Cyber crime

Are You Liable for Identity Theft? What You Should Know

photo of niek dekker
Niek Dekker
5 Min

Over the years fraudsters were mainly targeting individuals with identity theft. However, fraudsters are enhancing their methods and widening their range by now stealing business identities.

Business identity theft also referred to as commercial or corporate identity theft, has grown increasingly popular with criminals as they look to explore vulnerabilities associated with business practices.

If you have fallen victim to this cyber crime, then you might be liable.

As we explore the question “are you liable for identity theft?“, we uncover how to know if your identity has been stolen, what the determining factors are and if you are liable.

How Do You Know If Your Identity Has Been Stolen?

Over subsequent days, if your business’s identity has been compromised, then your accounts payable department will likely be the first to notice suspicious activity. However, as a CFO you can look out for these common warning signs:

Unusual Bank Activities or Transactions

According to the National CyberSecurity Society report, “criminals are changing business records to their advantage”. Typically small to medium-sized businesses fall victim to identity fraud. Once criminals gain access to your bank account details or credit card information, they attempt to commit financial fraud such as the following:

  • Transferring funds from the business account to a fraudulent account
  • Committing fraudulent Uniform Commercial Code (UCC) filings. Impacting a business entity’s credit rating
  • Updating or altering financial information to make online applications
  • Making new lines of credit, loans or credit cards in the business’s name which can negatively affect your credit history
  • Unrecognising withdrawals or purchases that the business or AP staff have not made

Ultimately, you may receive a call from creditors, debt collectors, and solicitors or receive a security alert from your bank about suspicious transactions.

Locked Accounts or Manipulated Permissions

Once cyber criminals obtain access to work, financial or ERP accounts, the first thing they’ll do is change credential logins such as passwords or remove any form of authentication in order to lock you out.

If you have email notifications switched on for when a password is updated, and you are unaware of any changes, then your accounts and ERP systems may have been compromised.

By accessing sensitive information, they may change information about your business such as registered owners, addresses, emails and revenue. Keep note that sophisticated criminals can access other accounts or networks quicker if the same password was used more than once for various accounts.

Website Defacement

Website defacement can be defined as an attack in which malicious perpetrators penetrate your business website and replace content on the site with their messages. They may also replace or delete contact information, content, web pages, logos and more.

If you identify unexpected changes on your website or missing files, this might signal that your website security has been compromised resulting in a defacement attack. An example of a website defacement attack is the message displayed below during a defacement of a UK National Health Services website in 2018.


Source: BBC

Identity theft doesn’t stop at financial fraud. Motivations of the attacks can vary and result in severe organisational consequences.

Unusual Tax Activities

According to Norton, tax-related identity theft occurs when cyber criminals use your business or personal information, including your tax file number, to file a tax return in your business name.

Many organisations publish their corporate documents on the web. Identity thieves can use this information to file fraudulent tax returns to claim a refund or may register a new business name or logo as an official trademark under your business’s identity.

In instances where you identify any of the warning signs or if a hacker has deceived your accounts department into exposing sensitive files, then you should respond immediately.

Are You Liable for Identity Theft?

Typically cyber criminals who attempt a data breach targeting an enterprise, are unlikely to be the same perpetrators who commit identity fraud.

Most of the time, stolen data is sold exclusively on the dark web.

By accessing a business entity’s information, they may also infiltrate your business’s network accessing employee or customer information such as tax file numbers, bank details, super fund details, personal addresses and more.

In this case, cyber criminals may use stolen IDs to carry out other fraudulent activities. For example, they may use the ID to acquire a new SIM card with the same phone number belonging to the person whose identity documents were stolen.

This results in criminals using that SIM card to contact accounts payable departments to approve payment transactions. This exposes the vulnerability of call-back controls. Cyber criminals can then impersonate suppliers or legitimate individuals to attempt identity fraud.

Essentially, making the business liable for identity theft.

Even with strong internal controls & call-back procedures, you can still fall victim to identity theft and become liable for the damages that occur in the aftermath.

How Eftsure Can Help

Business identity theft is a severe consequence for all organisations. In Australia, a court may determine that your organisation had inadequate measures in place to mitigate the risk of identity cyber crime making you liable.

To reduce the likelihood that a court will find your organisation negligent, you need to be able to demonstrate that you have taken reasonable steps to avoid a business identity theft attack.

You can minimise your exposure to lawsuits by strengthening security controls, implementing prevention methods & creating a fraud awareness culture.

In addition, by adding a solution like Eftsure, we can help you limit the risks of identity theft by cross-referencing payments providing you real-time alerts of any suspicious activity, and allowing your accounts payable team to investigate before processing payments.

Contact Eftsure today, for a full demonstration of how we can protect your business from identity theft.

BEC Incident Response Guide for Finance Teams
Learn how to respond to a Business Email Compromise attack by following the necessary steps.

Download the Business Email Compromise (BEC) Incident Response Guide today to strengthen the odds of recovering your funds following a BEC attack.

Related articles

The new security standard for business payments

End-to-end B2B payment protection software to mitigate the risk of payment error, fraud and cyber-crime.