How to prevent identity theft with six best practices for businesses

November 24, 2020

Identity theft occurs when a criminal uses an individual’s personal information to impersonate them, usually for financial gain. They may drain the victim’s existing bank accounts, open new credit lines in their name, access medical treatments, commit tax fraud, and more. In worst-case scenarios, they might even commit serious crimes under the victim’s name.

In a recent interview with PYMNTS on identity fraud, Chief Technology Officer of Mitek Stephen Ritter said that “it’s unfortunately very common that the fraudsters take advantage of moments of weakness. They try to achieve what they want to achieve when people are distracted. [Consumers] are more worried about their health than they are vigilant about the emails they read and the links they might click.”

Fortunately, there are plenty of ways to prevent identity theft from occurring in your business. Some of them are as simple as training your employees, while some require more inspection and evaluation, such as thoroughly vetting your vendors. Following all the best practices will help you keep your customers’ information safe and avoid falling prey to an identity thief. It’s part of the foundation for attracting new customers and retaining them.

Below you’ll find six of the best ways to help your business avoid becoming a victim of identity theft, and thus, help you create an identity theft protection program for your customers’ sensitive information. Read on for more. 

Increase awareness among your employees

Cyberattacks and data breaches often happen when employees accidentally click on suspicious links or download attachments infected with a virus. The best way to combat this is by educating your employees about the common data security threats, and training them on the best practices that will help them prevent identity fraud. In particular, employees need to be trained on how to: 

  • Encrypt sensitive data  
  • Create and store strong passwords 
  • Avoid phishing attacks  
  • Securely store data in your company’s system 

Make it mandatory that all your employees go through the training and pass some sort of quiz to demonstrate they have learned the necessary protocols. Awareness needs to be spread throughout your organization because anyone can download a virus from a suspicious email, which may lead to a data breach. Another common mistake is the assumption that a single training session about security practices is enough to equip your employees. In order for employees to remember, schedule regular refreshers. 

Simulate cyberattacks

Educating your employees about threats and best practices is often not enough. It is important for your employees to be able to recognize the signs of a cyberattack – especially a phishing scam. Identity thieves are getting more sophisticated and their phishing attempts are becoming more believable as time passes.  

The best way to combat this and train your employees to recognize such attempts is to simulate phishing attempts. There are free and paid phishing simulators that you can use to send phishing emails to your employees. Regular simulations will help train them to detect fraudulent activity or suspicious emails. You’ll be able to find the knowledge gaps to make your company more secure. After all, employees are said to be the weakest link in your security chain. 

Conduct background checks on employees and vendors

No amount of training will have any effect if your employees themselves are fraudulent. So, especially when hiring employees who will have access to sensitive data, making the right hiring decision is essential. In general, conducting basic background checks on all candidates is a good practice for all businesses. But when you’re hiring people for roles dealing with sensitive customer or financial information, or who will be handling the finances of your business, a more rigorous background check is needed. 

One way to start the background check is to use a digital identity verification check, such as taking a picture of an identity document. In an era where many employees may be starting work in a remote setting, there are unique technology solutions available: a new employee can take a picture of an identity document as well as a selfie for biometric comparison to confirm they are, in fact, who they say they are. In addition, the same technology that helps validate that the supplied identity document is not forged can also compare it to the information entered into the form.

Employees are not the only people who need to be vetted – almost every company does business with third-party vendors. From people who deliver office supplies to third-party IT vendors, many people external to the company have access to the premises and sensitive data. And just like new employees, there is potential that they could be fraudulent or engage in suspicious activity. So, it’s important to vet them well. It can be time-consuming and delay business transactions, but it’s better to take precautions than risk a data breach.

Have strong cybersecurity practices in place

A good way to prevent your customers’ identities from being stolen is to institute good cybersecurity practices. These include, at a minimum:

  • Using a firewall and antivirus / anti-malware software
  • Using strong passwords and changing them regularly
  • Encrypting your data

The level of data security required will differ between businesses, so there might be additional practices to consider.

Another crucial security practice for all types of businesses is to keep all your software updated at all times. If possible, enable the auto-update feature available from the vendor, so that updates happen as soon as they come out. For security systems that don’t have the auto-update feature, set up a regular updating schedule. For an additional level of security, use a secure private network for communications inside the company. 

Limit access to sensitive data

Employees are vulnerable to threats for several reasons, including:

  • Human error (e.g. downloading an official-looking attachment that contains a virus)
  • Weak passwords and never changing their passwords 
  • Negligence  

Training and educating employees helps reduce errors, but the risk is still there. To reduce the chances of attack even further, or curtail its effects, it’s best to limit employee access to sensitive data. For example, this practice could have helped Twitter following a large breach of sensitive information after it was uncovered that hundreds of employees had open access to it without proper clearance. 

Allow your employees to only access data they need to do their jobs effectively, and nothing more. Placing such limits narrows down the pool of employees who could accidentally enable identity theft by clicking on a harmful link.  

Furthermore, a great way to protect everyone against suspicious email attachments and phishing attacks is to use your private network to limit the websites that employees can visit while using your company’s devices. Better still, partition your data so that, even if one employee falls victim to a scam, the data breach does not spread to the entire company’s systems. 

Have a strong and transparent privacy policy

Taking steps to avoid becoming an identity theft victim is essential, but not always something a company takes into consideration. "I’ve found a surprising amount of companies people interact with every day don’t provide clear communication or guiding information on biometric security," writes Head of Strategy at Mitek Joe Bloemendaal.

Informing your customers about security steps is important. Draft a strong privacy policy and display it prominently on your website. The privacy policy should let customers know exactly what information you’re collecting from them, how you’re using it, and what you’re doing to keep that information safe. Make it clear and to the point. Don’t include unnecessary details or complicated jargon which will make your customers avoid reading it. 

In a recent study conducted in partnership with, Mitek found that consumers overall were more confident engaging with and providing information necessary for account openings to companies that were up-front and center about “why they needed the information.” For instance, up to 60% of consumers were more likely to provide information to a company they were onboarding with if the company explained their information wouldn’t get passed to third parties. 

During the various touch points of your customer’s experience with your company, be upfront about what data you require from them and why. Where possible, give them the option of opting out of sharing their data with your company. It’s also good to keep your customers updated about your security practices, to reassure them that you’re taking good care of their private data. 

Measures to prevent identity theft are worth the cost

Business identity theft is a serious problem that is, unfortunately, often overlooked. It is a mistake to assume that your business is too small to be a target for identity thieves, or that because the company is so large, it must already have all the necessary security measures in place.

The best way to safeguard your company and customers from becoming victims of identity fraud is to stay on top of the latest threats and how best to tackle them. If you follow the tips given above, as well as learn about authentication vs. verification, it will greatly reduce your odds of falling victim to an identity theft cyberattack. Some of these measures might be cumbersome to implement, but it’s always better to be safe than sorry. The consequences of an attack will go far beyond any budget value to your company, so it’s necessary to always be on identity theft fraud alert.
