corporate id fraud 2010

Corporate Identity FraudA CPP white paper

May 2010

�

Corporate Identity Fraud May 2010

Contents

1.1 Foreword

1.� Industry Facts

1.3 Research methodology

1.4 SME Key Findings

Only 56% of SMEs were aware of company identity fraud

46% think corporate identity fraud is on the increase with only 4% thinking it is not on the rise

Over a fifth (22%) of SMEs consider that their company is at risk from corporate identity fraud

Fraudulent applications for corporate credit cards and spending are the most common consequences

Only 14% of SMEs have heard and use Companies House PROOF scheme

87% of SMEs were not aware of Company House loopholes

Limited awareness of Principle One of the Data Protection Act 1998

Half of SMEs do not have anyone responsible for Data Protection or do not know if they have anyone responsible for Data Protection

1.5 Documentary Key Findings

Company hijacking occurs with the submission of false documents to Companies House using:

Change of registered address (form AD01)

Change of directors/secretary (form CH01 to CH04)

Companies House does not verify information filed on signed forms and accepts them in good faith

Only 3% of companies in England and Wales and less than 0.4% in Scotland file corporate documents via PROOF

Companies should not rely on Companies House records alone in determining whether to lend goods or services on credit, as Companies House is a public register and not a credit reference agency

-

-

-

-

-

-

-

-

-

-

-

-

-

-

3


1.6 Case Studies

1.7 Minimising the risk

1.8 Conclusion

1.9 References

1.10 Avoiding Corporate Identity Fraud

1.11 Further Information

1.1� About CPP

Contents

4


The theft of entire

corporate identities costs businesses an estimated £50 million a year

1.1 Foreword

This study surveyed 507 small and medium-sized companies within the UK to investigate awareness of and responses to corporate identity fraud; that is, the impersonation of another organisation for financial or commercial gain.1

According to Business Link and the Metropolitan Police, the theft of entire corporate identities (‘company hijacking’) costs businesses an estimated £50 million a year. Many of these frauds are facilitated by changing key company information on the register of companies administered by Companies House. This can be done by paper forms as well as electronically.

Companies House says it receives half a million paper documents a month and over 50 of those are fraudulent. However Companies House does not check details of paper documents for validity and accepts paper submissions in good faith. It does not automatically notify directors or company secretaries that paper forms have been filed for their company.

Although electronic measures are being put into place to minimise the risk of corporate identity fraud, these themselves are also potentially susceptible to fraud.

1 Fraud Advisory Panel, ‘Fraud Facts’ (2008); Fellowes, ‘Mind your own business: a practical guide to identity fraud prevention for business’ (2009).

Introduction

5


1.� Industry Facts

To date there are very few industry statistics reporting on the issue of corporate identity fraud – this is one of the reasons CPP decided to investigate the matter to determine the scale of the fraud and whether SMEs were properly safeguarded against fraudsters. This study complements a previous report titled ‘Company Identity Theft: How safe are UK Businesses?’ issued in 2006 by CPP that reported high levels of concern, but mixed understanding of what it is and what it can lead to.

Of the limited information in the marketplace, Business Link and the Metropolitan Police estimate the theft of entire corporate identities costs businesses an estimated £50 million a year.

1.3 Research Methodology

The research undertaken in this study was in two distinct parts.

Survey of small/medium enterprises (SMEs)

The field research involved an online survey conducted by research company Research Now among 507 SMEs across the UK between 25 February and 3 March 2010. The questions concerned awareness of corporate identity fraud, profiles of victims of corporate identity fraud and the levels of data protection that SMEs currently put in place to protect against corporate identity fraud.

Documentary research

The documentary research conducted by Invenio Research Limited was concerned with the selection of available literature on corporate identity fraud.2 The bibliographic framework explored comprised books, journal articles, ‘grey’ literature (such as conference proceedings and newspapers),3 official publications4 and statistics.

The findings of this research are based on a non-random sample of convenience and whilst they give insight into fraudulent behaviour and victim impact, they do not necessarily give rise to findings that may be generalised to a wider population.

2 C Hart, Doing a Literature Search (Sage, London 2004).3 C Auger, Information Sources in Grey Literature (4th edn Bowker-Saur, London 1998).4 D Butcher, Official Publications in Britain (Bingley, London 1991).

6


46% think corporate

identity fraud is on the increase

1.4 SME Key Findings

Only 56% of SMEs were aware of company identity fraud

When we broke this down by sectors, Legal Services were the most aware at 75%, followed by Financial Services (70%), IT and Communications and Transport and Distribution (69%). The sectors least aware were Health and Social Care Services with just over a third aware.

Regionally businesses in Newcastle were least aware (38%) verses 71% in Liverpool.

