Corporate Identity Fraud: SMEs Unaware of Risks

Corporate
Identity Fraud
A CPP white paper

May 2010

Contents
1.1 Foreword

1. Industry Facts

1.3 Research methodology

1.4 SME Key Findings
- Only 56% of SMEs were aware of company identity fraud
- 46% think corporate identity fraud is on the increase with only 4% thinking
it is not on the rise
- Over a fifth (22%) of SMEs consider that their company is at risk from
corporate identity fraud
- Fraudulent applications for corporate credit cards and spending are the most
common consequences
- Only 14% of SMEs have heard and use Companies House PROOF scheme
- 87% of SMEs were not aware of Company House loopholes
- Limited awareness of Principle One of the Data Protection Act 1998
- Half of SMEs do not have anyone responsible for Data Protection or do not
know if they have anyone responsible for Data Protection

1.5 Documentary Key Findings
- Company hijacking occurs with the submission of false documents to
Companies House using:
- Change of registered address (form AD01)
- Change of directors/secretary (form CH01 to CH04)
- Companies House does not verify information filed on signed forms and
accepts them in good faith
- Only 3% of companies in England and Wales and less than 0.4% in Scotland
file corporate documents via PROOF
- Companies should not rely on Companies House records alone in determining
whether to lend goods or services on credit, as Companies House is a public
register and not a credit reference agency

Corporate Identity Fraud May 2010

Contents 3
1.6 Case Studies

1.7 Minimising the risk

1.8 Conclusion

1.9 References

1.10 Avoiding Corporate Identity Fraud

1.11 Further Information

1.1 About CPP


Introduction 4
1.1 Foreword
This study surveyed 507 small and medium-sized companies within the UK to investigate
awareness of and responses to corporate identity fraud; that is, the impersonation of
another organisation for financial or commercial gain.1
According to Business Link and the Metropolitan Police, the theft of entire corporate identities
(‘company hijacking’) costs businesses an estimated £50 million a year. Many of these
frauds are facilitated by changing key company information on the register of companies
administered by Companies House. This can be done by paper forms as well as electronically.
Companies House says it receives half a million paper documents a month and over 50 of
those are fraudulent. However Companies House does not check details of paper documents
for validity and accepts paper submissions in good faith. It does not automatically notify
directors or company secretaries that paper forms have been filed for their company.
Although electronic measures are being put into place to minimise the risk of corporate
identity fraud, these themselves are also potentially susceptible to fraud.

The theft
of entire
corporate
identities costs
businesses an
estimated £50
million a year

1 Fraud Advisory Panel, ‘Fraud Facts’ (2008); Fellowes, ‘Mind your own business: a practical guide to identity fraud prevention
for business’ (2009).


5
1. Industry Facts
To date there are very few industry statistics reporting on the issue of corporate identity
fraud – this is one of the reasons CPP decided to investigate the matter to determine the
scale of the fraud and whether SMEs were properly safeguarded against fraudsters. This
study complements a previous report titled ‘Company Identity Theft: How safe are UK
Businesses?’ issued in 2006 by CPP that reported high levels of concern, but mixed
understanding of what it is and what it can lead to.
Of the limited information in the marketplace, Business Link and the Metropolitan Police
estimate the theft of entire corporate identities costs businesses an estimated £50 million
a year.

1.3 Research Methodology
The research undertaken in this study was in two distinct parts.
Survey of small/medium enterprises (SMEs)
The field research involved an online survey conducted by research company Research
Now among 507 SMEs across the UK between 25 February and 3 March 2010. The
questions concerned awareness of corporate identity fraud, profiles of victims of corporate
identity fraud and the levels of data protection that SMEs currently put in place to protect
against corporate identity fraud.
Documentary research
The documentary research conducted by Invenio Research Limited was concerned with
the selection of available literature on corporate identity fraud.2 The bibliographic
framework explored comprised books, journal articles, ‘grey’ literature (such as conference
proceedings and newspapers),3 official publications4 and statistics.
The findings of this research are based on a non-random sample of convenience and
whilst they give insight into fraudulent behaviour and victim impact, they do not
necessarily give rise to findings that may be generalised to a wider population.

2 C Hart, Doing a Literature Search (Sage, London 2004).
3 C Auger, Information Sources in Grey Literature (4th edn Bowker-Saur, London 1998).
4 D Butcher, Official Publications in Britain (Bingley, London 1991).


