Although the theft of personal information -- such as Social Security numbers, dates of birth and credit card numbers -- has been a big problem for individuals for a number of years, the equivalent for businesses has become a multibillion-dollar headache.
"The thieves have discovered that businesses have fewer legal protections," said Michael Barnett of the Identity Theft Protection Association, which provides information about identity theft to consumers, businesses, law enforcement and others.
A study released earlier this year by Javelin Strategy and Research found that although identity fraud among small businesses has decreased since 2008, businesses were still hit at a rate of 4.1 percent in 2010, compared with 3.5 percent of consumers.
The mean amount of the fraud for small business was $4,851, with the mean out-of-pocket cost for the victim at $1,574, about twice that of a consumer. Banks, credit card companies and insurers ended up eating most of the business losses.
In contrast to individuals, businesses have larger amounts of money to steal and bigger lines of credit. Because of their relative size, large orders of goods often aren't noticed.
For example, thieves rented an office in the same building as a California law firm. They then used that address (with a different suite number) to have $70,000 worth of computers and office furniture delivered using the law firm's line of credit. They loaded the furniture into a truck and disappeared.
Invisus, a company based in Utah, has launched an identity-theft prevention program to help businesses keep crucial information out of the hands of thieves. The 10-year-old cyber fraud and risk management company serves businesses with fewer than 200 employees.
Cybercrime and identity theft is a far more likely loss for businesses than fires or floods, said Jami Harrison, the Invisus CEO.
The effect is not just on the business but on owners who use their personal information to obtain lines of credit for their businesses, he said.
Invisus offers a package of services for about $25 per month. As part of the service, the company monitors black markets for stolen identities and schools owners in prevention tactics. Should an identity be stolen, Invisus walks the business through the process of recovery, said Harrison.
Financial institutions should realize that they benefit by helping small businesses prevent fraud, said Philip J. Blank, Javelin's managing director. Not only do banks, credit unions and credit card companies lose money to fraud when their clients are victims, but when it occurs, around 20 percent of small businesses switch banking and credit card accounts. Some victims -- about 32 percent in the Javelin survey -- refuse to bank online and revert to writing checks, driving up costs.
Blank recommends banks and credit unions provide small businesses with free or incentive-based antivirus, anti-spyware or firewall software and other protections.
Another scheme that targets small businesses involves thieves using information from business registrations with state governments, or even altering that information, something that typically can be done for as little as a $5 fee. With that information, scammers have been able to open lines of credit in order to buy goods that can be easily resold for cash.
In Colorado, scam artists from California revived the registration of a defunct company using the name of the former owner as an officer. They then took out lines of credit, ordered goods and then disappeared with what they bought on the business' dime.
Large computer companies and big-box stores are typical targets for purchases of goods with stolen credit, said Ralph Gagliardi, agent-in-charge of the identity theft and mortgage fraud units of the Colorado Bureau of Investigation. The thieves access "credit cards or lines of credit, or, if it is a cellphone company, they would buy up phones on credit."
As authorities have caught on and started altering procedures, including requiring passwords for business registration changes, thieves have continued to modify their tactics, said Gagliardi.
In Utah, the state Division of Corporations has long had a password system that controls who can make changes in business registrations. Division spokeswoman Jennifer Bolton said she is not aware of any reports of thefts related to registrations.