46% think corporate identity fraud is on the increase

Despite low media awareness nearly half think corporate identity fraud is on the increase. This was highest across the Transport and Distribution (69%) and Financial Services (67%) sectors. Construction (29%) and Personal Services i.e. hairdressing (33%) were the least likely to think corporate identity fraud is on the increase.

Aligned with general awareness, businesses in Liverpool (71%) were most likely to think this fraud is on the increase, verses only 21% in Newcastle.

Over a fifth (��%) of SMEs considered that their company is at risk from corporate identity fraud

Despite just under half thinking that corporate identity fraud is on the increase, one in five businesses think they could be at risk. Over half the businesses in the IT and Telecommunications sector and 38% of Transport and Distribution organisations consider themselves at risk.

Businesses in Liverpool (33%), Newcastle (29%) and Manchester (28%) considered themselves at most risk of fraud.

Of the 507 SME businesses questioned, only 2% reported they had been a victim of corporate identity fraud. Of these victims, the IT and Telecommunications (7%) and Retail (8%) sectors had the highest incidence of victims. This figure is likely to grow rapidly as fraudsters understand that corporate identity fraud is more lucrative and potentially easier to commit than fraud against the individual. With 2,433,549 companies in England and Wales and 147,577 in Scotland, this equates to over 51,000 corporate victims verses more than 100,000 individual victims of identity fraud every year in the UK.

50% of those SMEs questioned considered that their company was not at risk from corporate identity fraud.

Fraudulent applications for corporate credit cards and spending are the most common consequences

Of those businesses affected, the most common consequences were the application of a corporate credit/debit card and the fraudulent spending of money (44%), the fraudulent ordering of goods (33%) and the fraudulent acquisition of business in the company name (33%).

Most losses reported by SMEs were between £20,000 and £30,000 reflecting the considerable lines of credit that fraudsters can draw on from existing creditors or suppliers.

7


When questioned about the affect the fraud had on their organisation the three most common affects were the adverse affect on the businesses credit rating, damage to company reputation and loss of customers.

56% of SMEs believe the fraudster was an ex-employee (or associate). The most common form of data they could have accessed was Employee Profile information (57%), Company Bank Account details (46%) and Company Financial Statements (42%).

Only 14% of SMEs have heard and use Companies House PROOF scheme of electronic filing

One of the ways that corporate identity fraud happens is via company hijacking. Company hijacking occurs with the submission of false documents to Companies House and normally involves changing the details of a company’s registered office address or the details of its directors or company secretary. The amendments to the company records can be done via the simple submission of a paper form. Previously known as ‘Form 287 scam’, this has become the standard accepted form of corporate identity fraud. Although not perfect PROOF offers some protection from these activities that can lead to fraud.

A further 12% have heard of PROOF, but still choose to file corporate documents on paper. Almost three in ten companies (27%) haven’t heard of PROOF and subsequently default to paper filing. A further 22% haven’t heard of PROOF but file their document online.

Sectors that have heard of PROOF but ignore the security benefits include Accommodation (32%) and Legal Services (25%). IT and Telecommunications (38%), Property e.g. estate agents and lettings, Financial Services and IT and Telecommunications are the most likely to have heard of PROOF and use its services.

Regionally, businesses in Edinburgh (25%), Norwich (21%) and Manchester (21%) are most likely to have heard of PROOF but choose to file corporate documents on paper.

87% of SMEs were not aware of Company House loopholes

Nearly nine out of ten companies were not aware of Company House loopholes that allow somebody to register as a new director or to change company address details without first notifying the company directors or company secretary.

These loopholes will be discussed in more detail in second half of this report.

There were only three sectors that seemed to have some awareness, albeit low, of these loopholes including Legal Services, Catering and Accommodation and Wholesale.

Businesses in Bristol (19%) and Manchester (18%) claimed to be the most aware.

Limited awareness of Principle One of the Data Protection Act 1998

Only 37% of SMEs are aware that processing of personal data required registration with the Information Commissioner’s Office.

Sectors least aware of Principle One included Construction (83%), Mining, forestry and fishing (75%) and Health and Social Care Services (73%).

Businesses least aware were located in Edinburgh (85%), Cardiff (75%) and Leeds (71%).

The requirement to process personal data fairly and lawfully is set out in the first data protection principle and is one of eight such principles at the heart of data protection

8


Only half of SMEs have someone

responsible for data protection

Principle One of the Data Protection Act means that organisations must have legitimate grounds for collecting and using personal data, must not use the data that would have unjustified adverse affect on the individual, be transparent about how they use the data and give the individual appropriate privacy notices when collecting their personal data. In addition organisations must handle people’s personal data only in ways they would reasonably expect and make sure they do not do anything unlawful with the data.