6
1.4 SME Key Findings
Only 56% of SMEs were aware of company identity fraud
When we broke this down by sectors, Legal Services were the most aware at 75%,
followed by Financial Services (70%), IT and Communications and Transport and

46% think Distribution (69%). The sectors least aware were Health and Social Care Services with just
over a third aware.

corporate Regionally businesses in Newcastle were least aware (38%) verses 71% in Liverpool.

identity fraud 46% think corporate identity fraud is on the increase

is on the Despite low media awareness nearly half think corporate identity fraud is on the increase.
This was highest across the Transport and Distribution (69%) and Financial Services (67%)

increase sectors. Construction (29%) and Personal Services i.e. hairdressing (33%) were the least
likely to think corporate identity fraud is on the increase.
Aligned with general awareness, businesses in Liverpool (71%) were most likely to think
this fraud is on the increase, verses only 21% in Newcastle.
Over a fifth (%) of SMEs considered that their company is at risk from
corporate identity fraud
Despite just under half thinking that corporate identity fraud is on the increase, one in five
businesses think they could be at risk. Over half the businesses in the IT and
Telecommunications sector and 38% of Transport and Distribution organisations consider
themselves at risk.
Businesses in Liverpool (33%), Newcastle (29%) and Manchester (28%) considered
themselves at most risk of fraud.
Of the 507 SME businesses questioned, only 2% reported they had been a victim of
corporate identity fraud. Of these victims, the IT and Telecommunications (7%) and Retail
(8%) sectors had the highest incidence of victims. This figure is likely to grow rapidly as
fraudsters understand that corporate identity fraud is more lucrative and potentially easier
to commit than fraud against the individual. With 2,433,549 companies in England and
Wales and 147,577 in Scotland, this equates to over 51,000 corporate victims verses more
than 100,000 individual victims of identity fraud every year in the UK.
50% of those SMEs questioned considered that their company was not at risk from
corporate identity fraud.
Fraudulent applications for corporate credit cards and spending are the
most common consequences
Of those businesses affected, the most common consequences were the application of a
corporate credit/debit card and the fraudulent spending of money (44%), the fraudulent
ordering of goods (33%) and the fraudulent acquisition of business in the company name
(33%).
Most losses reported by SMEs were between £20,000 and £30,000 reflecting the
considerable lines of credit that fraudsters can draw on from existing creditors or suppliers.


7
When questioned about the affect the fraud had on their organisation the three most
common affects were the adverse affect on the businesses credit rating, damage to
company reputation and loss of customers.
56% of SMEs believe the fraudster was an ex-employee (or associate). The most common
form of data they could have accessed was Employee Profile information (57%), Company
Bank Account details (46%) and Company Financial Statements (42%).
Only 14% of SMEs have heard and use Companies House PROOF scheme
of electronic filing
One of the ways that corporate identity fraud happens is via company hijacking. Company
hijacking occurs with the submission of false documents to Companies House and
normally involves changing the details of a company’s registered office address or the
details of its directors or company secretary. The amendments to the company records can
be done via the simple submission of a paper form. Previously known as ‘Form 287 scam’,
this has become the standard accepted form of corporate identity fraud. Although not
perfect PROOF offers some protection from these activities that can lead to fraud.
A further 12% have heard of PROOF, but still choose to file corporate documents on paper.
Almost three in ten companies (27%) haven’t heard of PROOF and subsequently default to
paper filing. A further 22% haven’t heard of PROOF but file their document online.
Sectors that have heard of PROOF but ignore the security benefits include
Accommodation (32%) and Legal Services (25%). IT and Telecommunications (38%),
Property e.g. estate agents and lettings, Financial Services and IT and Telecommunications
are the most likely to have heard of PROOF and use its services.
Regionally, businesses in Edinburgh (25%), Norwich (21%) and Manchester (21%) are
most likely to have heard of PROOF but choose to file corporate documents on paper.
87% of SMEs were not aware of Company House loopholes
Nearly nine out of ten companies were not aware of Company House loopholes that allow
somebody to register as a new director or to change company address details without first
notifying the company directors or company secretary.
These loopholes will be discussed in more detail in second half of this report.
There were only three sectors that seemed to have some awareness, albeit low, of these
loopholes including Legal Services, Catering and Accommodation and Wholesale.
Businesses in Bristol (19%) and Manchester (18%) claimed to be the most aware.
Limited awareness of Principle One of the Data Protection Act 1998
Only 37% of SMEs are aware that processing of personal data required registration with
the Information Commissioner’s Office.
Sectors least aware of Principle One included Construction (83%), Mining, forestry and
fishing (75%) and Health and Social Care Services (73%).
Businesses least aware were located in Edinburgh (85%), Cardiff (75%) and Leeds (71%).
The requirement to process personal data fairly and lawfully is set out in the first data
protection principle and is one of eight such principles at the heart of data protection


