Corporate identity theft: a new realm in risk management

November 7, 2011

By Liz Osborne, Thomson Reuters Accelus contributing author

Nov. 7 (Thomson Reuters Accelus) – These days most people are aware of the dangers of someone stealing and misusing their identity to perpetrate fraud — but less people are familiar with the equivalent crime at a corporate level. Corporate identity theft (CIT) is the fraudulent and deliberate misrepresentation of a company’s identity. It is sometimes also referred to as a “white-collar crime” as it is generally conducted in a “cyber environment” and is not the domain of the stereotypical burglar.

Over the years we have seen a marked increase in this area due to the relative simplicity of the crime and the large degree of “trust” people have in doing business online. It is anticipated that in Australia alone consumers will transact more than A$10 billion dollars in 2012.

CIT occurs when a person or a group take on a company’s identity for their own malicious purposes. Usually CIT occurs so that criminals can extract money, data or any other kind of information from the organisation in order to profit through illegal means.

Corporate identity theft comes in various forms. The speed at which people can transact business online is now measured in nanoseconds. With the ever-changing advances in information and technology platforms, criminals have become very adept at keeping up with — and in some cases exceeding — current best security practises online.

It is often said that with the rapidly changing technological environment, the same technology that you rely on to conduct your business also leaves you exposed to criminals to work out your systems and fraudulently try to do business with you.


There are many ways in which corporations can be susceptible to ID theft. With the assistance of the internet, it is relatively simple to search a host of registries for information on a business. These include statutory documents, patents, trademarks, web domains as well as information that a company volunteers about itself. Fraudsters can use this information to gain a general understanding of how a company operates and where it has to file information.

Company logos and websites can be easily downloaded and replicated with a few clicks if steps are not taken to protect content.

It is well known that successful or recognised organisations, including government departments, have deep pockets. Criminals recognise that these private and public sector organisations have access to unlimited credit lines to make credit purchases. If a company’s systems are compromised it then becomes a simple task for the hacker to be able to make fraudulent purchases, with items being shipped to rented premises under the business’s name.

Fraudsters are able to change the names of directors or the registered business address of a company by filing out the requisite forms as required by the relevant regulators. Once this happens, it is hard to detect and difficult to reverse.


Phishing is a common technique that fraudsters use to steal company identities — both personal and corporate. Generally this happens via two main areas: email and internet.


Fraudsters often use email to target specific people in an organisation, such as the chief financial officer (CFO) or other staff members who have the authority to sign and make significant purchases.

The fraudster would normally send an email with a trojan virus attached to the CFO posing as another person in an organisation that the recipient recognises and trusts, such as the head of human resources. The purpose behind such an email is often to gain personal information. Once the email is opened the Trojan virus allows the fraudster to gain a “back door” entry or hack into the company’s systems.

With a simple Google search, there are various ways to learn how to hack into systems, how to hire a hacker or even programs that people can buy over the internet to enable people to hack into data centres.


With web-based phishing scams, fraudsters will create a copy of a web site and send emails to target specific people in an attempt to get them to visit the site and divulge personal information. This information is then “skimmed” and used by the criminal group behind the phishing operation, or on-sold and then exploited.

Once again there are numerous ways for fraudsters to learn these skills online. With information comes power, and with information being readily available to the tech-savvy criminals, public (and private) resources are being used to assist them in achieving their criminal end result.


There can be many motivators for corporate ID theft, ranging from disgruntled employees, (whose mission is to destroy the reputation and brand of a company) through to monetary gain, disgruntled clients or activists who have a platform that they want the world to see them through.

This can occur by accessing bank accounts, gaining inside knowledge of documents, selling off data held by departments or through the replication of the company’s internal systems.

Once access is gained, criminals have the ability to scrutinise and learn the internal systems of an organisation, identify the loopholes and then exploit these vulnerabilities for their own benefit.


Needless to say, the impact upon any business that falls victim to corporate identity theft can be highly damaging. Organisations can be left devastated and the reputation or brand of the company can be destroyed.

Unfortunately, no organisation is immune from being subjected to CIT. In Australia there are no mandatory laws for companies to disclose when their systems have been compromised. They are not required to make this public and, unlike our overseas counterparts, there are no penalties if they do not disclose this type of incident.

Organisations sharing this data can lead to wider fraudulent activity as, in many cases, criminals will apply for credit at a number of companies or use similar methods to steal corporate identities.

While the requirement to share knowledge is not mandatory, it is uncommon for an organisation to disclose that it has fallen victim to fraud for fear of embarrassment or the ensuing reputational fallout. In recent times there have been some very public “hacking embarrassments”, however, including those involving Sony Corporation, Vodafone and internet service provider Distribute.IT.


Aside from sharing information with clients and other businesses, we urge companies to consider taking the following preventative steps:

Adopt strict policies and procedures which involve interrogating internal systems to detect “soft spots” that may be vulnerable to fraudulent activity.

Employ an “ethical” hacker to aggressively test the integrity of an organisation and its software.

Train fraud investigation teams and staff to recognise “red flags”.

Human error — or social engineering — is at the top of the list for hackers who hope to gain access into organisations. The easiest way into an organisation is through weak usernames and passwords or compromising a staff member.

Staff are your assets. Protect them and get them to help protect your assets. Educate your staff on the need to be security savvy.

Carefully manage your data and manage risk. Get professional advice to help you implement systems to prevent and manage security breaches.


While corporate ID theft is the weapon of choice of many organised crime gangs around the world, with careful planning and common sense initiatives — and with robust systems and procedures in place — you can make a difference and significantly reduce your vulnerability to this type of activity.

(Liz Osborne is a director at fraud and security risk management consultancy Risq Group. RISQ is a global firm specialising in investigations and forensics, business intelligence, crisis and security management, risk consulting and technology.)

(This article was produced by the Compliance Complete service of Thomson Reuters Accelus.  Compliance Complete ( ions/regulatory-intelligence/compliance- complete/) provides a single source for regulatory news, analysis, rules and developments, with global coverage of more than 230 regulators and exchanges.)

No comments so far

We welcome comments that advance the story through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can flag it to our editors by using the report abuse links. Views expressed in the comments do not represent those of Reuters. For more information on our comment policy, see