Company Identity Theft

According to Business Link and the Metropolitan Police, the theft of entire corporate identities ('company hijacking) costs businesses an estimated £50 million a year. Many of these thefts are facilitated by changing key company information on the register of companies administrated by Companies House. This can be done by paper forms as well as electronically.

Companies House says it receives half a million paper documents a month and over 50 of those are fraudulent. However Companies House does not check details of paper documents for validity and accepts paper submissions in good faith. It does not automatically notify directors or company secretaries that paper forms have been filed for their company.

Although electronic measures are being put into place to minimise the risk of business identity theft, these themselves are also potentially susceptible to fraud.

Corporate identity fraud has been described as the impersonation of another organisation for financial or commercial gain; or occurring when a false corporate identity or another company’s identity details are used to support unlawful activity.

Various different fraudulent activities are covered under this umbrella term. Of these, the primary activity under consideration within this study is commonly referred to as ‘company hijacking’.

Company hijacking occurs with the submission of false documents to Companies House and normally involves changing the details of a company’s registered office address of the details of its directors or company secretary.

The amendments to the company records can be done via the simple submission of a paper form.

In addition the details of the registered officers (directors and company secretary) of all limited companies in the UK are held as public information at Companies’ House. This information can be accessed through http://www.companieshouse.gov.uk/ and through various other agencies and includes the names, addresses and dates of birth of company directors.

Companies House accepts information filed on signed paper forms in good faith. It states very clearly on its website that:
“ Companies House is a registry of corporate information. We carry out basic checks to make sure that documents have been fully completed and signed, but we do not have the statutory power or capability to verify the accuracy of the information that corporate entities send to us. We accept all information that such entities deliver to us in good faith and place it on the public record. The fact that the information has been placed on the public record should not be taken to indicate that Companies House has verified or validated it in any way.”

The fraudulently updated data becomes part of the public record. Therefore, checks which are made on the company against the register will show that the applying director is registered as an official director of the company and that the address supplied is the registered office of the company. The fraudulent data would appear legitimate in relation to any director/address checks undertaken on the company. Any ordinary credit search against the company would show the actual credit rating of the company.

Provided that the credit rating is healthy, orders made in the name of the company by a seemingly bona fide director would be likely to be dispatched to the false registered office address. The legitimate business may not know that the order had been placed or goods dispatched until the supplier chased for payment. This fraud would impact both the hijacked company (in terms of impact to its credit rating) and the supplier.

Because company directors' details are public, they're even more vulnerable to identity theft as it will be easier for fraudsters to gain and change their information. Directors' details are available through Companies House, therefore it would be easy for a fraudster to obtain their details and use them to commit fraud.

A directors' personal and business details are linked, this makes it easier for criminals to find both set of details to commit fraud.

There have been numerous cases in the past where criminals sell details of directors or a business, or even both and then these details are then used to commit fraud. Even when the director finds they have been a victim and restored their accounts, these details may still be in circulation meaning the chances of having their identity stolen again is fairly high.

Unfortunately it's not just through company hi-jacking that a business can have its identity stolen. There are many different ways that fraudsters can gain enough information and details of a company and its directors in order to commit identity fraud. The unawareness of these methods is one of the reasons why the theft of entire corporate identities is on the rise, which has left almost 100,000 UK small businesses victim to identity theft alone.

The other methods of stealing a company's identity include:

• Phishing
• Supplier re-direction
• Account setup/takeover
• Address Fraud
• Application Fraud
• Employee Fraud

The extent and ease to which these methods are used means businesses are targeted from all angles making the protection of you and your business difficult to control.

Below I've detailed exactly what these methods entail to give you a better understanding of exactly how they might be carried out.

• Phishing
  - Phishing emails are becoming increasingly common. These emails trick you into revealing company information often posing as your bank or other well-known international companies you are familiar with. When you click through to these emails and input data the fraudster is then armed with information about you/your business and alongside stealing your identity, can also order goods, take out credit - the list goes on.
• Supplier re-direction
  -Once the fraudster has your information they can wreak havoc with your business, Supplier Redirection is when fraudsters build up a long-term investigative cycle of impersonated contact between a business and a key contact e.g. accountant or other supplier. They are then able to collate sufficient information to fully impersonate the business and re-direct supplier goods and services. Goods are purchased in your name, the fraudster has the goods and you are left to pay the bill!
  
  Don't forget, once the fraudster has your business information they have many ways of benefiting from this information.
• Account setup/takeover
  -A fraudster has obtained enough sensitive information on a business to access their bank account. The identity thief will make contact with your card company posing as you. The fraudster is then free to run up numerous charges all in your name.
• Address Fraud
  -Address fraud is an increasing method of identity fraud and one in which we currently don’t take enough action to reduce.
  
  Documents are often obtained from redirection of mail, theft by postmen or opportunists when a door is left open or documents are wrongfully discarded. However there is still a large amount of this fraud due to people forgetting to redirect post or not being alert enough when it comes to shared mail boxes. Sensitive information such as card details, recent energy bill statements etc can be obtained and used in order to steal your identity.
  
• Application Fraud
  -Application Fraud is when a fraudster impersonates you or your organisation to obtain loans or credit cards. This can involve changing a registered company address to temporary premises in order to contact suppliers and re-direct goods and services. The worrying aspect of this method of fraud is that the change of address may mean you're completely unaware of what is happening. It has been found that it can even take up to 15 months to discover you have been a victim of identity theft*.
• Employee Fraud
  -Employee fraud is difficult to accept, but has the potential to cause millions of pounds worth of damage, amongst other risks. Employee fraud comes about due to employees knowing relevant information about the Company they work for and its directors.

*CPP, 2010

For more information on these types of identity theft please look out for future hubs by Real-Insurance on what happens when these methods of fraud occur and what you can do to reduce your risk of becoming victim.