8
Principle One of the Data Protection Act means that organisations must have legitimate
grounds for collecting and using personal data, must not use the data that would have
unjustified adverse affect on the individual, be transparent about how they use the data
and give the individual appropriate privacy notices when collecting their personal data.
In addition organisations must handle people’s personal data only in ways they would
reasonably expect and make sure they do not do anything unlawful with the data.
More information on the Data Protection act can be found on the Information
Commissioner’s Office website at http://www.ico.gov.uk
Only half of SMEs have someone responsible for data protection
The other half said no (26%) or didn’t know (23%). This may help explain some of the
shortfalls reported in the protection of personal and sensitive information in this report
- 47% have employees who can access sensitive data
- 13% have no measures to protect sensitive electronic data
- 24% leave sensitive information in unlocked filing cabinets
- 61% don’t encrypt sensitive data
- 21% do not have password protection on sensitive documents
- 84% do have anti-virus software installed on PCs
- 83% do have firewalls installed
- 76% regularly back up data
- 61% do not have staff training on data handling
- 75% have nor run any training for HR or Finance on data handling
- 67% do not have a data handling policy

1.5 Documentary Key Findings
Only half of Corporate identity fraud has been described as the impersonation of another organisation
for financial or commercial gain;5 or occurring when a false corporate identity or another
SMEs have company’s identity details are used to support unlawful activity.6

someone Various different fraudulent activities are covered under this umbrella term. Of these, the
primary activity under consideration within this study is commonly referred to as
responsible for ‘company hijacking’.
How company hijacking occurs
data protection Company hijacking occurs with the submission of false documents to Companies House
and normally involves changing the details of a company’s registered office address of the
details of its directors or company secretary.

5 Fraud Advisory Panel, ‘Fraud Facts’ (2008); Fellowes, ‘Mind your own business: a practical guide to identity fraud prevention for
business’ (2009).
6 Home Office Identity Fraud Steering Committee.


9
The amendments to the company records can be done via the simple submission of a
paper form.
Change of registered address (Form AD01)
Form AD01 (see Appendix A) is used by UK companies wishing to change the location of
their registered office address and was introduced on 1 October 2009 following the
Companies Act 2006 coming into force.7 It replaced the Form 287 document which was
used previously.
Change of director/secretary (Forms CH01 to CH04)
Forms CH01 to CH04 (see Appendix A for CH01 and CH03) are used to change the details
of directors and secretaries as follows:
- Change of director’s details (CH01; formerly 288c)8
- Change of corporate director’s details (CH02; formerly 288c)9
- Change of secretary’s details (CH03; formerly 288c)10
- Change of corporate secretary’s details (CH04; formerly 288c).11
In addition the details of the registered officers (directors and company secretary) of all
limited companies in the UK are held as public information at Companies’ House. This
information can be accessed through http://www.companieshouse.gov.uk/ and through
various other agencies and includes the names, addresses and dates of birth of company
directors.
Companies House reports that in 2008-09 it employed 1,198 full-time equivalent staff,
1,159 of whom were based in Cardiff, 31 in Edinburgh and 8 in London.12 It does not,
however, have the resources to notify extant company directors or company secretary that
paper forms have been filed for their company. Moreover, Companies House does not
check the details on the paper forms for validity. As a result, such forms are taken at face
value and the register of companies updated accordingly, even if the updated information
is false. Companies House accepts information filed on signed paper forms in good faith.
It states very clearly on its website that:
“ ompaniesHouseisaregistryofcorporateinformation.Wecarryoutbasicchecks
C
tomakesurethatdocumentshavebeenfullycompletedandsigned,butwedonot
havethestatutorypowerorcapabilitytoverifytheaccuracyoftheinformationthat
corporateentitiessendtous.Weacceptallinformationthatsuchentitiesdeliverto
usingoodfaithandplaceitonthepublicrecord.Thefactthattheinformationhas
beenplacedonthepublicrecordshouldnotbetakentoindicatethatCompanies
Househasverifiedorvalidateditinanyway.”13

7 Companies Act 2006 s87.
9 Ibid.
11 Ibid.
12 Companies House, ‘Annual Report and Accounts 2008-09’ http://www.companieshouse.gov.uk/about/pdf/annrep2008_9.pdf.
13 http://www.companieshouse.gov.uk/toolsToHelp/ourServices.shtml.


