Bruce Dorris, J.D., CFE, CPA, CVA
Vice President and Program Director, Association of Certified Fraud Examiners
Consumers are often warned to keep close tabs on their personally identifiable information (PII), like social security numbers and dates of birth, but identity thieves can often steal more information by targeting employers instead of individuals. Here’s a look at some common ways fraudsters steal identities and how businesses can protect their employees’ information.
1. Business email compromise
- What it is: In a business email compromise scheme, a fraudster sends an email that appears to come from a high-level executive (e.g., CEO, CFO, president) to trick an employee into sending money or information to the fraudster. In a newer variant that first emerged in 2016, fraudsters use cloned emails to contact a company’s human resources department and ask for employees’ payroll data, W-2s, or other PII. This information is then used to commit identity theft.
- How to prevent it: To prevent these scams, businesses should educate their employees about business email compromise scams. In addition, they should implement a two-step verification procedure for certain transactions. For example, an employee who receives an email request for sensitive information should be required to verify the request with a telephone call before responding. Finally, businesses should be careful about posting employee information on company websites or social media. Fraudsters can use information such as job duties and descriptions, organizational charts, and travel schedules to impersonate employees or trick others into providing sensitive information.
2. Dumpster diving
- What it is: Although it may seem archaic in such a technologically advanced society, fraudsters can still find a treasure trove of PII by going through the physical trash of businesses. Organizations have a wealth of sensitive information about their employees.
- How to prevent it: The best way to guard against would-be identity thieves who dumpster dive is to implement a strict shredding policy in your company that outlines what types of documents should be shredded and how the shredded documents are disposed of. In addition, social security numbers should never be used as employee identification numbers, and companies should limit the PII that is printed on paychecks, time sheets, security badges, parking permits and similar items.
3. Discarded devices
- What it is: Companies often replace their computers, copiers, printers, and other devices with newer, more efficient equipment. What some organizations do not know, however, is that like computers, some copiers and printers have internal hard drives that store data. If fraudsters find discarded equipment in the trash or purchase second-hand office equipment, they may be able to extract employees’ PII.
- How to prevent it: To avoid this risk, companies should institute a procedure for wiping the hard drives of all used equipment before reselling it or disposing of it.