Legal, Regulatory, and Privacy Issues

6 steps to protect your business from ID theft


Attention to security issues is often lacking among the self-employed and small-business owners. But protecting your company’s and your clients’ financial data is critical to avoiding a disaster that could tank your business dreams

The content on this page is accurate as of the posting date; however, some of our partner offers may have expired. Please review our list of best credit cards, or use our CardMatch™ tool to find cards matched to your needs.

6 steps to protect a very small business from ID theft

For the self-employed and owners of small businesses, whose time and energies are devoted to growing the company, data security often falls in priority.

It shouldn’t. Protecting your business and your clients’ financial data is critical to averting the kind of disaster that could tank your business dreams.

The dangers are real. According to the IRS, business identity theft cases have increased from around 350 in 2015 to about 10,000 cases in 2017, potentially costing $137 million total.

“Fraudsters are stealing as much as $1 billion a year from small and mid-sized businesses in North America and Europe, and the numbers are only going to increase,” says Mike Gross, director of product innovation for global fraud and identity at credit reporting giant Experian.

“Because the largest institutions have sophisticated fraud prevention solutions in place, the latest fraud attacks are looking to exploit the next tiers of businesses that are typically not as well defended.”

Solopreneurs, freelancers and businesses with few employees often have scarce resources available for ID theft prevention. But there are a number of practical, affordable steps you can take to make it tougher for criminals to steal your valuable information.

1. Operate with an EIN.

While a corporation or limited liability company must have a separate employer identification number (EIN) for tax identification purposes, a freelancer or small-business owner may operate as a sole proprietorship under his or her Social Security number, even if the business has employees.

Just because you can operate a business without an EIN doesn’t mean you should. It’s generally a better idea for sole proprietors to use an EIN, which can be obtained easily through the IRS website. Keeping business and personal finances separate is a good idea for many reasons, including identity theft prevention.

“That protects the business owner,” says Paige Hanson, chief identity education lead with the consumer business unit of Symantec. “If the business becomes a victim of identity theft, it won’t be tied to your identity. If the business identity is stolen, hopefully it won’t trickle down to you personally.”

To help keep finances separate, once armed with an EIN, you can apply for a business credit card (here is our list of the best business credit cards) to help track finances and detect fraud more easily.

2. Secure sensitive files – online and offline.

From bank statements to tax return filings to customer lists, your business may have a number of paper and electronic files that hold sensitive information.

Gross suggests taking some basic measures to protect paper documents, such as using a secure mailbox, shredding any documents you don’t need and keeping sensitive files in a locked area or other secure location.

It’s a message not lost on barber Domenic Sciortino, owner of Mt. Rose Barberama in York, Pennsylvania. He keeps copies of important documents in a safe and shreds statements, credit card offers and other unnecessary paperwork that could give fraudsters access to his business or allow them to open credit lines in his business name.

“We’re very careful about that,” he says. “We don’t have duplicates anywhere and I know exactly” where sensitive information is kept.

To combat digital fraud, make sure your computer systems have appropriate firewall, anti-virus and anti-malware technology, says Suzanne Barber, director for the Center for Identity and a professor in electrical and computer engineering at the University of Texas, Austin.

Because the largest institutions have sophisticated fraud prevention solutions in place, the latest fraud attacks are looking to exploit the next tiers of businesses that are typically not as well defended.

Free software is available, but it may not include all of the components you need, or it may come with adware or spyware.

Off-the-shelf security packages such as those from Symantec and McAfee are usually sufficient for small businesses, and some products now offer protection that extends to mobile phones and other devices. Be sure to update patches in a timely manner by allowing automatic updates.

Also, check with your internet service provider to find out how it protects your data. Find out which third-party security vendors it uses, then check the vendors’ websites to learn how frequently they update their solutions and whether certain content types are protected – for example, email attachments.

You’ll also want to learn the type of protection your internet service provider offers. Does it use firewalls and anti-virus, anti-spam and anti-spyware software? Think about your online activities and make sure the ISP has the right solutions for you.

3. Establish good internal controls.

Businesses with employees need to pay extra attention to security.

Barber says it’s important to use passwords or otherwise restrict employee access to certain documents, such as customer lists or accounting files. She also recommends establishing a clear protocol to follow in the event of a data breach, including assigning someone to manage the breach and outlining what actions are needed to be taken.


How to deal with tax-related ID theft: According to Federal Trade Commission, unexpected tax-related notices should be a red flag that your business’s identity has been stolen. If the IRS thinks you have already filed your business’s tax return, that may also be an indicator that your ID has been stolen.