10
The fraudulently updated data becomes part of the public record. Therefore, checks which
are made on the company against the register will show that the applying director is
registered as an official director of the company and that the address supplied is the
registered office of the company. The fraudulent data would appear legitimate in relation to
any director/address checks undertaken on the company. Any ordinary credit search
against the company would show the actual credit rating of the company.
Provided that the credit rating is healthy, orders made in the name of the company by a
seemingly bona fide director would be likely to be dispatched to the false registered office
address. The legitimate business may not know that the order had been placed or goods
dispatched until the supplier chased for payment. This fraud would impact both the
hijacked company (in terms of impact to its credit rating) and the supplier.
Companies House receives around 500,000 paper documents each month and estimates
that between 50-100 of these are fraudulent. While this is only up to 0.02% of all
documents received, Metropolitan Police estimates that the loss to industry resulting from
company hijacking is in excess of £50 million annually.14 In 2007, a Metropolitan Police
officer was seconded to Companies House in Cardiff to improve the way these cases are
identified.
The officer was placed in Companies House as part of Operation Sterling, which targeted
financial crime in London. Companies House saw the potential to fulfil an intelligence role
in a national context and, so, took on the work because the Metropolitan Police does not
have a remit outside London. This involved the Metropolitan Police training Companies
House staff. In the 18 months since Companies House took over this role it referred 904
cases to law enforcement agencies, including fraudulent changes of registered office, false
appointment and false resignation of company officials.15
The House of Commons Business and Enterprise Committee has commented that while it
understands the rationale for the withdrawal of the permanent police presence at
Companies House, it is ‘nervous’ about this apparent reduction in the overall anti-fraud
effort. It recommended, in 2009, that Companies House and both the Metropolitan and
City of London Police forces conduct regular assessments of the skills and knowledge of
the staff at Companies House in relation to the opportunities for fraud.16
The following section provides some examples of fraudulently submitted paper
documentation, typically relating to appointment of directors and change of company
registered office address.

14 ——, ‘Police tackle Companies House database scam’ (Out-Law News 11 May 2005) http://www.out-law.com/page-5686.
15 R Tyler, ‘Companies House targeted in credit scam’ Telegraph (London 17 April 2007) http://www.telegraph.co.uk/finance/
yourbusiness/2807437/Companies-House-targeted-in-credit-scam.html.
16 House of Commons Business and Enterprise Committee. ‘Companies House: Government Response to the Committee’s
Thirteenth Report of Session 2007–08’ HC (2008-09) 206 6.


11
1.6 Case studies
The following companies and individuals demonstrate examples of fraudulent activity
based on paper forms being submitted to Companies House (obtained via reports received
by UK Data from the Metropolitan Police and other sources):
Case study one: The Bruce Electrical Company Limited (0408563) – Fraudulent
change of registered office and appointment of director without consent
Miss Ghazala Shabir contacted Companies House to complain that her address of 81 St
Marks Road, Maidenhead, SL6 6DT had been used as the registered office address of the
company without her consent on Form AD01:


1
She had also been appointed without her consent as a director of the company. The
director Mr Umar Rasheed was unaware of the change of address but has taken steps to
amend it. He does not know either Ghazala Shabir or Mr Sanjeev Chhabra who was also
appointed to his company via lodgment of a Form AP01 in November 2009:


13


14
Case study two: A.D. Hunn Limited (5697775) – Fraudulent change of
registered office
A form AD01 was filed on 29 October 2009 changing the registered office address from 75
Newnham Street, Ely, Cambridgeshire, CB7 4PQ to 7 Ardfern Avenue, Norbury, London,
SW16 4RB. This was done without the knowledge or consent of the company. The register
has been amended to show the correct address


15
Case study three: SIM Associates Ltd (SC5050) – Appointment of
director without consent
Mr Steven Polwart says he has been appointed without his knowledge or consent as
director and has no knowledge of this company. He is shown as having been appointed in
2007 when there were several other changes of appointments.


16
Case study four: R.M. Bonar Ltd (SC75985) – Fraudulent change of
registered office and possible fraudulent trading
The registered office address of this company was changed by submission of Form 287 on
14 August 2009 to 18 Community Road, Bellshill, North Lanarkshire, ML4 5QR. (This post
code is incorrect).

The occupier of the address is an elderly lady who has since received numerous demands
and summonses addressed to Mr Bonar. He is shown as resigning on the same date and a
William McEwan appointed. Mr McEwan’s address is given as 18 Community Road but he
does not reside there. It was proposed to strike this company off.


17

Mr Bonar incorporated a new company Mayfield Electrical Maintenance Ltd (6995560) on
19 August 2009, five days after resigning from RM Bonar Ltd.


18
Case study five: Paul Thompson Builders Ltd (4710941) – Fraudulent
change of registered office
The registered office address of this company was fraudulently changed by submission of
paper AD01 on 12 January 2010 to 46 Manor Road, Tottenham, London, N17 0JJ.
This address has come to notice before. It is also linked to:
- 35 Parkland Road, Wood Green, London
- 91 Aldridge Avenue, Enfield, EN3 6JA
- 52 Springfield Road, London, N15 4AZ
all of which have a connection with fraudulent changes of registered office. The company
has amended the Register to show the correct address of 29 Nutter Road, Thornton-
Cleveley, Lancashire, FY5 1BQ.


19
Case study six: Mtee Limited (05909070) – Appointment of director
without consent
Mr Jamail Akhtar has complained to Companies House that he was appointed without his
knowledge or consent as director via paper Form 288a. The register shows a series of
resignations and appointments since incorporation but has filed its annual accounts and
returns where appropriate. There have also been several changes of registered office
address. The last set of accounts for year ending 31/08/2008 show a £1.1million turnover
after previously filing dormant accounts. However, this company also has nine county
court judgments (CCJs) against it.


