May/June 2006 issue
Aping to defraud – corporate identities at stake

Mick James
There are plenty of scam artists willing to shame your name by
trading on your reputation. It takes a concerted effort to stop
these corporate ID thieves.
The depleted stacks of £9.99 shredders in Woolworths and
Granny carefully cutting the addresses off her birthday card envelopes
show that the lessons about personal identity theft are getting
through.
For most of us, deleting the phishing and 419 scams from our inboxes
is a morning chore on a par with filling the kettle. But however
carefully they monitor individuals' identities, corporations seem
to have a blind spot when it comes to protecting their own. As a
result, corporate identity theft is a rapidly growing and multi-headed
threat, and one for which many firms are ill-prepared.
According to detective chief inspector Oliver Shaw of the City of
London Police's Economic Crime Department, corporate identity theft
is an “increasing crime pattern”.
“It's getting harder for criminals to get access to the confidential
information they need to perpetrate fraud and cash transfers,”
he says. “People shred information, banks have cracked down
on call centre security, and it's forced the criminals to adopt
new ways to obtain information.”
Increasingly, criminals are adopting what Shaw calls “social
engineering” to, for example, position themselves between
a company and its relationship banking manager.
“They contact both the account holder and the bank representative,
and mimic the account holder when talking to the bank and vice versa,”
he says. “They do it over time. Over weeks and months they
slowly build up the confidence until they can change the address
or the contact number. When they've got the confidence they go for
the big hit.”
Gift of the gab
These frauds rely on pure salesmanship – the ‘gift of
the gab’, and in some cases the ability to mimic voices.
“In some cases they'll put in cold calls,” says Shaw.
“They can pick up on the smallest detail in case they are
challenged later. A big problem we face is the number of recruitment
consultants who use exactly the same techniques as the fraudsters;
it muddies the waters.”
Identity theft is commonly associated with the internet, and Shaw
has seen some classic internet cases. These include fake charity
sites set up immediately after the tsunami. He stresses that the
internet is just one of many tools that ID thieves use, and it is
a ready source of fake ID passports and even P60s (employees' annual
summary of pay and tax deductions by employer) through sites like
foolthem.com.
But some of the most audacious identity thefts do not involve IT
at all. “We've seen cases where fraudsters have contacted
Companies House using the correct forms to get the official address
of a company changed,” he says.
In one case this led to a fraudster successfully selling a company's
Russian offices – the buyer discovered the fraud only when
armed guards confronted him at the front door.
Companies House has been criticized, notably by the Federation of
Small Businesses, but lacks the resources to investigate every application
for appointment of directors or change of company address. However,
it has put in new safeguards. Companies can sign up to the Monitor
system, which notifies them of any changes to their details, and
can also opt for Proof, whereby documents will only be accepted
via a secure electronic filing system. However, only 4,000 companies
have signed up so far.
“It's going to involve a sea-change in people's perception
of security,” says Shaw. “Big companies have the IT
back-up, they have their IT professionals constantly searching the
internet to pick up the phishing and the pharming sites. Small retailers
don't have the resources to do that, or even to keep checking their
credit rating.”
Uncritical use of Companies House data is a major opportunity for
fraud. Although Companies House insists it is not a credit checking
agency, the accounts data filed with it is used by established agencies.
It's relatively easy for fraudsters to cycle cash through a company
account and build up a business that has all the trappings of success.
Castles in the air
“With a lot of the frauds I deal with, the entire company
is fraudulent,” says Kevin Mawer, a recovery and reorganization
partner at accountants Grant Thornton. “Do you need to steal
an identity when you can create one?”
One fraudster Mawer dealt with was even nominated for an entrepreneur
of the year award, after successfully persuading people to invest
in a company that was built on thin air.
“The fraudster tells such a good story in the round, people
don't focus on a single suspicious document,” he says. “I've
seen some very good bankers misled by some very poor data.”
One area of identity theft that Grant Thornton is increasingly seeing
is the fraudulent 'white knight' who poses as a company turnaround
specialist.
“These guys get a company that is nearly insolvent and say,
'Hand us the documents, we'll sort it out for you',” he says.
“The directors think the company has been liquidated, but
in fact it's being used for carousel fraud, or advance fee fraud.
The people that lose the most are those that supply goods on credit.”
“These guys will pose as insolvency practitioners, and say,
we'll take the assets and you can buy the assets back off us later,”
says Mawer. “They'll try to find your weakness in terms of
your own greed.”
Counterfeit counter
One of the biggest areas of identity theft is counterfeiting. This
is particularly a problem in the developing world, where intellectual
property protection is not yet on a par with the West. Cases include
a glue manufacturer whose products were counterfeited right down
to the photograph of the owner's wife mending her bicycle on the
packaging. The fraudsters even issued fake business cards to their
staff.
“Small brands have never had to bother with this, but all
of a sudden websites pop up pretending to be you,” says Bryan
Fite, global security architect at Reed Elsevier, publisher of Infosecurity. “You've invested in your brand and now someone is living
on that and diverting people from your site. What if they launch
a crazy 'introductory offer' and impact that segment of the market
- how are you ever going to be able to raise the price?”
According to Fite, the problem with corporate identity theft is
its cross-disciplinary nature. “Companies think that it's
being taken care of,” he says. “IT assumes the lawyers
are doing it and vice versa.”
This silo structure leads to gaps that criminals can exploit. “People
move at a hundred miles an hour to create domain names, but they
forget legal protections like trademarks,” he says. “Even
as you move to a new (logical) world, you can't forget physical
protection.”
Even where companies become aware of, say, trademark infringements,
they may not be fast enough to prevent serious harm. “Lawyers
are used to dealing over a period of months. If they think there's
an infringement, they'll send a cease and desist letter,”
he says. “A few weeks go by and they might call IT to ask
what's the purpose of the site? Is it installing cookies or collecting
passwords?”
Other currencies
Another problem is the nature of the assets under threat. “In
a corporate ID scam there are other forms of currency,” says
Fite. “In what we call g-commerce - gangster commerce - there
are these other currencies. Say I'm a spammer, I need fresh, good
email addresses. The use of your good name might not even be for
fraud, it might be just to generate clicks. What's stolen might
not be an asset an accountant would recognize.”
Fite believes the answer is to take an asset-based approach. “One
of the biggest challenges IT security professionals have is not
to be seen as extremists,” he says. “You need to become
more aligned with the business, to learn their language; your colleagues
are not going to learn the risk language.”
This approach requires owners of IP assets such as brands, domain
names, address lists and so forth to declare their value. “The
most fundamental concept is that you don't spend a million dollars
defending a $50 asset,” says Fite.
The other problem is getting people to declare the true value of
the assets they control. People tend to devalue their assets when
informed of the security requirements. However, acquisitions and
divestments force companies to value intellectual property, and
new governance regimes like Sarbanes-Oxley are increasingly being
recognized as covering the value of brands.
“If your brand is tarnished, it can harm your stock price,”
says Fite. “In fact, the end-goal of a scam might be to diminish
the brand to make the stock drop.”
Companies may also have to accept the need for due diligence to
protect their good name from being used to harm others.
Fite counsels companies to create cross-functional groups that bring
together departments like IT, legal and marketing, who rarely speak
to each other. “Marketing is where the IP is created, so ideally
that's where you'd plug in your programme,” he says. “Then
when you create a new asset you get legal to do the trademarks and
IT to do the domain names. People need to understand the issue and
commit the resources. It's not going to come from the tech side.”
About the author
Mick James is a freelance journalist who contributes to a number
of publications in the areas of management, consultancy, finance
and IT.