The IRS will never initiate contact through email, text or social media message, so if you recieve these communications, they are likely an attempt to steal your business’s identity. To deal with the identity theft, immediately contact the IRS and report fraud, as well as keeping records or the dates you’ve made calls or sent letters. Check your credit report often and put a fraud alert on your business’s account.

For retail businesses, Barber suggests business owners review security footage for suspicious activity, such as an employee taking a customer’s card away from the register to run a transaction. You should also regularly check any credit card terminals or ATM kiosks for card skimmers.

Even businesses without a lot of employees need good controls.

New Orleans jewelry designer Anne Renee Timmons-Harris, founder of A.R.T. Precious Collectible Jewelry, works from home with her husband and co-founder. Experience makes her extra cautious.

In the early days of the business, she received an online order that just didn’t “feel right.”

She tracked down the person whose card was used and called him. When she told him why she was calling, he “spilled his coffee in his lap because he hadn’t placed the order,” she says.

She realized that if it was that easy for someone’s card to get stolen, she couldn’t take any chances with her own identity.

Even though only she and her husband have access to their files, they change passwords at least quarterly and use random password generators, saving passwords offline on a jump drive to keep them away from internet hackers.

4. Ask vendors about their information practices.

You may be asked to provide sensitive data on credit applications or other documents when you work with vendors. Hanson recommends asking about your vendors’ security practices to ensure you’re not putting sensitive data in the hands of a company that doesn’t adequately protect it.

It’s perfectly reasonable to inquire about where customer data is kept and how it’s protected. If the vendor can’t answer those questions to your satisfaction, it might be a red flag that your data would be less than secure with them.

5. Deter device-centered hacking.

The “bring your own device” trend – in which employees use their personal mobile phones and other devices for work – introduces extra risks to a business. Gross says such devices need to be password-protected to ensure that sensitive company information can’t be accessed if the device is lost or stolen.

Mobile payment solutions such as Square and PayPal Here that allow you to connect a card reader to a smartphone or tablet also may increase security risks.

“The risk is definitely real with mobile payment solutions, and account takeover fraud should be an immediate concern for small-business owners,” Gross says.

[An EIN] protects the business owner. … If the business identity is stolen, hopefully it won’t trickle down to you personally.

He suggests that business owners closely protect their account credentials because a fraudster gaining access to that account could easily divert funds from legitimate transactions to another account.

If you’re considering using a mobile payment system, look for one that uses the best possible encryption methods and devices that require the highest level of authentication available to limit the ability of others to misuse your device, says Barber.

Consider employee access controls, too.

Sciortino, for example, uses a tablet and one mobile payment system for eight stylists. He uses separate passwords for each stylist, so they can all use the tablet-based system, but no one has access to any information but their own.

6. Check your statements and profiles regularly.

Keeping an eye on your accounts is one of the best methods of halting fraud before it gets out of hand. Experian and other credit reporting agencies offer monitoring services that can help. is a nationwide program from the Identity Theft Protection Association and the National Association of Secretaries of State to help combat business identity theft, data breaches and other types of fraud.

According to the organization’s website, you can also use your state’s online Business Identity Search to enter your business name and review information about your business.

Some states offer free email alerts to notify you when information related to your business identity changes.

It’s also a good idea to review your banking agreements to determine whether your business accounts have protection against fraud, which can differ from consumer protections.

In addition, review your insurance policies to see what, if any, coverage you have in case of a data breach that exposes customer information or if you incur other losses from fraud or ID theft.

Besides regularly reviewing his bank statements to make sure no fraudulent transactions have occurred, Sciortino uses a business credit profile monitoring service to alert him if there are changes to his company’s credit record, such as new lines of credit or negative reporting.

“It lets me know if anything affects it – I get a notice right away,” he says.

See related:Protecting your business from credit card fraud, 8 steps to build your business credit profile

Editorial Disclaimer

The editorial content on this page is based solely on the objective assessment of our writers and is not driven by advertising dollars. It has not been provided or commissioned by the credit card issuers. However, we may receive compensation when you click on links to products from our partners.

What’s up next?

In Legal, Regulatory, and Privacy Issues

6 steps to getting a credit card chargeback

A chargeback from your credit card issuer gives you a refund when the retailer won’t. Here’s how to navigate the sometimes confusing chargeback rules.

See more stories
Credit Card Rate Report
Cash Back

Questions or comments?

Contact us

Editorial corrections policies

Learn more