0
1.7 Minimising the risk
There are some relatively well-publicised steps that can be taken by small businesses in
order to minimise the risks of company identity fraud. In particular Companies House
publishes extensive information on its Web filing, PROOF and Monitor services:
Companies House – Web filing
WebFiling was introduced in May 2001 and allows companies to file their Annual Return
online with Companies House for £15. Other information can be filed free of charge
including Director, Secretary and Registered office changes as well as abbreviated and
dormant company accounts. The service offers pre-populated screens. Information
displayed on screen may be amended online and the service has some in-built checks
such there is less chance of document rejection.
The service also confirms safe receipt of information by Companies House via two e-mails.
The first will confirm receipt of the data and the second will confirm if it has been accepted
or rejected.
Newcomers to WebFiling must first register for two codes. First, a security code, which
identifies them as a user of the service. It is sent by email when registering and is linked to
an email address. Second, a company authentication code which is sent by post to the
company’s registered address. This code is the electronic equivalent of the company
director’s signature and must be kept secure.17
However, there is a possibility that the registered office could first be changed via a paper
WebFiling was Form AD01. If this was changed to a fraudulent address and this change was not noticed
by the company itself, then the company authentication code would be sent by post to the
introduced in new registered address and into the hands of the fraudster. There appears to be no check
that the email address is actually linked to the bona fide company; so that the security
May 2001 and code could be linked to a fraudulent email address. This could be set up on a similar

allows
domain name to that of the company itself to minimise any suspicion.
There have also been recent instances in which Companies House customers have been
companies to contacted by someone claiming to be from Companies House, asking for verification of
their WebFiling Authentication Codes. Companies House personnel will never contact
file their companies by telephone to try to ascertain their WebFiling Authentication Codes.
Companies House advises businesses that should anyone contact them claiming to be
Annual Return from Companies House, then they should try to obtain a return telephone number and
contact Companies House immediately.18
online with Companies House – Protected online filing (PROOF)
Companies The Companies House PROOF scheme has been in operation since 2005. Initially

House for £15. companies could only join the scheme by submitting a paper (PR1) form. With the
introduction of the Companies Act, the PROOF scheme now has new terms and
conditions which operate under section 1070 of the Companies Act 2006 and which
permit Companies House to agree for delivery of documents by ‘electronic means’.
Companies may now opt-in to PROOF without submitting a paper form.

17 ——, ‘Why WebFile?’ (2009) 32 Company Secretary’s Review 177.
18 Companies House, ‘Urgent fraud warning’ http://www.companieshouse.gov.uk/about/miscellaneous/misc1.shtml.


1
In order to join PROOF, a company must first be registered for WebFiling. As described in
the previous section, there is a possibility that this registration process could be open to
fraud if the registered office had previously been changed by submission of a paper form
prior to the fraudster requesting an electronic security code.
Assuming that a company has successfully and securely joined PROOF, then Companies
House will reject attempts to file the following forms on paper and will send the paper
forms back to the registered company address:
- annual return
- change of registered office address
- appointment, termination or change of particulars of a company officer.
The PROOF scheme therefore covers all the paper forms that have commonly been used
by fraudsters to hijack companies.
The original means of registration to PROOF involved a paper-based sign-up which
deterred many companies from taking advantage of the protection it offers. The system
has been changed to allow companies to opt-in to PROOF via WebFiling.19
According to Companies House, companies may not join PROOF if they are subject to an
‘ongoing internal dispute’; while Companies House offers no further information as to
what this might cover, it is possible that companies may be denied registration for PROOF
while they are in the process of remedying the effects of a fraudulent paper-based change
to their registration, which is a lengthy process generally requiring a court order.
As at 19 May 2008, out of 2,615,001 live companies registered in England and Wales,
85,273 companies are in PROOF (3.26%) along with 566 out of 151,897 live Scottish
companies (0.37%).20 This data was released by Companies House following a Freedom of
Information request.
As at 4 April 2010, Companies House reports 2,433,549 companies in England and Wales,
and 147,577 in Scotland.21 No information on PROOF registrations is currently available at
this date.
PROOF case study – Paragon Interiors Group plc (1981976)
A paper form ADO1 changing the registered office (from Paragon House, Orchard Place,
Nottingham Business Park, Nottingham, NG8 6PX to Imperial Court, Exchange Street East
Unity 1A, Liverpool, Merseyside, L2 3AB) was rejected because the company had opted-in
to PROOF. The director contacted Companies House to report that the form was fraudulent
and that someone had forged his signature.
Monitoring services
Monitoring services are available that focuses on changes to information that may identify
the presence of fraudulent activity, triggering alerts on changes to registered offices,
company officers, filing of accounts, changes in credit limits, CCJs and insolvency orders.
Companies House offers a Monitor service via WebCHeck (its pay-as-you-go service) and
Companies House Direct (its subscription service). Once registered, email alerts will be
sent when the documents which have been chosen to be monitored are filed. The user
may then (for a fee) download the image of the document filed.

