The "bust-out" is just one of the schemes fraudsters use to steal your business identity, a crime that has gone largely unnoticed in a legal system focused on consumer ID theft
by John Tozzi
A criminal rents space in the same building as your company. Then he applies for corporate credit cards using your firm's name. The application passes a credit check because the company name and address match, but the cards are delivered to the criminal's mailbox. He sells them on the street and vanishes before you discover your firm's credit is wrecked.
The so-called "business bust-out" scam is one way sophisticated criminals steal business identities across the country (see BusinessWeek.com, 4/17/06, "Would I Lie to You? Five Cons Still Kicking"). Identity thieves increasingly target businesses instead of individuals, experts and law enforcement officials say, but federal law and many state statutes don't consider business identity theft a crime. That's because the raft of identity theft laws passed in the last decade apply mostly to individual consumers—not business entities.
A Gap in Statutes
While business identity theft can often be prosecuted under other statutes, like mail fraud or wire fraud, businesses victimized lose many of the protections afforded to consumers under identity theft laws, like access to information about their credit. Before California last year amended its 1997 identity theft law explicitly to include crimes targeting business entities, a business whose identity had been co-opted could not even get a police report. "We were having businesses being taken over and their names being used and I could not prosecute them, at least under ID theft statutes," California Deputy Attorney General Robert Morgester says.
It's difficult to say how many businesses have been victims of identity theft because most of the research focuses on complaints by consumers. Some studies say there were as many as 8.9 million individual victims nationwide last year, and estimated annual losses approach $50 billion. But the most sophisticated identity thieves increasingly are targeting businesses because the payoffs are bigger, Morgester says. Business accounts generally have higher credit limits and make larger purchases than consumers, so hefty charges by scammers are less likely to raise red flags. While most consumer frauds won't net a criminal more than $5,000, targeting a business can bring in 10 times that or more, he says—so "From a criminal's viewpoint, it's far more cost-effective to target a business rather than a consumer."
In a July 19 proposal, the Justice Dept. asked Congress explicitly to include businesses and organizations in the federal identity theft statute. "This is a real gap," says Betsy Broader, assistant director of the Federal Trade Commission's identity theft division. "The current federal law looks at ID theft as a crime against individuals."
Small Businesses at Risk
Small businesses in particular make ripe targets because they may be less savvy about protecting sensitive information than big companies that can afford to hire dedicated privacy officers. Often, small-business owners are just too busy to worry about identity theft—until it happens to their firm. "The worst thing a small business can do is think of themselves as a small business," says Linda Foley, co-founder of the nonprofit Identity Theft Resource Center. "You have to be a small business with a Big Business mentality."
Foley says business owners can protect themselves by keeping sensitive files under lock and key (electronic or otherwise), by restricting access only to employees who need it, and by closely watching their books. But sometimes there is little a business can do to keep from becoming a victim, as in the "business bust-out" scheme described above.
The new laws in California and the proposed federal change may give law enforcement the tools it needs to go after business identity theft. But because perpetrators can be elusive and investigators have limited resources, often the crime isn't prosecuted at all. According to a 2002 study by the Government Accountability Office, local prosecutors reported only being able to pursue a "small fraction" of reported identity thefts. Morgester says some detectives have 50 identity theft cases on their desk at once, and they must focus on the handful where they think they can make an arrest and get a conviction. If the loss is relatively small—under $10,000, he suggests—police may be reluctant to take it on. At the federal level, some U.S. attorneys have thresholds of $1 million.
Victims Must Investigate
But the best solution for businesses that have been victims of identity theft can be to do the legwork of an investigation themselves, says Morgester. Often business owners must do so anyway to recover their credit and reputation. If victims follow the paper trail and bring investigators a lead, police and prosecutors will be more willing to pursue it, he says.
"There's a lot of cases where the corporation or an individual by themselves can put together 90% of the evidence," Morgester says. "We've had a number of cases where, based on the material we had brought to us by the victims, the only last step we had to do was write a search warrant and kick down a door."
John Tozzi is an intern for BusinessWeek.com.