More information on the Data Protection act can be found on the Information Commissioner’s Office website at http://www.ico.gov.uk

Only half of SMEs have someone responsible for data protection

The other half said no (26%) or didn’t know (23%). This may help explain some of the shortfalls reported in the protection of personal and sensitive information in this report

47% have employees who can access sensitive data

13% have no measures to protect sensitive electronic data

24% leave sensitive information in unlocked filing cabinets

61% don’t encrypt sensitive data

21% do not have password protection on sensitive documents

84% do have anti-virus software installed on PCs

83% do have firewalls installed

76% regularly back up data

61% do not have staff training on data handling

75% have nor run any training for HR or Finance on data handling

67% do not have a data handling policy

1.5 Documentary Key Findings

Corporate identity fraud has been described as the impersonation of another organisation for financial or commercial gain;5 or occurring when a false corporate identity or another company’s identity details are used to support unlawful activity.6

Various different fraudulent activities are covered under this umbrella term. Of these, the primary activity under consideration within this study is commonly referred to as ‘company hijacking’.

How company hijacking occurs

Company hijacking occurs with the submission of false documents to Companies House and normally involves changing the details of a company’s registered office address of the details of its directors or company secretary.

5 Fraud Advisory Panel, ‘Fraud Facts’ (2008); Fellowes, ‘Mind your own business: a practical guide to identity fraud prevention for business’ (2009).

6 Home Office Identity Fraud Steering Committee.

-

-

-

-

-

-

-

-

-

-

-

http://www.ico.gov.uk

9


The amendments to the company records can be done via the simple submission of a paper form.

Change of registered address (Form AD01)

Form AD01 (see Appendix A) is used by UK companies wishing to change the location of their registered office address and was introduced on 1 October 2009 following the Companies Act 2006 coming into force.7 It replaced the Form 287 document which was used previously.

Change of director/secretary (Forms CH01 to CH04)

Forms CH01 to CH04 (see Appendix A for CH01 and CH03) are used to change the details of directors and secretaries as follows:

Change of director’s details (CH01; formerly 288c)8

Change of corporate director’s details (CH02; formerly 288c)9

Change of secretary’s details (CH03; formerly 288c)10

Change of corporate secretary’s details (CH04; formerly 288c).11

In addition the details of the registered officers (directors and company secretary) of all limited companies in the UK are held as public information at Companies’ House. This information can be accessed through http://www.companieshouse.gov.uk/ and through various other agencies and includes the names, addresses and dates of birth of company directors.

Companies House reports that in 2008-09 it employed 1,198 full-time equivalent staff, 1,159 of whom were based in Cardiff, 31 in Edinburgh and 8 in London.12 It does not, however, have the resources to notify extant company directors or company secretary that paper forms have been filed for their company. Moreover, Companies House does not check the details on the paper forms for validity. As a result, such forms are taken at face value and the register of companies updated accordingly, even if the updated information is false. Companies House accepts information filed on signed paper forms in good faith. It states very clearly on its website that:

“�Companies�House�is�a�registry�of�corporate�information.�We�carry�out�basic�checks�to�make�sure�that�documents�have�been�fully�completed�and�signed,�but�we�do�not�have�the�statutory�power�or�capability�to�verify�the�accuracy�of�the�information�that�corporate�entities�send�to�us.�We�accept�all�information�that�such�entities�deliver�to�us�in�good�faith�and�place�it�on�the�public�record.�The�fact�that�the�information�has�been�placed�on�the�public�record�should�not�be�taken�to�indicate�that�Companies�House�has�verified�or�validated�it�in�any�way.”13

7 Companies Act 2006 s87.8 Companies Act 2006 s167.9 Ibid.10 Companies Act 2006 s276.11 Ibid.12 Companies House, ‘Annual Report and Accounts 2008-09’ <http://www.companieshouse.gov.uk/about/pdf/annrep2008_9.pdf>.13 http://www.companieshouse.gov.uk/toolsToHelp/ourServices.shtml.

-

-

-

-

http://www.completeformations.co.uk/form-287.html

10


The fraudulently updated data becomes part of the public record. Therefore, checks which are made on the company against the register will show that the applying director is registered as an official director of the company and that the address supplied is the registered office of the company. The fraudulent data would appear legitimate in relation to any director/address checks undertaken on the company. Any ordinary credit search against the company would show the actual credit rating of the company.

Provided that the credit rating is healthy, orders made in the name of the company by a seemingly bona fide director would be likely to be dispatched to the false registered office address. The legitimate business may not know that the order had been placed or goods dispatched until the supplier chased for payment. This fraud would impact both the hijacked company (in terms of impact to its credit rating) and the supplier.