19 ——, ‘Stop the Fraudsters – opt into PROOF via WebFiling’ (2009) 33 Company Secretary’s Review 56.
20 http://www.companieshouse.gov.uk/freedomInformation/infoReleasedPDFs/discLog62.pdf
21 http://www.companieshouse.gov.uk/about/busRegArchive/businessRegisterStatisticsMarch2010.pdf.


1.8 Conclusion
The Federation of Small Businesses (FSB) still believes that electronic filing is flawed since
Companies House only records that company documents have been received rather than
checking the accuracy of those documents. Moreover, according to the FSB, companies
cannot get fraudulent information removed from their file without a court judgment ‘even
if there is overwhelming evidence that [corporate] identity theft has taken place’.22
The FSB is calling for a central, well-advertised and accessible method of reporting fraud
and e-crime, which they can trust to understand the issue and to take proper follow-up
action. It is also calling for a local police contact to specialise on fraud and e-crime with
small businesses.23
Although corporate identity fraud costs an estimated £50 million annually, only 56% of
respondents had an awareness of its existence. 2% of respondents reported that they had
been victims of corporate identity fraud; of these, the most common consequences were:
- application for corporate credit/debit card and fraudulent spending of money
- fraudulent ordering of goods
- fraudulent acquisition of business in the company name
In addition, victims reported changes of company address and fraudulent bank loans in
the company name. Although none of the victims were put out of business, common
consequences were an adverse affect on the company credit rating, damage to reputation
and loss of customers. Most losses were estimated at between £20,000 and £30,000.
With regard to the Companies House PROOF scheme:
- 14% of SMEs were aware and used PROOF
- 27% of SMEs were unaware of it and still filed all documents on paper
- 12% of SMEs were aware of it, but did not use PROOF
- 24% of SMEs did not know about PROOF but filed documents online anyway
Therefore, only 36% of SMEs filed all documents online, leaving 64% potentially exposed
to the paper filing vulnerability. 92% of SMEs were unaware, or did not know, of the paper
filing vulnerability. This shows a very low level of awareness of the problem and a
consequent high level of risk for around two-thirds of SMEs. However, only 50% of SMEs
considered that their company was not at risk from corporate identity fraud even though a
higher proportion had not subscribed to the PROOF scheme.
It is not just Companies House fraud that puts businesses at risk. Fraudsters may acquire
other information about the business, including employee information or customer
information and supplier accounts. Although changing registration details at Companies
House may facilitate fraud, even without doing so, fraudsters may acquire financial products,
order goods and services on credit. Organisations can be vulnerable to corporate identity
fraud committed internally by employees, externally by individuals or organised criminals
or in collusion.24

22 ——, ‘Companies House must stop corporate hijacking, says FSB’ (Out-Law News 23 June 2005)
http://www.out-law.com/page-5840.
23 A Blake, ‘Firms warned of identity fraud’ Western Mail (17 March 2010).
24 Fraud Advisory Panel, ‘Fraud Facts’ (2008).


3
In addition, fraud can be committed by ex-employees who may be able to gather relevant
information during their employment. Indeed, 56% of employers who were victims of
corporate identity fraud believe that an ex-employee (or an associate) was to blame.
Around half (47%) of SME employees have access to sensitive company data, (such as
bank details and employee information) and many are authorised to remove such data
from the office, including electronically on an unencrypted storage medium (22%), on a
laptop (17%) or in print (22%). However, only 32% of SMEs report that ex-employees
could have had access to company data before they left. This is inconsistent with 47% of
current employees who have access to such data. In any event, the range of information
that could be abused for fraudulent purposes includes company (46%) and employee
(25%) bank account details, employee profile information (57%) and customer account
information (41%).
When it comes to taking steps to protect sensitive electronic data, 13% of SMEs have no
protection measures in place. The most common measures taken by the remainder are
anti-virus software (84%), firewalls (83%) and regular data back-ups (76%). Although 66%
of SMEs use password-protection on sensitive data, only 26% of SMEs encrypt that data.
With regard to paper-based data, 65% of SMEs lock documents in cupboards or filing
cabinets and 22% in unlocked filing cabinets.
Finally, only 37% of SMEs were aware that processing of personal data required
registration with the Information Commissioner’s Office, although 50% claimed to have a
person responsible for data protection. 41% of SMEs have a data handling policy.
It is clear that there is a market in sensitive company information, despite data protection
legislation. According to Merseyside Police, organised criminals pay £5 per document
which provides opportunities for both personal and corporate identity fraud.25
SMEs need to be aware of these shortcomings and the associated risks. They should
check with Companies House to ensure that their registered details are accurate, enrol for
the PROOF scheme and sign up to an alert system which will warn of any changes to
company details. Companies should not rely on Companies House records alone in
determining whether to lend goods or services on credit, as Companies House is merely
a public register and not a credit reference agency.
SMEs should develop policies to secure data and access to data. Sensitive company
documents should be kept in a secure place with limited access to key employees and
securely destroyed before disposal. Similarly, procedures relating to the access and use
data of held electronically should be developed including mobile devices and storage
(smartphones, USB/mobile disk storage), laptops, web access and email.
Corporate identity theft is of concern to businesses many of which are unaware of its
potential risks or consequences. Awareness must be raised and simple steps taken to
minimise risk and to ensure compliance with data protection legislation.

