Businesses need robust digital identity too
Companies and small businesses are increasingly seeing their identity stolen, spoofed, faked and attacked. Criminals are using the lack of digital identity for non-humans (businesses and companies) to impersonate, clone and steal small businesses on Instagram and Etsy and to reap big bucks impersonating vendors through business email compromise scams. These scenarios show that humans aren’t the only entities who need digital identity we can trust.
Fake it till you make it?
Did you read the recent story about the fake company in the UK, Madbird? It was the dream of an influencer to run a big design agency. As the story unfolded, the company turned out to be a sham. Two employees used reverse image search to discover that most of the company’s sample portfolio was stolen from other places on the internet. When one googled the office address, it turned out to be residential. There were fake employees, with stolen headshots and bios, and even the founder fabricated his work history. Was this a case of “Fake it till you make it” or something more sinister?
We’ve all heard about knockoff purses, wallets, and clothing, but have you heard about knockoff businesses? Imagine a small business sets up its brand on Instagram or Etsy, works to create its community, develops and launches products, and finds some success, only to have a cloned account pop up offering the same things.
How easy is it to clone a business? On Etsy, just scrape product images and descriptions from a successful account. Then create a new account, add the scraped products, and start selling. You can offer a lesser product, and in some cases may not even have to fulfill the orders. This is not a once-in-a-while scenario; it’s a problem I found discussed in multiple Etsy community threads.
And it happens to businesses on Instagram too.
These platforms don’t require business verification. On one hand, that makes it easy for anyone to create a brand for their business; on the other, there’s next to no protection, or consequences for the criminal, when they steal your business.
The Big Bucks: Business Email Compromise
I came across the Business Email Compromise (BEC) scam several years ago. The general idea is to socially engineer a company into paying a scam artist who is impersonating a legitimate vendor or business partner. This is a classic “man in the middle” attack, where the criminal creates a legitimate-enough-looking email address or otherwise gains email access in order to change a vendor’s accounts payable data to an account the criminal controls. This attack uses social engineering with a potentially big payout. A friend of mine stopped their company from sending hundreds of thousands of dollars to an unknown bank in Eastern Europe after the transaction had been officially approved. BEC is an attack that works far more often than we hear about, because who wants to admit they were conned?
Introducing Digital KYB
We now live in a world where you can create an entire fake company with fake employees and fake clients. Or clone an Etsy shop or Instagram small business, impersonate a vendor, or just ‘update the billing information’ via a fax to the back office. How can we verify our employers, vendors and small businesses before we do business with them?
In the consumer world, banks use KYC (know your customer) to verify the digital identity of everyone they do business with. It’s done in the context of banking and financial services for the purpose of having a verified identity on file in the case of money laundering or other financial crimes. This information is collected because it is required by law.
There is a lesser-used practice of collecting similar identity information on businesses, sometimes known as KYB (know your business). This is more complex, because not only does the business information itself need to be identified, but businesses exist because humans create them (even if there are several shell corporations between a business and an individual). Ideally KYB drills down to the human individual(s) behind the business. But this is not an exact science, and business data is far from being digitally available for verification. Due to the high cost of manually verifying businesses, this is mostly done in the context of money laundering and other financial crimes.
In the above stories, it’s clear that we need a way for companies and small businesses to prove they are who they say they are. We need to make it harder for someone to impersonate, clone and steal a business identity in order to bring trust back into our business activities.
About the author
Heather Vescent is a digital identity industry thought leader and futurist with more than a decade of experience delivering strategic intelligence consulting to governments, corporations and entrepreneurs. Vescent’s research has been covered in the New York Times, CNN, American Banker, CNBC, Fox and the Atlantic. She is co-author of The Secrets of Spies, The Cyber Attack Survival Manual and The Comprehensive Guide to Self Sovereign Identity.