Be warned: Identity theft is laughably easy


Covid-19 was a boon to perpetrators of commercial identity theft around the world. The Global Consumer Pulse Study reports that 37% of South African consumers have recently been targets of Covid-19 related digital fraud. TransUnion reports that the percentage of suspected fraudulent digital transaction attempts against businesses that originate from South Africa increased by 44% from March 2019 to March 2021.

Worryingly, a FICO Consumer Fraud Survey 2021: South Africa found that only 8% of respondents said the type of fraud they were most concerned about was a fraudster tricking them into sending a payment, even though this kind of scam is growing fast and is a major focus for banks.

This type of identity theft refers to someone stealing your personal information typically for their financial gain. It can have devastating consequences personally — including a lengthy process to recover control of your finances. But the consequences can be far more serious in the case of commercial identity theft, says Frank Knight, CEO of Debtsource – a specialist B2B credit management business.

“Commercial identity theft involves stealing a company’s credentials. It’s easy to do because businesses are continuously publishing all their information and branding out into the public domain for marketing purposes.”

Technology has made it relatively simple for anyone to appropriate the details of directors and the company branding. As a result, one company approaching another to open a credit account can appear completely legitimate when in fact you’re really dealing with a faceless criminal who’s simply created a fake company profile.

This can involve a bogus invoice or bank statement, or supplying counterfeit documents in order to be offered a customer credit facility. All these, to the untrained eye, pass every test of legitimacy.

Knight points out that in addition to its more positive attributes, “digitalisation has dramatically sped up everything to a point where a business loses its filter under a bombardment of data – a situation worsened by hybrid working”. This has broken down the internal controls that companies and individuals alike had prior to Covid-19.

Such breakdowns in controls stimulate temptation, explains Knight: “A computer-savvy individual with inside knowledge can easily develop a plan to commit fraud – and in the presence of weak controls can likely get away with it. This is facilitated by two things: technology; and internal controls in businesses not at a level they should be to cope with new forms of threats – whether that business is a large corporate, a privately-owned business or an SME.”

Consequently, management should overtly perform checks, balances and reviews at every level of the organisation. “Staff need to be certain their work will be doublechecked and any fraud unearthed sooner rather than later. To institute close controls, a tone of zero tolerance to unethical activities has to be instilled from the top to the bottom of the company. Owners or executives have to lead by example.”

Nor should the concept of ‘unethical behaviour’ be limited to actual crimes like stealing, “but it must include any inappropriate behaviour between employees, and any behaviour outside the workplace on social media that is out of sync with the ethos of the company”. A business becomes tainted by their employees’ personal behaviour.

Pre-Covid, most companies had strong controls over their office-bound personnel, requiring paper-based or online forms before authorising anything. Though employees never enjoyed it, it was there for a reason. Knight explains that the suddenness of the 27 March 2020 lockdown permitted no time for companies to adapt their controls before staff all went off home. As best they could, companies had to re-engineer their procedures and processes to accommodate a remote working environment just to survive, and with that came new risks. Suddenly employees were able to override controls “because they’re not in the office” when for example loading payments.

Knight lists some actions one can take to avoid either having one’s corporate identity stolen or dealing with a company whose identity has been appropriated.

The first and easiest is to simply apply some common sense. Knight gives an actual case of a large state-owned enterprise that placed a R10 million order wherein the procurement individual wanted to meet at a random coffee shop to discuss the deal. “In that case you should probably be circumspect – at a minimum there ought to be an official tender process.”

He suggests that a credit application form should not be looked at by a salesperson “with only a sales perspective”. Rather, credit application policies should include vetting the application carefully from a fraud perspective, double checking where it came from, where are their premises, and verify details through a Google search. It’s easy to complete an application with a false phone number that an accomplice answers for references. If there’s an email – check whether the return address is something utterly unrecognisable.

“Furthermore, credit policies must include a prohibition on permitting the goods to be collected but rather delivered to their premises and not some empty shop – which is also something that happens regularly, or the delivery address could even be an open field that an ordinary driver wouldn’t think twice about unloading into. It takes a group effort on everyone’s part to guard against fraud,” he says.

In addition, credit policy should include regularly talking to individual customers. “If something seems unusual, phone up the number on their website and ask if they actually applied for credit facilities,” he suggests.

“While simple common sense should be sufficient in the case of an SME with only a few credit accounts, there are also sophisticated tools we use for larger companies that have more reason to be concerned about fraud. We apply a multi-solution approach – including recoveries aspect and credit insurance – as a one-stop solution covering the entire credit cycle,” says Knight.

He urges that even if a company doesn’t have a concern regarding identity theft or bad debts, any company that extends credit in one form or another – or just has customers – should use such a service to know who their customers are under KYC regulations.

“It is not just a matter of fraud, but there are international anti-terrorism and money laundering issues. It is reported that South Africa is on the verge of being placed on the international anti money laundering greylist, and any company can be sanctioned from a compliance perspective.”

It is not sufficient that governance systems be in place at a company. “That isn’t enough to deter fraud – it must be strong governance that is rigorously enforced and that it be seen by staff to be rigorously enforced from the top,” he concludes.

 

Staff writer