25 Merseyside Police, ‘Business Identity Fraud’ (14 August 2009) http://www.merseyside.police.ul/index.aspx?articleid=1400.


4
1.9 References
——, ‘Police tackle Companies House database scam’
(Out-Law News 11 May 2005) http://www.out-law.com/page-5686
——, ‘Companies House must stop corporate hijacking, says FSB’
(Out-Law News 23 June 2005) http://www.out-law.com/page-5840
——, ‘Why WebFile?’ (2009) 32 Company Secretary’s Review 177
——, ‘Stop the Fraudsters – opt into PROOF via WebFiling’ (2009)
33 Company Secretary’s Review 56
C Auger, Information Sources in Grey Literature
(4th edn Bowker-Saur, London 1998)
A Blake, ‘Firms warned of identity fraud’ Western Mail (17 March 2010).
Business Link, ‘Personal and corporate identity theft’ http://www.businesslink.gov.uk/
bdotg/action/detail?type=RESOURCESitemId=1075422219
D Butcher, Official Publications in Britain (Bingley, London 1991)
Companies House, ‘Urgent fraud warning’
http://www.companieshouse.gov.uk/about/miscellaneous/misc1.shtml
Companies House, ‘Annual Report and Accounts 2008-09’
http://www.companieshouse.gov.uk/about/pdf/annrep2008_9.pdf
Fellowes, ‘Mind your own business: a practical guide to identity fraud prevention for
business’ http://intellishred.fellowes.co.uk/misc/6109%20IDFW%20Guide%20Booklet_
Online%20version_Layout%201.pdf
Fraud Advisory Panel, ‘Fraud Facts’ (2008)
C Hart, Doing a Literature Search (Sage, London 2004)
House of Commons Business and Enterprise Committee. ‘Companies House: Government
Response to the Committee’s Thirteenth Report of Session 2007–08’ HC (2008-09) 206
Merseyside Police, ‘Business Identity Fraud’ (14 August 2009) http://www.merseyside.
police.ul/index.aspx?articleid=1400
R Tyler, ‘Companies House targeted in credit scam’ Telegraph (London 17 April 2007)
http://www.telegraph.co.uk/finance/yourbusiness/2807437/Companies-House-targeted-
in-credit-scam.html


5
1.10 Avoiding Corporate Identity Fraud
Michael Lynch is an identity fraud expert at CPP and offers the following advice to
consumers to help protect them from identity fraud. Michael is responsible for the UK
Identity Protection portfolio at CPP Group Plc (CPP).
Michael has been with CPP for 14 years. His experience in financial services extends to
customer service, new product and market development and affinity relationships.
During his time at CPP, Michael has helped bring to market the UK’s market leading
service, Identity Protection, which now protects over one million UK consumers from the
consequences of this rapidly growing crime. In addition, Michael had used his expertise to
create a commercial identity theft product aimed at protecting businesses of all sizes. He
has also developed a strong understanding of consumer perception and reaction to
identity theft and its consequences. Michael has also been responsible for breaking some
major identity theft stories in the media including the availability of fraudulent documents
online, car cloning, junk mail and postal theft. Committed to forging industry co-operation
to reduce the opportunities for identity theft he is leading the call for consumers to change
their behaviour to counter what is becoming an increasingly sophisticated and intrusive
crime.
Michael is media trained across print and broadcast and is available for media interviews
on the issue of identity fraud.
Top tips
CPP offers the following advice on protecting businesses against corporate identity fraud
Stay on top of your records
Companies House sees 50 to 100 cases of identity theft a month, so stay on top of
documents filed regarding your business. You should also sign up for their PROOF
scheme. Reconcile your bank statements and company credit card statements as well
Ensure your protection is up-to-date
Outdated anti-virus or spyware protection is useless. Use only the very latest protection.
Also, train your staff to recognise and avoid phishing e-mails and let customers know your
security policy so that they can identify phishing emails as well
Keep it secure
Make sure your business’ mobiles and laptops are password protected. All it takes is for
you or an employee to leave a device in a taxi, exposing your business to identity theft
Verify before trading
Don’t accept handwritten orders or faxes, only professional documents. Also confirm the
telephone area code of the business you’re dealing with. It’s not unheard of for a
‘business’ to claim to be a local address, but is actually operating on another continent
Shred it
It sounds obvious, but you’d be surprised how many companies don’t take this most basic
of precautions. If paper documents are no longer needed, destroy them with a cross-cut
shredder or micro shred shredder. Apply the same idea to old uniforms. Dispose of them
so that they can’t be used by fraudsters


