Identity theft strikes small businesses

Martin & Hillyer LLP, a small law firm in Burlington, Ont., made headlines last year when its identity was stolen and its phone system was hacked.

A fraudster racked up more than $200,000 in long-distance calls to Africa by uncovering the phone system password and making the calls, all under the name of Martin & Hillyer. Bruce Hillyer, partner at the law firm, was unaware of the crime until Bell Canada contacted him after the second instance. "There really is no way of knowing what happened," Mr. Hillyer says of how the hacker accessed his phone system and entered the correct password.

In an undisclosed settlement with Bell, Mr. Hillyer can only say he is satisfied with how much he had to pay the phone company for the crime committed against his. To ward off similar instances, immediately after the incident, the company turned off its phone system after-hours and staff were reminded to safeguard their passwords.

Martin & Hillyer also sent Bell a written statement that it would not be financially liable should similar incidents occur in the future. Mr. Hillyer's company has not been targeted again, but he recently received a call from a police officer in the Hamilton-Wentworth area of Ontario because a similar incident had happened there.

Identity theft among small and medium-sized businesses is increasing across Canada and it has been dubbed the crime of the 21st century in government documents. Similar to identity theft against an individual, it involves a fraudster assuming the identity of a business and often stealing company assets, client lists and credit information or using a firm's identity to secure business or payments. The fraudster could be a third party, an employee, a competitor or even a supplier. The result is not just the financial damage, but often the company's reputation.

Small business owners are more at risk of identity theft than larger ones because they often have fewer resources to devote to internal controls, says Debbie Dresen, a lawyer and partner at Davis LLP, based in Edmonton.

For example, an IT department of a small business might have one employee in charge of the Web, technology and passwords, while at a larger company there would be safeguards put in place to segregate duties to minimize fraud, including identity theft. Ms. Dresen says small businesses are also vulnerable to both corporate and personal identity theft because the owners often use information such as personal credit cards and social insurance numbers in their business dealings.

For fraud attorneys like Mathieu Piché-Messier, a Montreal lawyer and partner at Borden Ladner Gervais LLP, helping clients resolve identity theft is a growing part of his business, particularly in the past two years. If a company's identity is stolen, his firm helps the business mitigate losses, including recovering assets.

Last year, for example, a small business owner client received a phone call pointing out he had not paid the electricity bill for one of his office buildings. The client discovered he never received the bill because the building had been sold without his knowledge. A fraudster had falsified the company minutes, made himself the new CEO and sold the building to an accomplice, walking off with the proceeds of the sale.

Mr. Piché-Messier's firm was able stop the sale because it was contacted immediately. The firm began legal proceedings and called its contacts at the commercial fraud division of the Montreal police.

Another client, this one a seafood company, received an order for $500,000 worth of goods. After completing a credit check, Mr. Piché-Messier's client shipped the order and billed the company. The customer responded that it had never placed nor received the order. Mr. Piché-Messier found that the customer's credit information and a different address had been supplied by a fraudster. By the time his law firm was contacted, the seafood and the fraudster had vanished.

"Once an identity is stolen, if the client takes too much time, it's like starting an overall investigation cold," Mr. Piché-Messier says. "We have to determine if the money is close by or in the Bahamas. When the client's reflex is to call us right away, we can use Anton Piller or a Mareva Injunction, (court orders) that freeze the assets and keep the money in the jurisdiction. And in addition to all possible legal recourses we can also call our contacts at the RCMP or the OPP (Ontario Provincial Police)."

But going to the police may not provide immediate results, says Reid Lester, a lawyer at Laishley Reed LLP, based in Toronto. Compared with the United States, they tend to be understaffed in the area of identity theft in Canada, he explains, and investigations can take a long time, 12 to 18 months, even for cases involving employee dishonesty. Where the fraudster is unknown to the company, as is often the case, Mr. Lester says the likelihood of finding the perpetrator is greatly reduced and some companies don't even bother to report it. Another problem, Mr. Lester says, is that police often assign a greater priority to fraud against individuals than they do on companies that have been victimized.

But federal laws are starting to crack down on identity theft, says Edward Nagel, a forensic accountant with Toronto-based Nagel + Associates. In June, 2009, Bill S-4 was changed to make identity theft a criminal offence, which includes a maximum jail sentence of five years.

Smaller companies often fail to report the crimes because they feel it will adversely affect their business, says Joseph Compeau, lecturer of information systems at the University of Western Ontario's Ivey School of Business, which makes it difficult to track how frequently identity theft occurs.

Research by the RCMP's Phonebusters, the Canadian anti-fraud call centre, shows that in the first 11 months of 2009, there was $10-million worth of reported identity theft, compared with $9.7-million in all of 2008 and $6.7-million in 2007. The figures represent only those individuals and companies that have reported the crimes. Mr. Lester, for instance, deals with a lot of businesses that have fidelity insurance, which protects clients against certain types of fraud losses. In those cases, the victims must come forward to report the loss to the insurer in order to get paid for their claims. But there is no obligation for the insurer or the victim to report the loss to the police.

Mr. Compeau says part of the reason for the rise in identity theft is the volume of e-commerce. Orders are automatically placed and filled without the necessary checks being used to certify it's a veritable order. The ease of using customer and product order numbers with a password has left gaping holes for fraudsters to infiltrate, and false orders can be placed from anywhere in the world. Without a human interface, only the computer system needs to be hacked.

Small businesses should have a security audit done to ensure a third party can't replicate passwords or signing authority and steal company identities. Mr. Compeau also recommends that when automatic order fulling is used, an audit trail is left to show that what was ordered and billed was actually received. "Thieves take advantage of any gaps," Mr. Compeau says. "Small businesses have to realize they are vulnerable. The same way an individual looks at her credit card bill, a business owner has to do the same thing, just on a bigger scale."

To prevent business identity theft, a lot can be solved by simply using common sense. "As a forensic accountant, it is always surprising to see how many offices I visit where employees have files, boxes and confidential information out in the open," says David Malamed, forensic accountant and partner at Toronto's Grant Thornton LLP. "When you are done with a file, put it back in its folder, back in the box and lock it up. If I can see it on your desk, just think who else can see it, who else has access, who else can take it."

Other straightforward advice is to simply limit access to confidential information to those who need it, and have regular training.

"You don't know, what you don't know," he says. "Identity thieves are training (themselves) and getting smarter, you and your business need to as well. Don't become the next victim."

Companies need to ensure that they are only keeping information they need, especially as it pertains to confidential data about customers and themselves, Ms. Dresen says. Not only does this mean there is less information for fraudsters to steal, it also reduces the liability of business owners. In Alberta, Bill 54 came into effect last October and requires small business owners to report a privacy breach that could reasonably result in a real risk of significant harm to an individual.

Special to the Globe and Mail