What You Need To Know About Small Business Identity Theft
In the United States, small business is king.
That’s not to say that the Walmarts and IBMs of the world are on their way out of the picture, or even that large enterprises don’t hold the lion’s share of dollars in circulation. But the U.S. Census Bureau and Small Business Administration report that 99.7% of all U.S. employers are classified as small businesses. And, while many of them employ very few people, the same bureaus report that small businesses account for 42.9% of existing jobs and 64% of newly created jobs in the private sector.
So, even though your average small business may just consist of a handful of employees and relatively small annual revenue, the SMB community accounts for an incredible amount of money. And where there is money, there are always people seeking to get their hands on it, sometimes through not-so-legal means.
Why Small Businesses?
Although the small business community holds a large amount of the nation’s money, the amount that passes through each business is much smaller than that of a global enterprise. As a result, small businesses are not regulated with the same level of scrutiny as large corporations.
In most cases, there are few SEC reporting requirements, no stockholders to answer to and little ongoing regulatory oversight in place to ensure businesses are operating as intended and keeping the public’s interest at heart. Without the associated controls in place, small businesses are easier targets for fraudsters.
What’s more, any business owner knows the resources required to start and manage a company can be staggering. In order to function, a business needs access to money, electricity, water, and telecom services such as phone and Internet.
As with personal credit accounts, these services are offered based on the provider’s best guess that the business will be able to pay back these expenses. Businesses even carry their own payment and credit histories, just like we do as individuals. So, naturally, defrauding these companies looks very much like stealing a person’s identity.
Stealing or Creating Business Identities is Relatively Easy
Like an individual, a business has a profile consisting of identifying credentials. Instead of a Social Security number, it has an Employer Identification Number (EIN), which is associated with a business name, address and contact information – just like you and me.
However, when we apply for a personal loan with our SSN, name and other details, lenders have access to volumes of information about any previous credit we’ve been extended and our payment histories. The same cannot be said for small businesses.
Many of these entities have just a few employees and limited or no recorded history, leaving lenders and service providers with little information to inform their decisions. So when a fraudster submits an application for a loan or for valuable hardware to run a business, all that’s needed is an EIN – either real or fabricated – and much of the business information that can commonly be found on a business’ website.
In an independent study conducted by XOR Data Exchange analyzing data from nearly 6 million small business applications, more than 25% of fraudulent applications contained recycled business information. Submitting an application using stolen or fake information required only using an existing EIN or “tumbling” an EIN by adding an additional digit to create a new, fake business with the same name.
Application Frequency is the Biggest Fraud Indicator – Not Credit History
When we apply for a loan, it’s not uncommon to submit an application to multiple lenders in order to hedge against a declined application or in order to select the best interest rate available to us. However, it would be uncommon for us to submit applications for an auto loan, mortgage, credit card and cell phone service all in the same day.
Many small businesses have no credit history as recorded by the major U.S. business credit bureaus. However, these businesses do have application and payment histories with the service providers they need to remain operational, such as utilities and telecom services. By considering the application histories of these services, fraud patterns are more easily identified.
Of the 6 million applications analyzed by XOR, the most prominent identifying feature of fraud proved to be the velocity of applications. For instance, in a single day, week or month, applications may have been submitted at every online lender and wireless carrier using the same information. And when service providers identified fraud or closed an account due to non-payment, a fraudster needed only submit a new application using a different EIN, sometimes with the same name and address.
Credit-worthiness is Not All About History
During the past few years, we’ve heard discussions about lenders and service providers taking into account our personal social media and other alternative factors in deciding to approve or deny our loan or service applications. The same may be said of small business applications.
While the intent of XOR’s study involved identifying small business fraud patterns and answering lingering questions for service providers, the final goal was to develop two predictive models to measure fraud and credit risk. By gathering applications from across industries and businesses that don’t normally share data with each other (similar to the way a credit bureau collects information about us), XOR was able to test different indicators of credit-worthiness to help better determine the risk associated with serving a business with little or no credit history.
The top indicators of credit-worthiness were determined to be application history, geography and components of the business’ online presence, such as social media profiles, publicly listed hours of operations and the use of specific words that indicate the business’ legitimacy. Unsurprisingly, these reflect the details many small business service providers look for when evaluating an application; however, these are not items you will find by pulling a credit report for a business and are not included in the credit scores used by the traditional U.S. business credit bureaus.
Protecting Your Business
If your organization provides a service to small businesses in the form of money, hardware, or even employees’ time and effort, then you should be investing in risk management efforts. This may mean changing your applicant evaluation process to include more diligence or bringing in analytics efforts to ensure, when you approve an application, you’re making a good investment.
Even if you’re not serving small businesses, there is a 99.7% chance that you own or work for one; so it’s important you know how your business’ identifying elements are being used. Think of the items required to submit a loan application and protect them like you would your personal details. You may not be able to avoid giving out your business’ address, but think twice about where your information goes when you send someone your EIN.
Mike Cook is the founder and CEO of XOR Data Exchange, an Austin, Texas-based startup building permission-based data exchanges to solve business challenges in fraud and credit risk. His pride and joy is XOR’s Compromised Identity Exchange, a platform allowing breached organizations to connect their breach with at-risk entities such as banks, lenders and credit card issuers to proactively prevent identity theft and fraud.