Challenges small businesses face with regard to identity theft:
• They don't anticipate they could be targets and they are complacent about a number of areas of the business that could make them targets.
• Their internal controls tend to be much more lax than larger businesses.
• They can have good credit ratings or valuable assets that make them attractive targets.
• Fewer staff means red flags often don't get raised and fraudsters can slide in under the radar.
• They can be a little too willing to suspend disbelief when easy money is apparently coming in the door.
Reid Lester, lawyer at Laishley Reed LLP
Examples of crimes committed involving identity theft:
(Note there are a range of frauds, some of which are directly labelled 'identity theft,' and others that are similar in nature.)
• A law firm is retained by a client that asks the firm to collect on a debt for it. After a demand letter is sent, the debtor pays the debt by way of certified cheque. The "client" then gets the firm to wire the funds to a foreign destination. It turns out the "certified cheque" was counterfeit and the law firm is out of pocket the full amount. A variation on this scam involves a "client" paying a small business with a cheque for an amount larger than the amount owed. The "client" then says, "Oh, sorry for the overpayment. Could you please take what we owe you out of that cheque and then wire the balance to a bank on the other side of the country?" The cheque is counterfeit, and the small business is then out of pocket for the value of the wire transfer.
• A municipality pays its contractors by electronic fund transfer (EFT). The municipality therefore has the account info for each contractor. A person calls the municipality to advise that the contractor has moved offices and changed bank accounts. The office clerk at the municipality duly changes the account info in the computer system and the next large payment to the contractor goes to a "rogue" bank account and the money is immediately withdrawn.
• A company deals with a lot of EFTs. It is in the process of moving head offices, so it is not checking and reconciling its bank account statements at the end of each month like it should. A rogue manages to obtain a cheque or a letter from the business that has authorized signatures on it. The rogue then scans the signatures onto a letter, which it faxes to the company's bank, asking the institution to wire a large amount of money to a foreign bank. The bank does this. In this case, because the company is not checking its accounts regularly, this same fraud happens twice more before the fourth attempt is detected and prevented.
• A fraudster rents out virtual office space and uses the same name as that of a real business. This can be done by using a similar name, or by obtaining certain information from the real business that it then uses to pass itself off as the legitimate business. This type of information can be obtained in the mail, or by going through the legitimate company's garbage, or through the use of an insider at the legitimate company. The fraudster then takes advantage of the legitimate company's good credit rating to order a bunch of product, only to have the invoices sent to the legitimate company for payment.
• An insider at a small business obtains certain confidential bank-account information and uses this info to arrange for funds to be wired to different accounts controlled by fraudsters. This info can also be given out inadvertently by the small business either by chatting a little too openly on the phone, or by not keeping such information strictly confidential when dealing with vendors, or by responding to "phishing" e-mails that solicit this type of info.
• With electronic registration of real property transfers, there are a lot of instances of mortgage fraud these days where a fraudster manages to register a transfer of title to a property to himself, or to an alias, and then obtain a hefty mortgage on the property.
Reid Lester, lawyer and partner at Laishley Reed LLP
How to prevent identity theft:
• Secure the business premises and have cheques and other important materials under lock and key in the office.
• Shred all confidential documents.
• Establish internal procedures, if possible, concerning the use of electronic fund transfers (EFTs), the use of passwords pertaining to bank accounts, the payment of invoices, the use of cheques, and the use of confidential information. Segregate duties if you can: don't give too much responsibility to "trusted" employees without having proper oversight. It can help to get professional advice in this regard (lots of consultants can do this type of thing).
• Limit internal access to confidential information. Use a point person for the bank, for example.
• Be suspicious even of certified cheques, and maintain a healthy skepticism of people you don't know well. In the case of certified cheques, it only takes a couple of days for the issuing bank to reject a counterfeit, so don't assume a certified cheque is as good as cash. It pays to wait a few days. If the vendor/customer is in too much of a hurry, there is probably something wrong.
• Never give out confidential banking or other sensitive information over the phone or by e-mail unless you are very confident of the security features of the system you are using. If someone has solicited this information from you, be very skeptical.
• Carry fidelity insurance for most types of fraud losses, and ensure you have adequate limits of liability. Speak to an insurance broker to ensure it understands your business and your particular needs.
• Conduct background checks on employees.
• Train employees on current fraud schemes, how to detect them and what to do when they are detected.
• "Wipe" hard drives of computers, digital photocopiers, fax machines, PDA devices, and other electronic equipment before disposal, sale and/or return to a leasing company, where applicable.
• Implement appropriate policies (such as privacy and data retention) and periodically test for compliance with such policies.
• Ensure proper encryption of laptops, PDAs, and other portable devices, particularly in case they get in the wrong hands.
• When sending information electronically, it should be done over a secure line, preferably with encryption in case hackers get access to the information.
• Ensure a written plan exists to clearly outline the steps the organization will take should fraudulent activity be suspected to ensure evidence is identified and preserved before it is tampered with, destroyed or disposed of.
Debbie Dresen, lawyer and partner at Davis LLP; Edward Nagel, a forensic accountant with Toronto-based Nagel + Associates
Recent high-profile cases of fraud and stolen information:
January, 2007: TJX Companies Inc., the parent company to Winners Merchants Inc. and HomeSense in Canada, issued a press release to announce it had suffered an unauthorized intrusion into its computer systems that process and store information related to customer transactions. The company stated that the intrusion involved the portion of TJX's computer network that handled credit card, debit card, cheque and merchandise return transactions for customers. The company had alerted law enforcement of the crime, and with the authorities' agreement, had notified its contracting banks, credit card, debit card and cheque processing companies of the suspected intrusion.
February, 2008: Bell Canada Enterprises recovered stolen data relating to 3.4 million Ontario and Quebec customers. Apparently the information was all electronic: on a hard drive, memory stick and CD.
June, 2009: Alberta Health Services (AHS) reported two physically locked-down laptops stolen from the lab at the University of Alberta Hospital. Less than a month later, private medical files of 11,000 Albertans within AHS were in jeopardy as a virus intermittently took snapshots of screens of computers that access the data. Authorities warned that the information could have been transmitted to unknown locations.
August, 2009: Toronto Hydro sent 685,000 letters to inform customers that the name, address, account number and the amount of the last bill of some of their customers got into the hands of a third party not associated with Toronto Hydro. The letter does not use the word "stolen" or "theft" but that appears to be what occurred.
Compiled by Edward Nagel, a forensic accountant and partner at Nagel + Associates