STEALING a company's credentials is easy to do because businesses are continuously publishing all their information and branding in the public domain for marketing purposes, according to Debtsource, a specialist B2B credit management business.
According to Debtsource, a specialist B2B credit management business, CEO Frank Knight, this type of commercial identity theft refers to someone stealing someone else’s personal information, typically for their financial gain.
He said this already has devastating consequences at a personal level which included a lengthy process to recover control of one’s finances.
However, the consequences could be far more serious in the case of commercial identity theft.
“Technology has made it relatively simple for anyone to appropriate the details of directors and the company branding. As a result, one company approaching another to open a credit account can appear completely legitimate when, in fact, you’re really dealing with a faceless criminal who’s simply created a fake company profile,” Knight said.
The CEO said this could involve a bogus invoice or bank statement or supplying counterfeit documents in order to be offered a customer credit facility. He said all these, to the untrained eye, passed every test of legitimacy.
Knight pointed out that in addition to its more positive attributes, “digitalisation has dramatically sped up everything to a point where a business loses its filter under a bombardment of data – a situation worsened by hybrid working”.
He said this has broken down the internal controls that companies and individuals had prior to Covid-19.
Knight explained that such breakdowns in controls stimulated temptation. “A computer-savvy individual with inside knowledge can easily develop a plan to commit fraud– and in the presence of weak controls, can likely get away with it. This is facilitated by two things: technology; and internal controls in businesses not at a level they should be to cope with new forms of threats – whether that business is a large corporate, a privately-owned or small business.”
Consequently, he said management should overtly perform checks, balances and reviews at every level of the organisation. “Staff need to be certain their work will be double checked and any fraud unearthed sooner rather than later. To institute close controls, a tone of zero tolerance to unethical activities has to be instilled from the top to the bottom of the company. Owners or executives have to lead by example.”
Pre-Covid, most companies had strong controls over their office-bound personnel, requiring paper-based or online forms before authorising anything. Though employees never enjoyed it, it was there for a reason. Knight explains that the suddenness of the 27 March 2020 lockdown permitted no time for companies to adapt their controls before staff all went off home.
As best they could, he said companies had to re-engineer their procedures and processes to accommodate a remote working environment just to survive, and with that came new risks. Suddenly employees were able to override controls “because they’re not in the office” when, for example, loading payments.
He said that to deal with such a nefarious act, the first and easiest was to simply apply some common sense.
He suggested that a credit application form should not be looked at by a salesperson “with only a sales perspective”. Rather, he said credit application policies should include vetting the application carefully from a fraud perspective, double checking where it came from, where were their premises and verify details through a Google search.
Knight said that while simple common sense should be sufficient in the case of an SME with only a few credit accounts, there were also sophisticated tools used for larger companies that have more reason to be concerned about fraud. “We apply a multi-solution approach - including recoveries aspect and credit insurance - as a one-stop solution covering the entire credit cycle.”.
He urged that even if a company did not have a concern regarding identity theft or bad debts, any company that extended credit in one form or another - or just has customers - should use such a service to know who their customers were under KYC regulations.
“It is not just a matter of fraud, but there are international anti-terrorism and money laundering issues. It is reported that South Africa is on the verge of being placed on the international anti-money laundering greylist, and any company can be sanctioned from a compliance perspective.”
Debtsource said it was not sufficient that governance systems be in place at a company. “That isn’t enough to deter fraud–it must be strong governance that is rigorously enforced and that it be seen by staff to be rigorously enforced from the top,” Knight said.
Wessel Matthee, Information Security and Compliance Manager at digital financial transactions company Entersekt, said the World Economic Forum (WEF) and Accenture Global Cybersecurity Outlook study for 2022 was clear that focussing on cyber security (having the tech in place to fend off attacks), was no longer enough. “Rather, the report advises businesses to focus on cyber resilience–a term which entails having the tech, security experts, company culture and leadership commitment to successfully deal with attacks.”
However, Matthee said the WEF report noted that not only were cyber security resourcing efforts proving insufficient against increasingly sophisticated attacks but there seemed to be a disconnect between how business leaders and security leaders respectively perceive their organisations’ threat-readiness. “It shows that “while 92% of business executives surveyed agree that cyber resilience is integrated into enterprise risk-management strategies, only 55% of security-focused leaders surveyed agree with the statement.”
BUSINESS REPORT