Companies House receives around 500,000 paper documents each month and estimates that between 50-100 of these are fraudulent. While this is only up to 0.02% of all documents received, Metropolitan Police estimates that the loss to industry resulting from company hijacking is in excess of £50 million annually.14 In 2007, a Metropolitan Police officer was seconded to Companies House in Cardiff to improve the way these cases are identified.

The officer was placed in Companies House as part of Operation Sterling, which targeted financial crime in London. Companies House saw the potential to fulfil an intelligence role in a national context and, so, took on the work because the Metropolitan Police does not have a remit outside London. This involved the Metropolitan Police training Companies House staff. In the 18 months since Companies House took over this role it referred 904 cases to law enforcement agencies, including fraudulent changes of registered office, false appointment and false resignation of company officials.15

The House of Commons Business and Enterprise Committee has commented that while it understands the rationale for the withdrawal of the permanent police presence at Companies House, it is ‘nervous’ about this apparent reduction in the overall anti-fraud effort. It recommended, in 2009, that Companies House and both the Metropolitan and City of London Police forces conduct regular assessments of the skills and knowledge of the staff at Companies House in relation to the opportunities for fraud.16

The following section provides some examples of fraudulently submitted paper documentation, typically relating to appointment of directors and change of company registered office address.

14 ——, ‘Police tackle Companies House database scam’ (Out-Law News 11 May 2005) <http://www.out-law.com/page-5686>.15 R Tyler, ‘Companies House targeted in credit scam’ Telegraph (London 17 April 2007) <http://www.telegraph.co.uk/finance/

yourbusiness/2807437/Companies-House-targeted-in-credit-scam.html>.16 House of Commons Business and Enterprise Committee. ‘Companies House: Government Response to the Committee’s

Thirteenth Report of Session 2007–08’ HC (2008-09) 206 6.

11


1.6 Case studies

The following companies and individuals demonstrate examples of fraudulent activity based on paper forms being submitted to Companies House (obtained via reports received by UK Data from the Metropolitan Police and other sources):

Case study one: The Bruce Electrical Company Limited (040�8563) – Fraudulent change of registered office and appointment of director without consent

Miss Ghazala Shabir contacted Companies House to complain that her address of 81 St Marks Road, Maidenhead, SL6 6DT had been used as the registered office address of the company without her consent on Form AD01:

1�


She had also been appointed without her consent as a director of the company. The director Mr Umar Rasheed was unaware of the change of address but has taken steps to amend it. He does not know either Ghazala Shabir or Mr Sanjeev Chhabra who was also appointed to his company via lodgment of a Form AP01 in November 2009:

13


14


Case study two: A.D. Hunn Limited (5697775) – Fraudulent change of registered office

A form AD01 was filed on 29 October 2009 changing the registered office address from 75 Newnham Street, Ely, Cambridgeshire, CB7 4PQ to 7 Ardfern Avenue, Norbury, London, SW16 4RB. This was done without the knowledge or consent of the company. The register has been amended to show the correct address

15


Case study three: SIM Associates Ltd (SC��5050) – Appointment of director without consent

Mr Steven Polwart says he has been appointed without his knowledge or consent as director and has no knowledge of this company. He is shown as having been appointed in 2007 when there were several other changes of appointments.

16


Case study four: R.M. Bonar Ltd (SC�75985) – Fraudulent change of registered office and possible fraudulent trading

The registered office address of this company was changed by submission of Form 287 on 14 August 2009 to 18 Community Road, Bellshill, North Lanarkshire, ML4 5QR. (This post code is incorrect).

The occupier of the address is an elderly lady who has since received numerous demands and summonses addressed to Mr Bonar. He is shown as resigning on the same date and a William McEwan appointed. Mr McEwan’s address is given as 18 Community Road but he does not reside there. It was proposed to strike this company off.

17


Mr Bonar incorporated a new company Mayfield Electrical Maintenance Ltd (6995560) on 19 August 2009, five days after resigning from RM Bonar Ltd.

18


Case study five: Paul Thompson Builders Ltd (4710941) – Fraudulent change of registered office

The registered office address of this company was fraudulently changed by submission of paper AD01 on 12 January 2010 to 46 Manor Road, Tottenham, London, N17 0JJ.

This address has come to notice before. It is also linked to:

35 Parkland Road, Wood Green, London

91 Aldridge Avenue, Enfield, EN3 6JA

52 Springfield Road, London, N15 4AZ

all of which have a connection with fraudulent changes of registered office. The company has amended the Register to show the correct address of 29 Nutter Road, Thornton-Cleveley, Lancashire, FY5 1BQ.

