Business Identity Theft: How Companies and EINs Are Targeted
Business identity theft involves the fraudulent use of a company's legal identity, tax identification credentials, or financial accounts to obtain credit, file false documents, or divert assets — without authorization from the business's legitimate owners or officers. Unlike personal identity theft, which targets individuals, this category of fraud exploits the institutional identity of legal entities: corporations, LLCs, sole proprietorships, partnerships, and nonprofits. The Federal Trade Commission and the IRS both recognize business identity theft as a distinct fraud category with its own reporting pathways, documentation requirements, and regulatory consequences. Understanding how this sector of fraud operates is essential for business owners, compliance officers, financial institutions, and researchers tracking the broader landscape of identity theft types and categories.
Definition and scope
Business identity theft is defined by the fraudulent assumption of a legal entity's credentials or registered identity for financial gain or deceptive purpose. The primary credential at risk is the Employer Identification Number (EIN), the nine-digit tax identification number assigned by the IRS to businesses for tax filing, payroll, and banking purposes. The EIN functions for a business much as a Social Security number functions for an individual — it anchors the entity's financial and legal identity across government databases, credit systems, and financial institutions.
The scope of business identity theft extends across four broad credential categories:
- EIN and tax identity — Filing fraudulent federal or state tax returns, claiming false refunds, or registering shell entities using a legitimate company's EIN.
- Secretary of State filings — Submitting fraudulent amendments to articles of incorporation or organization to change registered agents, officer names, or ownership structure at the state level.
- Business credit identity — Opening lines of credit, trade accounts, or loans using a legitimate company's credit profile, DUNS number, or registration data.
- Domain and brand identity — Registering lookalike domains, spoofing business email domains, or impersonating a business to defraud its customers or suppliers.
The IRS addresses EIN-based tax fraud through its Business Identity Theft program, which instructs affected businesses to submit Form 14039-B, the Business Identity Theft Affidavit. The Federal Trade Commission separately maintains guidance on business credential fraud and its intersection with credit reporting obligations under the Fair Credit Reporting Act (15 U.S.C. § 1681).
How it works
Business identity theft typically proceeds through a structured sequence of reconnaissance, credential acquisition, and exploitation. The operational phases differ from personal identity theft primarily in the number of accessible databases and the relative ease with which business registration data can be obtained legally.
Phase 1 — Data harvesting. Business registration records filed with Secretaries of State are public in most U.S. jurisdictions. An attacker can retrieve a company's legal name, EIN (sometimes exposed in public filings or tax-exempt organization returns such as IRS Form 990), registered agent, officer names, and mailing address through legitimate state portals. The IRS itself publishes EINs for nonprofit organizations through its Tax Exempt Organization Search database.
Phase 2 — Credential weaponization. With EIN and registration data in hand, fraudsters can apply for business credit accounts, open banking relationships, or register new entities using the harvested identity. Business credit bureaus — including Dun & Bradstreet, Equifax Business, and Experian Business — rely on EIN as a primary identifier, making EIN compromise a direct path to fraudulent trade credit.
Phase 3 — Exploitation and monetization. The acquired credit lines, loans, or fraudulent tax refunds are typically liquidated rapidly — through merchandise resale, cash advances, or wire transfers — before the legitimate business detects the activity. In Secretary of State fraud, the attacker may change the registered agent or officers to lock the legitimate owner out of the entity's official records.
Phase 4 — Detection lag. Unlike consumer credit monitoring, business credit monitoring is not mandated by federal statute for issuers, and small businesses often lack automated alerts. The FTC's data on identity theft reporting indicates that business-related identity fraud is underreported relative to personal identity fraud, partly because discovery timelines are longer.
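One way to shorten the detection lag for the registry changes described in Phase 3 is to compare each new copy of the entity's state record against a stored baseline. The sketch below is an added example, not part of any IRS or state tooling; the field names, the `authorized_filings` parameter and the sample records are assumptions made for illustration.

```python
import re

# Hypothetical field names: each state registry exports records differently,
# so map the portal's fields onto this shape before comparing.
WATCHED_FIELDS = ("registered_agent", "principal_address", "status")

def norm(value):
    """Ignore case, punctuation and spacing so re-keyed data does not alert."""
    return re.sub(r"[^a-z0-9]+", " ", (value or "").lower()).strip()

def diff_filing(baseline, current, authorized_filings=()):
    """Return (finding, old, new) tuples for changes the business did not make."""
    findings = []
    for field in WATCHED_FIELDS:
        if norm(baseline.get(field)) != norm(current.get(field)):
            findings.append((field + "_changed", baseline.get(field), current.get(field)))
    old = {norm(o): o for o in baseline.get("officers", [])}
    new = {norm(o): o for o in current.get("officers", [])}
    findings += [("officer_added", None, new[k]) for k in sorted(new.keys() - old.keys())]
    findings += [("officer_removed", old[k], None) for k in sorted(old.keys() - new.keys())]
    # Any filing the business neither had on record nor submitted itself.
    known = set(baseline.get("filing_ids", [])) | set(authorized_filings)
    for fid in current.get("filing_ids", []):
        if fid not in known:
            findings.append(("unrecognized_filing", None, fid))
    # Agent replaced and no original officer left: the lock-out pattern from Phase 3.
    agent_changed = any(f[0] == "registered_agent_changed" for f in findings)
    if old and not (old.keys() & new.keys()) and agent_changed:
        findings.append(("possible_takeover", None, None))
    return findings

# Constructed sample records (not real entities or filing numbers).
BASELINE = {"registered_agent": "Jane Roe", "principal_address": "100 Main St., Suite 4",
            "status": "Good Standing", "officers": ["Jane Roe", "Sam Poe"],
            "filing_ids": ["DOC-0001"]}
REKEYED = dict(BASELINE, registered_agent="JANE ROE",
               principal_address="100 Main St Suite 4", officers=["SAM POE", "jane roe"])
TAMPERED = dict(BASELINE, registered_agent="Registered Agents R Us",
                officers=["Alex Doe"], filing_ids=["DOC-0001", "DOC-0002"])

if __name__ == "__main__":
    for finding in diff_filing(BASELINE, TAMPERED):
        print(finding)
```

Run on a schedule against the registry's current record, an empty result means nothing changed; any finding should be checked against the amendments the business actually filed.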
Common scenarios
Fraudulent tax filings. A fraudster files a false federal business income tax return or employment tax return using a legitimate company's EIN, claiming a refund before the actual business files. The IRS Business Identity Theft unit handles these cases separately from personal tax identity theft.
Secretary of State amendment fraud. A bad actor submits fraudulent articles of amendment to a state business registry, replacing the company's officers or registered agent. Once recorded, the attacker may open bank accounts or obtain credit under the now-altered official filing. Colorado, Florida, and Wyoming have each documented this pattern in publicly available state audit reports.
Business credit application fraud. Using harvested EIN and DUNS data, an attacker submits applications to net-30 vendors, business credit cards, or SBA-backed lenders. Business credit files — unlike consumer files — carry no federal freeze mechanism analogous to the security freeze available to individuals under the FCRA.
Vendor and invoice fraud. Criminals impersonate an existing supplier by registering a lookalike domain or spoofing a business email domain (a social engineering tactic), then redirecting payments from the victim company's accounts payable department to a controlled account. The FBI's Internet Crime Complaint Center (IC3) classifies this as Business Email Compromise (BEC), which generated reported losses exceeding $2.9 billion in 2023 (FBI IC3 2023 Annual Report).
Synthetic business identity. A fraudster constructs a partially fictitious business identity by blending a real EIN with fabricated officer names or addresses — a business-sector analog to synthetic identity theft in consumer contexts. This variant is particularly difficult to detect because the EIN itself resolves correctly in IRS and credit bureau queries.
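For the vendor and invoice fraud scenario above, an accounts payable team can screen the sender domain of any payment-change request against its list of vetted suppliers. The following is an added example, not code from the FBI, FTC or any tool named on this page; the vendor domains, the confusable-character table and the distance threshold are constructed assumptions.

```python
import unicodedata

# Constructed allow-list of supplier domains already vetted by accounts payable.
KNOWN_VENDOR_DOMAINS = {"acme-supply.example", "northwind-parts.example"}
# Common visual substitutions (illustrative, not exhaustive).
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("5", "s"))

def skeleton(domain):
    """Lowercase, decode punycode, strip accents and fold look-alike characters."""
    d = domain.strip().lower().rstrip(".")
    try:
        d = d.encode("ascii").decode("idna")  # xn-- labels to Unicode
    except UnicodeError:
        pass  # already Unicode, or not valid IDNA: compare as given
    d = unicodedata.normalize("NFKD", d)
    d = "".join(c for c in d if not unicodedata.combining(c))
    for src, dst in CONFUSABLES:
        d = d.replace(src, dst)
    return d

def edit_distance(a, b):
    """Levenshtein distance computed with two rolling rows."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(address, max_distance=2):
    """Return (verdict, matched_vendor) for the domain of an invoice sender."""
    domain = address.rsplit("@", 1)[-1].strip(" >").lower().rstrip(".")
    if domain in KNOWN_VENDOR_DOMAINS:
        return ("known", domain)
    skel = skeleton(domain)
    for vendor in sorted(KNOWN_VENDOR_DOMAINS):
        v = skeleton(vendor)
        name = v.split(".")[0]  # assumes list entries look like name.tld
        # Near-identical spelling, or the vendor's name reused under another domain.
        if edit_distance(skel, v) <= max_distance or name in skel.split("."):
            return ("lookalike", vendor)
    return ("unknown", None)

if __name__ == "__main__":
    for sender in ("ap@acme-supply.example", "billing@acrne-supply.example"):
        print(sender, classify_sender(sender))
```

A "lookalike" verdict is a reason to confirm the request through contact details already on file for the supplier; a "known" verdict only shows the domain matches, since a spoofed or compromised mailbox will also pass this check.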
Decision boundaries
Distinguishing business identity theft from adjacent fraud categories requires attention to the primary credential compromised and the legal entity status of the victim.
| Scenario | Primary victim | Primary credential | Classification |
|---|---|---|---|
| Employee uses company EIN to file personal refund | Legal entity (company) | EIN | Business identity theft |
| Fraudster opens credit card in owner's name for business use | Individual | SSN | Personal identity theft |
| Attacker alters state filing to change ownership | Legal entity | Registration record | Business identity theft |
| Contractor submits fake invoices using real vendor name | Third parties / company | Brand / bank account | Business email compromise |
| Fraudster steals owner's SSN and EIN simultaneously | Individual + entity | SSN + EIN | Combined personal/business |
The distinction matters for reporting and remediation. Personal identity theft proceeds through the FTC's IdentityTheft.gov system and the identity theft reporting steps established under federal consumer protection frameworks. Business identity theft requires separate reporting to the IRS via Form 14039-B, notification to the relevant Secretary of State, and engagement with business credit bureaus independently — no single federal portal consolidates the business remediation pathway in the same manner as IdentityTheft.gov does for consumers.
For businesses that also experience compromise of an owner's personal SSN, the remediation tracks must run in parallel: the personal track through IdentityTheft.gov and the credit freeze and fraud alert mechanisms, and the business track through IRS and state registry channels. The data breach and identity theft overlap is also relevant when business credentials are exposed through a third-party vendor breach, triggering both notification obligations under state breach laws and internal fraud remediation steps.
Sole proprietorships occupy a boundary case: because a sole proprietor's EIN and SSN are often used interchangeably by lenders and vendors, compromise of either credential can implicate both the personal and business identity simultaneously. The IRS distinguishes these cases procedurally but acknowledges the overlap in its guidance for sole proprietors filing under Schedule C.
References
- IRS Business Identity Theft – Form 14039-B and Program Overview
- Federal Trade Commission – Business Identity Theft Guidance
- FBI Internet Crime Complaint Center (IC3) – 2023 Annual Report
- Fair Credit Reporting Act – 15 U.S.C. § 1681 (GovInfo)
- IRS Tax Exempt Organization Search (EIN public disclosure)
- FTC Consumer Sentinel Network Data Reports
- FBI IC3 – Business Email Compromise Public Service Announcement