6
Track yourself online
One common way of hijacking a business is to set up a doman name suimiliar to that
company’s. Consider registering common misspellings and variations of your business’
name
Mind your old computer hardware
Don’t simply throw these away. Make sure the hard drives are wiped clean first to prevent
identity thieves from finding the information they need to hijack your business
Verify before hiring
This includes any staff you’re thinking of taking on, from top-level executives to cleaners.
Anyone who will have access to your office should have references, qualifications, past
employment – and identity – thoroughly checked
Think before you post
With the explosive popularity of social networking sites, many businesses now have their
own page. This is a lure to identity thieves. Be careful what you reveal about your company
and employees

1.11 For further information please contact:
Nick Jones
Head of Communications
CPP Group Plc
Holgate Park
York
YO26 4GA
Tel 01904 544 387
E-Mail nick.jones@cpp.co.uk
Corporate: www.cppgroupplc.com


7
CPP is an award- 1.1 About CPP
winning organisation:
The CPPGroup Plc
- Finalist in the National
Insurance Fraud Awards, The CPPGroup Plc (CPP) is an international marketing services business offering bespoke
Counter Fraud Initiative of customer management solutions to multi-sector business partners designed to enhance
the Year category, 009 their customer revenue, engagement and loyalty, whilst at the same time reducing cost to
- Finalist in the European deliver improved profitability.
Contact Centre Awards,
Large Team and Advisor of This is underpinned by the delivery of a portfolio of complementary Life Assistance
the Year categories, 009 products, designed to help our mutual customers cope with the anxieties associated with
the challenges and opportunities of everyday life.
- Named in the Sunday
Times 008 Whether our customers have lost their wallets, been a victim of identity fraud or looking for
PricewaterhouseCoopers lifestyle perks, CPP can help remove the hassle from their lives leaving them free to enjoy life.
Profit Track 100 Globally, our Life Assistance products and services are designed to simplify the complexities
- Finalists in the National of everyday living whether these affect personal finances, home, travel, personal data or
Business Awards, 3i Growth future plans. When it really matters, Life Assistance enables people to live life and worry less.
Strategy category, 008
Established in 1980, CPP has 10 million customers and more than 200 business partners
- Finalist in the National across Europe, North America and Asia and employs 1,900 employees who handle
Business Awards, Business millions of sales and service conversations each year.
of the Year category, 007,
009 and Highly In 2009, Group revenue was £292.1 million, an increase of more than 12 per cent over the
Commended in 008 previous year.
- Named in the Sunday Times In March 2010, CPP debuted on the London Stock Exchange (LSE).
006, 007, 008 and 009
HSBC Top Track 50 What We Do:
companies
CPP provides a range of assistance products and services that allow our business partners
- Regional winner of the to forge closer relationships with their customers.
National Training Awards,
007 We have a solution for many eventualities, including:
- Winner of the BITC Health, - Insuring our customers’ mobile phones against loss, theft and damage
Work and Well-Being
Award, 007 - Protecting the payment cards in our customers’ wallets and purses, should
these be lost or stolen
- Highly Commended in the
UK National Customer - Providing assistance and protection if a customer’s keys are lost or stolen
Service Awards, 006
- Providing advice, insurance and assistance to protect customers against the
- Winner of the Tamworth insidious crime of identity fraud
Community Involvement
Award, 006. Finalist in 008
- Assisting customers with their travel needs be it an emergency (for example
lost passport), or basic translation service
- Highly Commended in The
Press Best Link Between - Monitoring the credit status of our customers
Business and Education, - Provision of packaged services to business partners’ customers
005 and 006. Winner
in 007
- Finalist in the National
Business Awards,
For more information on CPP visit:
www.cppgroupplc.com
Innovation category, 005


Appendix A 8


Appendix A 9


Appendix A 30


Corporate Identity Fraud: SMEs Unaware of Risks

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Ähnlich wie Corporate Identity Fraud: SMEs Unaware of Risks

Ähnlich wie Corporate Identity Fraud: SMEs Unaware of Risks (20)

Mehr von CPPGroup Plc

Mehr von CPPGroup Plc (7)

Corporate Identity Fraud: SMEs Unaware of Risks