-

-

-

19


Case study six: Mtee Limited (05909070) – Appointment of director without consent

Mr Jamail Akhtar has complained to Companies House that he was appointed without his knowledge or consent as director via paper Form 288a. The register shows a series of resignations and appointments since incorporation but has filed its annual accounts and returns where appropriate. There have also been several changes of registered office address. The last set of accounts for year ending 31/08/2008 show a £1.1million turnover after previously filing dormant accounts. However, this company also has nine county court judgments (CCJs) against it.

�0


1.7 Minimising the risk

There are some relatively well-publicised steps that can be taken by small businesses in order to minimise the risks of company identity fraud. In particular Companies House publishes extensive information on its Web filing, PROOF and Monitor services:

Companies House – Web filing

WebFiling was introduced in May 2001 and allows companies to file their Annual Return online with Companies House for £15. Other information can be filed free of charge including Director, Secretary and Registered office changes as well as abbreviated and dormant company accounts. The service offers pre-populated screens. Information displayed on screen may be amended online and the service has some in-built checks such there is less chance of document rejection.

The service also confirms safe receipt of information by Companies House via two e-mails. The first will confirm receipt of the data and the second will confirm if it has been accepted or rejected.

Newcomers to WebFiling must first register for two codes. First, a security code, which identifies them as a user of the service. It is sent by email when registering and is linked to an email address. Second, a company authentication code which is sent by post to the company’s registered address. This code is the electronic equivalent of the company director’s signature and must be kept secure.17

However, there is a possibility that the registered office could first be changed via a paper Form AD01. If this was changed to a fraudulent address and this change was not noticed by the company itself, then the company authentication code would be sent by post to the new registered address and into the hands of the fraudster. There appears to be no check that the email address is actually linked to the bona fide company; so that the security code could be linked to a fraudulent email address. This could be set up on a similar domain name to that of the company itself to minimise any suspicion.

There have also been recent instances in which Companies House customers have been contacted by someone claiming to be from Companies House, asking for verification of their WebFiling Authentication Codes. Companies House personnel will never contact companies by telephone to try to ascertain their WebFiling Authentication Codes. Companies House advises businesses that should anyone contact them claiming to be from Companies House, then they should try to obtain a return telephone number and contact Companies House immediately.18

Companies House – Protected online filing (PROOF)

The Companies House PROOF scheme has been in operation since 2005. Initially companies could only join the scheme by submitting a paper (PR1) form. With the introduction of the Companies Act, the PROOF scheme now has new terms and conditions which operate under section 1070 of the Companies Act 2006 and which permit Companies House to agree for delivery of documents by ‘electronic means’. Companies may now opt-in to PROOF without submitting a paper form.

17 ——, ‘Why WebFile?’ (2009) 32 Company Secretary’s Review 177.18 Companies House, ‘Urgent fraud warning’ <http://www.companieshouse.gov.uk/about/miscellaneous/misc1.shtml>.

WebFiling was introduced in May 2001 and

allows companies to

file their Annual Return

online with Companies

House for £15.

�1


In order to join PROOF, a company must first be registered for WebFiling. As described in the previous section, there is a possibility that this registration process could be open to fraud if the registered office had previously been changed by submission of a paper form prior to the fraudster requesting an electronic security code.

Assuming that a company has successfully and securely joined PROOF, then Companies House will reject attempts to file the following forms on paper and will send the paper forms back to the registered company address:

annual returnchange of registered office addressappointment, termination or change of particulars of a company officer.

The PROOF scheme therefore covers all the paper forms that have commonly been used by fraudsters to hijack companies.

The original means of registration to PROOF involved a paper-based sign-up which deterred many companies from taking advantage of the protection it offers. The system has been changed to allow companies to opt-in to PROOF via WebFiling.19

According to Companies House, companies may not join PROOF if they are subject to an ‘ongoing internal dispute’; while Companies House offers no further information as to what this might cover, it is possible that companies may be denied registration for PROOF while they are in the process of remedying the effects of a fraudulent paper-based change to their registration, which is a lengthy process generally requiring a court order.

As at 19 May 2008, out of 2,615,001 live companies registered in England and Wales, 85,273 companies are in PROOF (3.26%) along with 566 out of 151,897 live Scottish companies (0.37%).20 This data was released by Companies House following a Freedom of Information request.

As at 4 April 2010, Companies House reports 2,433,549 companies in England and Wales, and 147,577 in Scotland.21 No information on PROOF registrations is currently available at this date.

PROOF case study – Paragon Interiors Group plc (1981976)

A paper form ADO1 changing the registered office (from Paragon House, Orchard Place, Nottingham Business Park, Nottingham, NG8 6PX to Imperial Court, Exchange Street East Unity 1A, Liverpool, Merseyside, L2 3AB) was rejected because the company had opted-in to PROOF. The director contacted Companies House to report that the form was fraudulent and that someone had forged his signature.

