A pile of invoices is rarely an attractive sight but they are particularly unwelcome when the goods have not been ordered in the first place. In 2002, Yoko Warburton, the finance manager at Nichirin, a Manchester car parts business, had an unwelcome surprise when she started receiving bills for millions of pounds-worth of computer equipment.

Her company’s identity had been hijacked in a scam which involved the filing of fraudulent documents with Companies House. “We discovered that our bona fide directors had all been struck off by someone else filling in falsified forms,” says Warburton, whose business also had its registered address changed. With the new details in place the criminals had run up huge debts. It was that simple. There was no high-tech breach of a computer system or complicated fraud involving well-protected personal and corporate information.

According to Royal & Sun Alliance corporate identity theft cost British business £50 million in 2005 and that figure is expected to rise to £700 million by 2020. The insurer commissioned a report by the Centre for Economic and Business Research (CEBR) which found that this was one of the fastest-growing risks businesses faced. Companies in the communications, banking, finance and insurance the sectors are most likely to be affected. “Those willing to hack, scam and defraud will find new and technically advanced methods to open up the necessary loopholes and steal a firm’s identity,” says Simon Wallace of the CEBR.

Companies are clearly vulnerable to attack through weak IT systems, but this is not the only way, as Warburton (and others, including Allsports founder David Hughes) have found. “It’s the paper and ink brigade that needs sorting out,” says Garry MacLaren, a Manchester-based marketing consultant. “Online fraud is a worry but if online procedures are carried out properly they should be tighter than just sending a form through the post.”

MacLaren’s business Venta was hit in the same way as Nichirin – and for the same purpose. Both companies became unwittingly caught up in VAT fraud. Venta and Nichirin’s identities were principally stolen for their VAT numbers. This would allow the fraudsters to buy and sell goods and pocket the VAT without being traced. Overall, fraud rose to record levels in 2006, according to latest figures from the accountants BDO Stoy Hayward. They said a significant cause of the increase was the high rise in value of VAT frauds. Nine cases prosecuted in 2006 cost the UK £372 million.

Nichirin did not lose money and it was not pursued for the invoices – the fraudsters had actually settled the bills. But the scam could have brought the company’s activities to a grinding halt. “We import components for automotive parts and didn’t want customs to stop our genuine shipments,” says Warburton. “That was what I was most worried about – production and customer deliveries being delayed.” Warburton says she was astonished that Companies House was open to such a simple fraud.

“They said they were very sorry but their resources were limited and because they receive thousands of documents a day, they couldn’t verify everything.” Filing false documents on the companies register is an offence under the Perjury Act (1911), but all it took in the case of Nichirin and Venta was a couple of false signatures. Companies House has taken steps to tighten up its system. In 1996, it introduced a monitoring service which alerts a company each time a document is filed on its record. But this is an additional service and one of which MacLaren was unaware.

There has also been a greater emphasis on internet filing. Companies House’s chief executive Claire Clancy says that its system is already tight with just 0.01 per cent of monthly filings being the subject of a fraud. But this represents 50 businesses each month, and for each of these, she acknowledges, fraud could have a “devastating effect”. So, they’ve turned to technology. Companies House encourages electronic filing using authentication codes and the use of its PROOF service (which stands for protected online filing), whereby only online submissions are accepted. It also urges firms to sign up to the monitoring service. These measures should make it harder for firms to be hijacked. But what of the damage caused by those working within a company?

There is growing evidence of a new threat to business – pod slurping. The popularity of iPods, memory sticks and mp3 players means many employees and contractors take an increasingly powerful portable hard drive to work. These can be used to “slurp” information from a system – downloading databases, customer records and other huge amounts of information. “Desktop security has been largely overlooked,” says Paul Vlissidis, technical director at the Manchester-based IT services business NCC Group.

“You might already have some software on the iPod to use to attack the network and then it provides the medium for taking data out of the building.” The most on-the-ball employers, particularly call centres, keep the firewire and usb ports out of reach by locking computers away. MP3 players are also banned. “But it’s expensive and unrealistic to expect every company to take that approach,” says Vlissidis. “However, in most cases the culture is different. I’m not advocating a more fascistic working environment, but if you do allow staff to listen to music in this way then the risk to you is going to be higher.”

Malicious intent, monetary gain and curiosity are generally the most common motives for this kind of activity. In the cases Vlissidis has encountered, disgruntled employees, or former employees, have been the perpetrators. But with larger numbers of temporary staff it’s easy for an outsider to gain access for a day, take the information and never be seen again. In California, the loss of customer information has a direct financial cost because companies have to inform everyone that has been affected. The absence of such legislation in the UK means there is usually no direct cost, but there are potentially more damaging long-term implications in terms of a tarnished reputation.

Although it sounds easy, pod slurping still requires nerve and guile. Corporate reputations remain most at risk from a rather less subtle form of corporate ID theft – a mock website to lure in unwitting customers. All this requires is a screen shot of the real thing and a few clickable icons. “It’s laughably easy,” says Vlissidis, “and it’s terrifyingly straightforward.”

HOW TO AVOID AN IDENTITY CRISIS
- Check your company details are correct at Companies House.
- Make use of Companies House monitoring and online filing services.
- Check prospective employees’ CVs and use recruitmentsecurity checks.
- Own all permutations of your company name so that fraudsters cannot set up a rogue website or contact your customers from an e-mail address that looks legitimate.
- Dispose of company stationery, including letterheads and bank details, in a secure way.
- Check the identity of customers if giving out goods and services on credit.
- Check your firm’s credit rating with a credit rating agency regularly so irregularities that could signal fraud can be identified quickly.
- Inform staff about the risks of corporate identity fraud and caution them about the potential dangers of giving out company information.
- Make sure that firewall and anti-virus software is up-todate to reduce the risk of computer hijacking and online fraud.

---