What steps to take to avoid negative economic consequences and image damage from corporate identity theft.
What is digital identity theft?
Corporate identity theft is a widespread risk that can affect individuals as well as organisations and companies.
It is a real crime that consists in fraudulently appropriating the digital identity of a real person for the purpose of gaining an illicit advantage.
Digital identity theft: what data is stolen and how is it used?
Identity theft of company data can involve personal information, such as the tax code and personal data of company owners, or banking information that allows access to current accounts and credit cards, or even login credentials (username and password) needed to use various services such as e-mail accounts. The data stolen may also be that of employees or customers.
One of the most frequent frauds in companies consists in gaining access to the e-mail box of an employee, usually a buyer or an administrator. The fraudster often obtains the credentials by means of phishing, sending an e-mail that appears to come from the service provider and asks the employee to enter their mail credentials in a form. Once the credentials have been obtained, a copy of every incoming e-mail is forwarded to a mailbox controlled by the fraudster, who is then able to read all of the company's correspondence.
When he detects an e-mail relating to a sale to a customer, or concerning some payment owed to the defrauded company, he sends the customer a message stating that the payment must be made to a different IBAN, which of course belongs to an account under his control. Having followed the correspondence, the fraudster is able to write a credible e-mail that refers to the number and date of the order and to other details of the transaction known only to the parties involved.
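The diverted-payment fraud just described can be caught at the accounts-payable step by checking any bank details in a payment instruction against the details already verified for that order. The following Python is an added example, not code from the original article; it assumes a constructed registry `VERIFIED_IBANS` keyed by order number and two constructed sample messages.

```python
import re

# Constructed sample registry: order number -> supplier IBAN verified out of band (by phone).
# DE89... and GB29... below are the well-known valid example IBANs from the IBAN specification.
VERIFIED_IBANS = {"ORD-2024-0117": "DE89370400440532013000"}

IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}(?:\s?[A-Z0-9]{4}){2,7}(?:\s?[A-Z0-9]{1,4})?\b")
CHANGE_WORDS = ("new iban", "new bank", "changed our bank", "updated bank", "other account")


def iban_valid(iban: str) -> bool:
    """ISO 13616 mod-97 check: move the 4-char header to the end, map A..Z to 10..35."""
    s = re.sub(r"\s+", "", iban).upper()
    if not re.fullmatch(r"[A-Z]{2}\d{2}[A-Z0-9]{11,30}", s):
        return False
    digits = "".join(str(ord(c) - 55) if c.isalpha() else c for c in s[4:] + s[:4])
    return int(digits) % 97 == 1


def review_payment_instruction(order_id: str, body: str) -> list[str]:
    """Return the reasons (empty if none) why this e-mail must be confirmed by
    calling the supplier on a number already on file before any payment is made."""
    reasons = []
    lowered = body.lower()
    if any(w in lowered for w in CHANGE_WORDS):
        reasons.append("e-mail asks for payment to a different account")
    for raw in IBAN_RE.findall(body):
        iban = re.sub(r"\s+", "", raw)
        if not iban_valid(iban):
            reasons.append(f"malformed IBAN {iban}")
            continue
        on_file = VERIFIED_IBANS.get(order_id)
        if on_file is None:
            reasons.append(f"no verified IBAN on file for {order_id}")
        elif iban != on_file:
            reasons.append(f"IBAN {iban} differs from verified IBAN for {order_id}")
    return reasons


# Constructed sample messages modelled on the fraud described above.
LEGITIMATE = "Invoice for order ORD-2024-0117 of 3 May. Please pay to IBAN DE89 3704 0044 0532 0130 00."
DIVERTED = ("Regarding order ORD-2024-0117 of 3 May: we have changed our bank. "
            "Please pay the outstanding amount to our new IBAN GB29 NWBK 6016 1331 9268 19.")

if __name__ == "__main__":
    for name, body in (("legitimate", LEGITIMATE), ("diverted", DIVERTED)):
        print(name, review_payment_instruction("ORD-2024-0117", body) or ["ok"])
```

Note that the check deliberately ignores who the e-mail appears to come from, since in this fraud the message is sent from the genuine, compromised mailbox.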
Other possible scams include getting hold of company credit card data or even gaining access to the company’s bank accounts. There are also cases in which stolen data is used for tax purposes to file tax returns and claim fraudulent refunds.
How to detect identity theft?
It is not always easy for companies to discover identity theft: there are several reasons for this.
In the case of customer payments diverted to other accounts, it usually takes some time before the companies involved realise. In the meantime, the sums will have already been credited to the fraudster’s account.
When the stolen data relates to company credit cards, it must be borne in mind that account statements contain many movements. Especially if the amounts are small and several employees are authorised to use the cards, the sums withdrawn illegally may escape normal controls.
In any case, the company should pay attention to certain signs that may serve as alarm bells, for example: unfamiliar transactions on bank or credit card statements, password-reset notifications that nobody requested, or calls from debt collection companies about accounts that were never opened.
Identity theft: what to do to defend yourself?
Every company, whatever its size, must try to counter possible digital identity theft, which entails high economic risks, but also damages corporate image. Taking preventive measures to protect one’s identity and data is of paramount importance for both security and reputation.
The techniques that can be used are diverse and include:
- The use of complex passwords and their regular updating;
- The use of firewalls, intrusion detection systems and encryption to counter any unauthorised access to company information;
- The monitoring of users’ activities and the performance of regular security audits to highlight the presence of vulnerabilities in their systems and take appropriate countermeasures.
To reinforce one's security levels, it may be useful to adopt MFA (Multi-Factor Authentication), which relies not only on a user name and password but also on other identification factors alongside them. Such factors include biometric data, such as a fingerprint or iris scan, an OTP (One-Time Password) code, or possession of a device such as a smartphone, a security token or a badge. By combining these different factors, a more robust security environment can be created.
A further possibility is the use of SSI (Self-Sovereign Identity), a decentralised digital identity model implemented via blockchain, which gives the user back control of his or her personal information and does away with the Identity Provider required by the identification systems currently prevalent.
Alongside tools that raise the company's security levels, solutions can also be adopted that aim to limit the damage should a theft be perpetrated. For example, corporate credit cards can be replaced with pre-loaded debit cards that do not allow spending beyond a given amount, or with single-use virtual credit cards that are valid for one purchase only.
The prevention of corporate identity theft requires constant attention to IT security. Only through a combination of preventive measures and constant monitoring can the risk of falling victim to this type of crime be minimised.