Monitoring services

Monitoring services are available that focuses on changes to information that may identify the presence of fraudulent activity, triggering alerts on changes to registered offices, company officers, filing of accounts, changes in credit limits, CCJs and insolvency orders.

Companies House offers a Monitor service via WebCHeck (its pay-as-you-go service) and Companies House Direct (its subscription service). Once registered, email alerts will be sent when the documents which have been chosen to be monitored are filed. The user may then (for a fee) download the image of the document filed.

19 ——, ‘Stop the Fraudsters – opt into PROOF via WebFiling’ (2009) 33 Company Secretary’s Review 56.20 <http://www.companieshouse.gov.uk/freedomInformation/infoReleasedPDFs/discLog62.pdf>21 <http://www.companieshouse.gov.uk/about/busRegArchive/businessRegisterStatisticsMarch2010.pdf>.

---

��


1.8 Conclusion

The Federation of Small Businesses (FSB) still believes that electronic filing is flawed since Companies House only records that company documents have been received rather than checking the accuracy of those documents. Moreover, according to the FSB, companies cannot get fraudulent information removed from their file without a court judgment ‘even if there is overwhelming evidence that [corporate] identity theft has taken place’.22

The FSB is calling for a central, well-advertised and accessible method of reporting fraud and e-crime, which they can trust to understand the issue and to take proper follow-up action. It is also calling for a local police contact to specialise on fraud and e-crime with small businesses.23

Although corporate identity fraud costs an estimated £50 million annually, only 56% of respondents had an awareness of its existence. 2% of respondents reported that they had been victims of corporate identity fraud; of these, the most common consequences were:

application for corporate credit/debit card and fraudulent spending of money

fraudulent ordering of goods

fraudulent acquisition of business in the company name

In addition, victims reported changes of company address and fraudulent bank loans in the company name. Although none of the victims were put out of business, common consequences were an adverse affect on the company credit rating, damage to reputation and loss of customers. Most losses were estimated at between £20,000 and £30,000.

With regard to the Companies House PROOF scheme:

14% of SMEs were aware and used PROOF

27% of SMEs were unaware of it and still filed all documents on paper

12% of SMEs were aware of it, but did not use PROOF

24% of SMEs did not know about PROOF but filed documents online anyway

Therefore, only 36% of SMEs filed all documents online, leaving 64% potentially exposed to the paper filing vulnerability. 92% of SMEs were unaware, or did not know, of the paper filing vulnerability. This shows a very low level of awareness of the problem and a consequent high level of risk for around two-thirds of SMEs. However, only 50% of SMEs considered that their company was not at risk from corporate identity fraud even though a higher proportion had not subscribed to the PROOF scheme.

It is not just Companies House fraud that puts businesses at risk. Fraudsters may acquire other information about the business, including employee information or customer information and supplier accounts. Although changing registration details at Companies House may facilitate fraud, even without doing so, fraudsters may acquire financial products, order goods and services on credit. Organisations can be vulnerable to corporate identity fraud committed internally by employees, externally by individuals or organised criminals or in collusion.24

22 ——, ‘Companies House must stop corporate hijacking, says FSB’ (Out-Law News 23 June 2005) <http://www.out-law.com/page-5840>.

23 A Blake, ‘Firms warned of identity fraud’ Western Mail (17 March 2010).24 Fraud Advisory Panel, ‘Fraud Facts’ (2008).

-

-

-

-

-

-

-

�3


In addition, fraud can be committed by ex-employees who may be able to gather relevant information during their employment. Indeed, 56% of employers who were victims of corporate identity fraud believe that an ex-employee (or an associate) was to blame.

Around half (47%) of SME employees have access to sensitive company data, (such as bank details and employee information) and many are authorised to remove such data from the office, including electronically on an unencrypted storage medium (22%), on a laptop (17%) or in print (22%). However, only 32% of SMEs report that ex-employees could have had access to company data before they left. This is inconsistent with 47% of current employees who have access to such data. In any event, the range of information that could be abused for fraudulent purposes includes company (46%) and employee (25%) bank account details, employee profile information (57%) and customer account information (41%).

When it comes to taking steps to protect sensitive electronic data, 13% of SMEs have no protection measures in place. The most common measures taken by the remainder are anti-virus software (84%), firewalls (83%) and regular data back-ups (76%). Although 66% of SMEs use password-protection on sensitive data, only 26% of SMEs encrypt that data.

With regard to paper-based data, 65% of SMEs lock documents in cupboards or filing cabinets and 22% in unlocked filing cabinets.

