Identity theft goes way back. Shakespeare mentions it in Othello:

“But he that filches from me my good name Robs me of that which not enriches him And makes me poor indeed.

The bard never ceases to amaze me. With your permission, I’d like to use a more recent definition from our friends at Wikipedia:

“Identity theft is a form of fraud or cheating of another person’s identity in which someone pretends to be someone else by assuming that person’s identity, typically in order to access resources or obtain credit and other benefits in that person’s name.”

Okay, got it covered past and present. Things are good.

But are they?

Last week, I received a phone call from Dean (car mechanic, extraordinaire). He was working on my tired Chevy. It was bleeding something dark and sticky. “Hey, Dean, whatcha find?”

“Don’t know.”

Dean is not one to mince words. So I instantly imagined the worst. “It’s that bad?”

“Sure is,” he confirmed. “Jim (another long-time customer) just called, mad as hell. Asked me what the (strong expletive) bill was for. And, when did I move the shop.”

Why is he telling me this? Then the light went on. Dean thinks something’s screwy with the invoicing system. Guess who installed it? And, he’s got my car. With my ride and street cred at stake, I told Dean I’d be right over.

After talking to Dean more, I got the picture. Jim was a victim of a spear-phishing attack (Epsilon breach). The attacker used detailed information about Dean’s auto-repair business to try and sucker Jim into sending money to Dean, but at a different address.

Not a good thing for either Dean or Jim. Right away, we got Jim back on the phone, and I explained what happened.

Wrong addresses are a clue

Changing addresses is a key component of identity theft. If at all possible, the crook will try to change addresses specific to the attack. Doing so, removes the possibility of figuring out what’s going on. In the case of Jim’s phantom bill, if he didn’t know Dean’s correct address, he would have sent the money directly to the criminal and Dean would not have a clue.

Consumers also beware

Being able to alter addresses is even more serious if payment-card fraud is the crime du jour. It’s a home run if the bad guy can change the address listed on the account. Why? The victim will not receive a monthly bill, nor realize anything is wrong until the collection agency is knocking on the front door.

Business identity theft

Where better to look for business identity theft information than the Better Business Bureau (BBB). Steve Cox, BBB spokesperson provides the following insight:

“Business identity theft is a very real concern in today’s marketplace. From a criminal’s perspective, it is significantly more cost-effective to steal business identities than consumer identities.

Businesses can be especially easy targets because they may not be as adept or well-equipped to protect sensitive information as larger companies that can afford to hire dedicated staff to ensure oversight and security.”

The Better Business Bureau website provides the following examples of ID theft:

  • Phishing E-mails: Phishing e-mails are an example of business ID theft designed to defraud consumers. Phishing e-mails are used to coerce financial information from the recipient or to install malware and viruses on recipients’ computers.
  • Defrauding the Business: A crafty ID thief can do a lot of damage with a company’s Employer Identification Number, including gaining access to bank and credit card accounts or opening up new lines of credit under the business’s name.
  • Defrauding Consumers: Scammers use and leverage the company’s identity and reputation to create a trustworthy façade behind which they operate their scam. Business owners are usually alerted to the identity theft by angry consumers who were ripped off by the scammers. (This is what happened to Dean.)

The BBB goes on to recommend the following steps if a business identity has been stolen:

  • Alert the Authorities: Business owners need to immediately contact their local police department if they believe the company’s identity has been compromised. If scammers are using the company’s name on phishing e-mails or with phony Web sites, business owners can also contact the FBI’s Internet Crime Complaint Center.
  • Alert Bank and Credit Card Companies: If scammers are accessing the business’s credit or bank accounts, it’s important for a small business owner to notify financial institutions involved in order to limit any further unauthorized transactions.
  • Alert the Public: If the company’s identity has been stolen and is being used to rip off customers, warning the public is a top priority to prevent additional people from becoming victims.
  • Review Credit Report: If the business is a sole proprietorship, then the same consumer protections apply as if an individual’s ID were stolen-such as access to free credit reports and the ability to place a fraud alert on the report. The Consumer Federation of America just issued a best practices document for comparing identity theft services. It might be worthwhile to check out.

Need to explain

I usually don’t use verbatim text from websites, but the information from the Better Business Bureau is golden, and not just for business records. Their suggestions apply aptly to the treatment of any sensitive personal and/or business information.

I’d like to make another point. Favoring business identity theft over attacking consumers is one more example of criminals going after “low-hanging fruit.” The BBB points out higher credit limits afforded businesses as being the reason why. Larger pots mean the bad guys are less likely to be noticed, unless they get greedy.

Final thoughts

The identity theft of Dean’s business information was narrowly thwarted, thanks to a tight-fisted Minnesotan. Hopefully, we all will follow his example.

And, thanks for all your concern. My car is feeling much better.

Subscribe to the Cybersecurity Insider Newsletter

Strengthen your organization's IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices. Delivered every Monday, Tuesday and Thursday

Subscribe to the Cybersecurity Insider Newsletter

Strengthen your organization's IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices. Delivered every Monday, Tuesday and Thursday