - there are some basic steps which individuals and business owners can take to limit the risk of identity theft:-

• Paper Based Records Management - companies have a statutory duty of care to protect their employees data under the Data Protection Act. Shred any sensitive documents that do not need to be kept or plans to be disposed off or recycled. Larger companies may have Human Resources Department holding detailed information on the company's employees. Policies should be set up to limit access to this data by HR or restricted personnel only. In addition, the protection of customer data is equally vital. Understand the flow of information through the sales process and at which point sensitive customer data is stored and where it is backed up.

• Online Security - check that all networks are secure through the use of firewalls, passwords and user policy restrictions set up (regarding what users can access and cannot access). In addition, ensure laptops are set up with boot login passwords, as well as spyware removal and firewall protection. Hard disks can be encrypted in the event that the laptop is lost or stolen. Ban all websites with associated keywords that may place cookies, scripts or other malicious scripts on employee's computers. This can be achieved through the use of commercial software which is set up to identify websites containing keywords or key phrases such as gambling or casino and so on.

• Clean Desk Policy - a clean desk policy is essential to avoid the risk of the theft of sensitive customer or employee data which may reside on or within a person's desk. It may be possible for unauthorised persons or dishonest maintenance staff to access an employees untidy, insecure desk out of hours.

• Check Your Credit Rating - by regularly using paid services such as checkmyfile.com it is possible to see whether or not your credit rating has changed recently. This will include lender 'searches' relating to credit applications for loans and credit cards.

• Subscribe to Protection Services - there are a number of business services which can limit the damage caused by an identity being exploited. These include CPP, LloydsTSB and Norwich Union among many others.

Laws to Combat Identity Theft - different countries are using different approaches to address a common global problem. The notable highlights are as follows:-

• USA Actions - in the United States the Identity Theft and Assumption Deterrent Act 1998 was introduced to act as a deterrent and recognize that victims of identity crimes needs to be better educated, and compensated where appropriate. It allows for fines of up to $250,000 and 15 years imprisonment for some offences.

• UK Identity Cards - in the UK there has been great debate as to the value of a national identity card scheme. Ignoring the financial cost of setting up and managing the scheme, the arguments surrounding its ability to reduce identity theft for individuals and businesses also remains highly contentious. Supporters of the scheme argue that it will eliminate the paper-based processes and checks currently used by many government agencies such as the DVLA, benefit system and passport office, which have all exposed systemic weaknesses in protecting personal data. However, opponents of the scheme have argued that the government has consistently failed to protect the nation's data. Creating a centralised identity database will represent a potential fraudster's goldmine and represent a huge target for all criminals trying to find new and innovative ways to steal information from it. They point to the following examples of miss-management:-
  • Lost a computer disc, of address and account details of UBS's Personal Equity Plan (Pep) investors, by Inland Revenue (September 2005)
  • Lost computer disc of personal and bank details of 25 million people - almost every child in the country as well as their parents and carers, by HM Revenue & Customs (November 2007)
  • Lost computer disc of details of 40,000 benefits claimants by West Yorkshire Council (December 2007)
  • Lost computer disc of 2,000 criminal suspects by the Loss Crown Prosecution Service (February 2008)