Finally, only 37% of SMEs were aware that processing of personal data required registration with the Information Commissioner’s Office, although 50% claimed to have a person responsible for data protection. 41% of SMEs have a data handling policy.

It is clear that there is a market in sensitive company information, despite data protection legislation. According to Merseyside Police, organised criminals pay £5 per document which provides opportunities for both personal and corporate identity fraud.25

SMEs need to be aware of these shortcomings and the associated risks. They should check with Companies House to ensure that their registered details are accurate, enrol for the PROOF scheme and sign up to an alert system which will warn of any changes to company details. Companies should not rely on Companies House records alone in determining whether to lend goods or services on credit, as Companies House is merely a public register and not a credit reference agency.

SMEs should develop policies to secure data and access to data. Sensitive company documents should be kept in a secure place with limited access to key employees and securely destroyed before disposal. Similarly, procedures relating to the access and use data of held electronically should be developed including mobile devices and storage (smartphones, USB/mobile disk storage), laptops, web access and email.

Corporate identity theft is of concern to businesses many of which are unaware of its potential risks or consequences. Awareness must be raised and simple steps taken to minimise risk and to ensure compliance with data protection legislation.

25 Merseyside Police, ‘Business Identity Fraud’ (14 August 2009) <http://www.merseyside.police.ul/index.aspx?articleid=1400>.

�4


1.9 References

——, ‘Police tackle Companies House database scam’ (Out-Law News 11 May 2005) <http://www.out-law.com/page-5686>

——, ‘Companies House must stop corporate hijacking, says FSB’ (Out-Law News 23 June 2005) <http://www.out-law.com/page-5840>

——, ‘Why WebFile?’ (2009) 32 Company Secretary’s Review 177

——, ‘Stop the Fraudsters – opt into PROOF via WebFiling’ (2009) 33 Company Secretary’s Review 56

C Auger, Information Sources in Grey Literature (4th edn Bowker-Saur, London 1998)

A Blake, ‘Firms warned of identity fraud’ Western Mail (17 March 2010).

Business Link, ‘Personal and corporate identity theft’ <http://www.businesslink.gov.uk/bdotg/action/detail?type=RESOURCES&itemId=1075422219>

D Butcher, Official Publications in Britain (Bingley, London 1991)

Companies House, ‘Urgent fraud warning’ <http://www.companieshouse.gov.uk/about/miscellaneous/misc1.shtml>

Companies House, ‘Annual Report and Accounts 2008-09’ <http://www.companieshouse.gov.uk/about/pdf/annrep2008_9.pdf>

Fellowes, ‘Mind your own business: a practical guide to identity fraud prevention for business’ <http://intellishred.fellowes.co.uk/misc/6109%20IDFW%20Guide%20Booklet_Online%20version_Layout%201.pdf>

Fraud Advisory Panel, ‘Fraud Facts’ (2008)

C Hart, Doing a Literature Search (Sage, London 2004)

House of Commons Business and Enterprise Committee. ‘Companies House: Government Response to the Committee’s Thirteenth Report of Session 2007–08’ HC (2008-09) 206

Merseyside Police, ‘Business Identity Fraud’ (14 August 2009) <http://www.merseyside.police.ul/index.aspx?articleid=1400>

R Tyler, ‘Companies House targeted in credit scam’ Telegraph (London 17 April 2007) <http://www.telegraph.co.uk/finance/yourbusiness/2807437/Companies-House-targeted-in-credit-scam.html>

�5


1.10 Avoiding Corporate Identity Fraud

Michael Lynch is an identity fraud expert at CPP and offers the following advice to consumers to help protect them from identity fraud. Michael is responsible for the UK Identity Protection portfolio at CPP Group Plc (CPP).

Michael has been with CPP for 14 years. His experience in financial services extends to customer service, new product and market development and affinity relationships.

During his time at CPP, Michael has helped bring to market the UK’s market leading service, Identity Protection, which now protects over one million UK consumers from the consequences of this rapidly growing crime. In addition, Michael had used his expertise to create a commercial identity theft product aimed at protecting businesses of all sizes. He has also developed a strong understanding of consumer perception and reaction to identity theft and its consequences. Michael has also been responsible for breaking some major identity theft stories in the media including the availability of fraudulent documents online, car cloning, junk mail and postal theft. Committed to forging industry co-operation to reduce the opportunities for identity theft he is leading the call for consumers to change their behaviour to counter what is becoming an increasingly sophisticated and intrusive crime.

Michael is media trained across print and broadcast and is available for media interviews on the issue of identity fraud.

