Business Identity Theft: How Companies and EINs Are Targeted
Business identity theft occurs when a company's legal identity, tax credentials, or financial accounts are fraudulently used by unauthorized parties to obtain credit, redirect payments, or file false documents. Unlike consumer identity theft, business identity theft can unfold across corporate registries, tax filings, and banking systems simultaneously, often without triggering the individual-level alerts that protect personal accounts. The identity theft provider network covers the service landscape for both personal and business identity fraud cases across the United States.
Definition and scope
Business identity theft is the fraudulent appropriation of a company's legal identity — including its Employer Identification Number (EIN), registered agent details, state incorporation records, or financial account credentials — to conduct unauthorized transactions, establish fraudulent credit lines, or impersonate the business before government agencies.
The Federal Trade Commission (FTC) recognizes business identity theft as a distinct fraud category affecting entities ranging from sole proprietorships to publicly traded corporations. The IRS defines a specific category of business identity theft involving the misuse of EINs to file fraudulent payroll tax returns or redirect employment tax refunds (IRS Publication 5027).
The scope of exposure differs by entity type. A sole proprietorship's EIN is numerically distinct from the owner's Social Security Number, but the business's financial history, trade credit profile, and banking credentials can be stolen independently. Corporations face additional exposure through state-level Uniform Commercial Code (UCC) filings and secretary of state registration systems, where fraudsters can alter agent information or file false amendment documents.
Business identity theft is documented under federal statutes including 18 U.S.C. § 1028 (identity fraud) and 18 U.S.C. § 1343 (wire fraud), both of which the Department of Justice (DOJ) prosecutes in cases involving business entities.
How it works
Business identity theft typically proceeds through three functional phases: reconnaissance, credential acquisition, and exploitation.
Phase 1 — Reconnaissance
Perpetrators gather publicly available data from state corporation databases, the IRS EDGAR system (for public companies), UCC filing registries, and business credit reporting bureaus such as Dun & Bradstreet. EINs are frequently exposed on publicly filed 990 forms for nonprofits, which the IRS makes available via the IRS Tax Exempt Organization Search.
Phase 2 — Credential Acquisition
Once an EIN, registered agent name, and corporate address are obtained, fraudsters use the data to:
1. Open new credit accounts in the company's name with lenders that rely on business credit reports
2. Submit fraudulent UCC-1 financing statements to secure claims against a company's assets
3. File unauthorized articles of amendment with a secretary of state to redirect corporate correspondence
4. Impersonate the company in vendor communications to divert accounts payable transfers
Phase 3 — Exploitation
Exploitation may involve rapid drawdown of fraudulently opened credit lines, submission of false tax returns to the IRS to obtain refunds, or long-duration impersonation schemes targeting the company's suppliers and customers. The IRS Identity Theft Central resource (IRS.gov) documents the payroll diversion variant, in which fraudsters redirect employment tax deposits by impersonating the business before payroll processors.
Common scenarios
Business identity theft manifests across four well-documented scenarios, each with distinct entry points and regulatory implications:
Corporate record tampering — Fraudsters file unauthorized amendments to state business registrations, changing the registered agent or business address. This method bypasses financial systems entirely and is difficult to detect without routine monitoring of secretary of state filings. The National Association of Secretaries of State (NASS) tracks this vector and has coordinated multi-state pilot programs to address it.
EIN-based tax fraud — A company's EIN is used to file false W-2 forms, payroll tax returns, or employment tax refund requests with the IRS. This often appears as a discrepancy during legitimate annual filing and is addressed through IRS Form 14039-B, the Business Identity Theft Affidavit.
Trade credit fraud — Business credit profiles at bureaus such as Dun & Bradstreet or Experian Business are exploited to open net-30 or net-60 trade accounts, through which goods or services are obtained before the fraud is detected. Because business credit does not carry the same federal protections as consumer credit under the Fair Credit Reporting Act (15 U.S.C. § 1681), recovery timelines are typically longer.
Vendor payment diversion — Impersonating a known vendor, fraudsters send fraudulent invoices or banking change notifications to the targeted company's accounts payable team, redirecting legitimate payments. This scenario is classified by the FBI's Internet Crime Complaint Center (IC3) under Business Email Compromise (BEC), which generated losses exceeding $2.9 billion in 2023 (FBI IC3 2023 Internet Crime Report).
Decision boundaries
Distinguishing business identity theft from related fraud categories determines which agencies have jurisdiction and which remediation pathways apply.
Business identity theft vs. consumer identity theft — Consumer identity theft is governed primarily by the Fair Credit Reporting Act and enforced by the FTC with specific dispute rights for individuals. Business identity theft carries no equivalent statutory dispute framework at the federal level; remediation relies on direct engagement with the IRS, state business registries, and business credit bureaus through non-standardized processes.
Business identity theft vs. account takeover — Account takeover fraud targets existing credentials (banking logins, payment portals), while business identity theft targets the legal identity of the entity itself to create new fraudulent obligations. The distinction matters for insurance coverage under commercial crime policies and for determining whether the Financial Crimes Enforcement Network (FinCEN) Suspicious Activity Report (SAR) process applies.
Business identity theft vs. corporate impersonation — Corporate impersonation involves fraudsters using a business's name and branding to deceive third parties without necessarily accessing the company's financial or tax credentials. The FTC has separate enforcement authority over impersonation schemes under 16 C.F.R. Part 461.
Professionals navigating case classification can reference the provider network purpose and scope page for service category definitions, and the how to use this identity theft resource page for provider network navigation guidance.