COVID-Related Business ID Theft Rising Fast

COVID-Related Business ID Theft Rising Fast

Alongside all of the harm the COVID-19 pandemic has caused to our family, friends, and businesses, the unfortunate truth is that hackers and scammers are profiting off of the chaos. From data breaches of government sites, to hacks against the healthcare industry, to COVID-related phishing themes, consumers have reported over $98 million lost in COVID-19 scams since January. What is not included in that number, however, is the dramatic increase in COVID-related ID theft against businesses.

Business ID theft is not a new problem. Dun and Bradstreet, a data analytics company that handles credit checks for many businesses, reported a 100% increase in ID theft against businesses in 2019. This year, however, the problem has grown out of control, with a stunning 258% spike in business identity theft since the beginning of 2020. This is in large part directly related to the COVID-19 pandemic, because scammers will steal business information to illegally gain access to relief funds and loans.

According to reports, there are groups of cyber scammers that target small businesses for ID theft throughout the United States. The groups will start by looking up business records through the Secretary of State website, identity the officers and owners connect to the company, then find corresponding tax ID and social security numbers on the dark web. These groups will then forge official documents with this information and submit them to the Secretary of State with a mailing address that they control. Traditionally, they will use these documents to update profiles on credit monitoring sites, like Dun and Bradstreet, and apply for credit lines with companies like Staples, Home Depot and Office Depot. Now, however, these groups have switched their tactics and are carrying out business ID thefts for COVID-related federal assistance, such as unemployment payments or relief loans for small businesses.

As we’ve wrote about before, hackers and scammers will often take advantage if times of crisis, confusion, and uncertainty in order to make money or seed further chaos. Given the dramatic rise of business ID theft throughout the COVID pandemic, small businesses should take steps to protect themself against this threat. The most effective way to detect and prevent ID theft is to regularly monitor and update your business information. This includes keeping an eye on your financial records and credit lines to spot potential fraudulent activity, as well as checking your business records with the federal and state government. If you spot a any changes your records that you don’t recognize, it’s a likely sign someone is in the process of stealing your business’ identity.

It can be hard to regularly monitor your records and stay vigilant when you are trying to keep your business afloat throughout the pandemic, but this is exactly what scammers are hoping for. You don’t need to be checking your credit report every single day, but it is essential to keep as close an eye as possible on your records to ensure you and your business are protected from fraud.

Identity Management 101

Identity management should be considered an essential part of any business’s cybersecurity policy. No, it’s not the process of deleting your old college party photos from Facebook (although that’s not a bad idea). Instead, it’s a way to manage who has access to what information and when 

Misuse of credentials—either intentionally or unintentionally—is a prime vector for security issues. It would certainly be a lot easier to just give every employee access to all of your systems and files but having this sort of “open door policy” exposes your organization to serious risk. The Ponemon Institute’s Cost of Insider Threats report show that privilege misuse is an increasing cause of data breaches and costs organizations an average of $8.76 million. 

To help prevent this, it’s important that any identity management policy a business uses should incorporate the concept of least privilege. This means exactly what it sounds like: every user should be given the least amount of privileges to applications and systems necessary to complete their work. And managing access privileges is not a one-time thingIf a user only needs access to certain information for a short period of time, you want to ensure to restrict that access once they no longer need it.  

Low-Hanging Fruit

Along with employing a least-privilege policy, there are a few more simple steps every business should take when developing identity management practices:  

  1. Make sure that only those who need it have administrator privileges. On top of this, those with administrative privileges should have a separate account to access systems and software which does not require privilege, such as email or, yes, Facebook.
  2. Require users with a greater risk-level to use multi-factor authentication (MFA). This includes those with administrative privileges and users who log-in remotely.  
  3. Remove credentials for anyone who no longer needs access, such as ex-employees and short-term contractors and vendors.  
  4. Require users to create long, complex and unique passwords. There is no need to reset passwords unless they’re forgotten or you suspect they’ve been compromised. Check out NIST’s password guidelines for more information on this.  

Next Steps

While using various technologies throughout an organization streamlines activity, it also creates a more complex user environment, which poses its own security risks. To help mitigate these risks, there are a number of additional steps you can take, such as utilizing Single SignOn (SSO) and Identity Management Systems. 

Single Sign-On allows employees to use one set of credentials to access multiple applications. This may seem counter intuitive but limiting the number of credentials can actually improve security. Often, when users are required to keep multiple passwords, the overall strength of each password goes down, making it easier for credentials to be compromised. Focusing instead on maintain one strong password will help keep your systems more security.  

Lastly, there are identity and access management systems which can help automate this process. Along with managing user access, these systems can monitor user activity and enforce organizational policy on data use and sharing across the board.