Top tips

CPP offers the following advice on protecting businesses against corporate identity fraud

Stay on top of your records Companies House sees 50 to 100 cases of identity theft a month, so stay on top of documents filed regarding your business. You should also sign up for their PROOF scheme. Reconcile your bank statements and company credit card statements as well

Ensure your protection is up-to-date Outdated anti-virus or spyware protection is useless. Use only the very latest protection. Also, train your staff to recognise and avoid phishing e-mails and let customers know your security policy so that they can identify phishing emails as well

Keep it secure Make sure your business’ mobiles and laptops are password protected. All it takes is for you or an employee to leave a device in a taxi, exposing your business to identity theft

Verify before trading Don’t accept handwritten orders or faxes, only professional documents. Also confirm the telephone area code of the business you’re dealing with. It’s not unheard of for a ‘business’ to claim to be a local address, but is actually operating on another continent

Shred it It sounds obvious, but you’d be surprised how many companies don’t take this most basic of precautions. If paper documents are no longer needed, destroy them with a cross-cut shredder or micro shred shredder. Apply the same idea to old uniforms. Dispose of them so that they can’t be used by fraudsters

�6


Track yourself online One common way of hijacking a business is to set up a doman name suimiliar to that company’s. Consider registering common misspellings and variations of your business’ name

Mind your old computer hardware Don’t simply throw these away. Make sure the hard drives are wiped clean first to prevent identity thieves from finding the information they need to hijack your business

Verify before hiring This includes any staff you’re thinking of taking on, from top-level executives to cleaners. Anyone who will have access to your office should have references, qualifications, past employment – and identity – thoroughly checked

Think before you post With the explosive popularity of social networking sites, many businesses now have their own page. This is a lure to identity thieves. Be careful what you reveal about your company and employees

1.11 For further information please contact:

Nick Jones Head of Communications CPP Group Plc Holgate Park York YO26 4GA

Tel 01904 544 387E-Mail [email protected] Corporate: www.cppgroupplc.com

mailto:[email protected]

�7


1.1� About CPP

The CPPGroup Plc

The CPPGroup Plc (CPP) is an international marketing services business offering bespoke customer management solutions to multi-sector business partners designed to enhance their customer revenue, engagement and loyalty, whilst at the same time reducing cost to deliver improved profitability.

This is underpinned by the delivery of a portfolio of complementary Life Assistance products, designed to help our mutual customers cope with the anxieties associated with the challenges and opportunities of everyday life.

Whether our customers have lost their wallets, been a victim of identity fraud or looking for lifestyle perks, CPP can help remove the hassle from their lives leaving them free to enjoy life. Globally, our Life Assistance products and services are designed to simplify the complexities of everyday living whether these affect personal finances, home, travel, personal data or future plans. When it really matters, Life Assistance enables people to live life and worry less.

Established in 1980, CPP has 10 million customers and more than 200 business partners across Europe, North America and Asia and employs 1,900 employees who handle millions of sales and service conversations each year.

In 2009, Group revenue was £292.1 million, an increase of more than 12 per cent over the previous year.

In March 2010, CPP debuted on the London Stock Exchange (LSE).

What We Do:

CPP provides a range of assistance products and services that allow our business partners to forge closer relationships with their customers.

We have a solution for many eventualities, including:

Insuring our customers’ mobile phones against loss, theft and damage

Protecting the payment cards in our customers’ wallets and purses, should these be lost or stolen

Providing assistance and protection if a customer’s keys are lost or stolen

Providing advice, insurance and assistance to protect customers against the insidious crime of identity fraud

Assisting customers with their travel needs be it an emergency (for example lost passport), or basic translation service

Monitoring the credit status of our customers

Provision of packaged services to business partners’ customers

For more information on CPP visit:

www.cppgroupplc.com

-

-

-

-

-

-

-

CPP is an award- winning organisation:

Finalist in the National Insurance Fraud Awards, Counter Fraud Initiative of the Year category, �009

Finalist in the European Contact Centre Awards, Large Team and Advisor of the Year categories, �009

Named in the Sunday Times �008 PricewaterhouseCoopers Profit Track 100

Finalists in the National Business Awards, 3i Growth Strategy category, �008

Finalist in the National Business Awards, Business of the Year category, �007, �009 and Highly Commended in �008

Named in the Sunday Times �006, �007, �008 and �009 HSBC Top Track �50 companies

Regional winner of the National Training Awards, �007

Winner of the BITC Health, Work and Well-Being Award, �007

Highly Commended in the UK National Customer Service Awards, �006

Winner of the Tamworth Community Involvement Award, �006. Finalist in �008

Highly Commended in The Press Best Link Between Business and Education, �005 and �006. Winner in �007

Finalist in the National Business Awards, Innovation category, �005

-

-

-

-

-

-

-

-

-

-

-

-

www.cppgroupplc.com

�8


Appendix A

�9


Appendix A

30


Appendix A

corporate id fraud 2010

Documents