Treasury Today Country Profiles in association with Citi

Corporate identity theft

Illegally using personal or company data for financial gain is a serious crime with far-reaching consequences for individuals and corporations alike. We look at why it is essential for companies to encourage a security-conscious culture in order to prevent identity fraud.

In June 2009, a woman was indicted for defrauding the US state of West Virginia of $2m, simply by obtaining a passport in someone else’s name and then using it to set up two bogus companies. The businesses, called Deloite Consulting Corporation and Unissys Corporation, were used to divert funds from Deloitte and Unisys respectively and resulted in a top-to-bottom audit of West Virginia’s payment processes. The case brings home the need for corporations to have robust authentication processes in place, not only for accounting purposes but also for staff, systems and third parties. We review some of the risks and actions that can be taken to address them below.


The biggest risk to companies of unauthorised individuals gaining access to and using information comes from a lack of security at user level. According to research carried out by Wichita University, 75% of regular computer users have a set of predetermined passwords that they use regularly, and 60% do not vary the complexity of their password depending on the site they are using. This means that, unless companies have a clearly stated password protocol – and evidence suggests that many overlook this fundamental issue – employees who frequently access sensitive data are inadvertently risking attacks from identity thieves with sophisticated code-cracking programmes. The following actions may help to prevent such attacks:

  • Ensure that passwords are ‘strong’ – meaning that they are at least eight characters long (ideally 14 characters or more), do not contain real or company names or a complete dictionary word, are significantly different from previous passwords and contain a mixture of upper and lower case letters, numbers and characters.

  • Change passwords regularly.

  • Use different passwords for all user accounts.

  • Do not allow systems to save passwords.

  • Strictly enforce the policy throughout the business.

Data access

Careful management of staff access to data also plays an important part in preventing identity fraud. The increasing use of portable technology has resulted in several cases of significant data loss – most notably from HM Revenue and Customs in the UK where the personal details of 25m people went missing in 2007. To combat this, it is vital to develop a security conscious working culture where data is seen as a highly important asset, and protecting it is second nature.

Hewlett-Packard, one of the world’s largest technology services companies, employs over 200,000 people in 80 countries. Because of its commitment to flexible working practices and recent experience of laptop theft, it has developed a universal policy for protecting mobile technology, which may contain sensitive data:

  • Agree on a code of conduct concerning:

    • What data can be removed from company premises?

    • What hardware and software can and cannot be used on company equipment? For example, USB ports may be disabled and Bluetooth capabilities switched off.

    • How are employees expected to work within company policies and security measures?

  • Apply a multilayered approach to mobile asset security, covering:

    • Physical theft prevention – locking hardware out of sight, using inconspicuous carry cases etc.

    • Virtual data security – encrypted and password protected files, use of firewalls and protective software programmes.

    • Tracking assets and identifying unauthorised equipment changes using specialist software.

    • Effective backup systems to minimise losses if a mobile device goes missing.

    • Development of a ‘worst case scenario’ post-theft plan, including remote data deletion capabilities.


Taking effective measures against accidental data breaches depends on ensuring that the workforce has a clear idea of their roles and responsibilities and the consequences of non-compliance with protocol. Protecting systems globally against potential identity thieves – either internal or external – requires an additional layer of security.

For this, many corporations are turning to biometrics – there are a number of solutions available, ranging from fingerprint identification to iris scanning – to preserve the security of their systems. The US-based Financial Services Technology Consortium, backed by Wells Fargo and Bank of America, has recently launched a project to investigate the use of biometrics for authenticating identification, and the EU has committed SEK5.7m to a research project headed by Swedish firm Precise Biometrics, whose remit is to design a comprehensive identity management system which combines fingerprint identification and cryptography.

A number of financial service providers have already adopted this new technology:

  • National Australia Bank’s telephone banking customers are using voice recognition to verify their identity rather than passwords and PINs, which are easier to use fraudulently.

  • HSBC has introduced facial recognition software to protect access to data centres at its UK headquarters, in response to concerns about identity theft.

  • Société Générale has committed to developing biometric system controls for its dealers following its losses in 2008, which were allegedly caused by junior trader Jerome Kerviel. Kerviel is rumoured to have placed unauthorised trades using colleagues’ access details.

Third parties

Perhaps the most widely-covered aspect of identity theft is fraudulent activity by third parties – individuals who set up companies impersonating existing brands, or who issue false communications to customers with the aim of obtaining bank and other personal details.

Impersonation can take a number of forms. For example, NEC in China, Japan and Taiwan fell victim to identity theft when a group of fraudsters persuaded managers in more than 50 factories that they represented the corporation – they went as far as duplicating electronic devices and producing their own product line before they were discovered. Meanwhile, cybersquatting – setting up websites with names similar to existing companies – is a growing concern for businesses with a significant online presence. Recently, Barclays and Citibank both took action when domain names similar to theirs were used for fraudulent purposes.

Finally, there are a number of company ‘hijackers’ – usually targeting banks and other financial institutions – who contact customers direct through hoax emails, asking for bank account and other details. Thanks to regular communications from banks and building societies warning customers not to reply to these emails and reiterating company policy on how they will ask for account details, the damage done by this kind of deception is limited.

Companies who fall victim to third-party identity theft usually have recourse either to criminal law, for obvious deception cases involving hoax emails or impersonation, or to civil law. Legislation under the Uniform Domain Name Resolution Policy (UDRP) and arbitration carried out by the World Intellectual Property Organisation help businesses to recover domain names and restore brand integrity.


In order to protect corporate identity and limit the opportunity for data misuse, companies must be vigilant. This means:

  • Enforcing security policy internally, from password protocol to shredding sensitive documents.

  • Viewing company data as a valuable asset and establishing stringent measures over access and management.

  • Maintaining regular and effective communication, both internally and externally, with updates on potential threats to identity.

  • Purchasing any domain names that might be used by a third party posing as the company, such as common misspellings of the company’s name.