Skip to main content

How to Combat State Business Registrar Fraud Risk

State business registrar leaders need high assurance unknown internet users match submitted registration information. Unfortunately, registrars face challenges due to widespread availability of stolen identity information — putting their organizations and constituents at high risk of fraud.

Many business registrars don’t have a dedicated fraud department, role or expert. They instead rely on technology partners supporting their missions for strong customer experiences — ideally while emphasizing friction-right fraud detection capabilities.

How can business registrars assess fraud risk?

When you combine the convenience of the internet, increased availability of stolen and easily fabricated identity information and lack of fraud controls, it creates an environment primed for fraudsters to cause irreversible harm to business registrars, constituents and more. But often, existing first-party data (data provided by applicants) can be critical in taking a first step to analyze and identify fraudsters.

 

  • Payment chargebacks: Many registrars face financial losses when fraudsters attempt to process a transaction for a business registration or alteration using a fraudulent form of payment. These payments — whether a stolen credit card or credit they do not intend to repay — are often indiscernible from legitimate users. By keeping records of personally identifiable information (PII) used in payments that result in chargebacks, you can build a database to identify high-risk transactions and better prevent fraudsters from perpetrating criminal activity against your agency again and again. It can also provide a starting point for effective investigations.
  • Suspicious banking institutions: Bank Identification Numbers (or BINs) of suspicious institutions can also flag applications or requests that may yield a higher rate of suspicious activity.
  • Known criminal associations: Agencies can retain PII, such as names, email addresses, physical addresses and phone numbers, used in the registration that are ultimately deemed to be corporate identity theft, criminal enterprises or fraudulent business fronts so the same information cannot easily be used in multiple attempts.
  • Geographic risk: Web application firewalls can help protect agencies from illegitimate web traffic initiated from abroad, such as web sessions originating from nations like Russia, China, Nigeria and others.
  • IP address risk: Agencies should monitor IP addresses associated to web sessions for any high-volume or irregular activities not otherwise associated to a known registered agent.
  • First-party data: Information like current company officers or corporate locations can be used by business registrars to help verify consumer identities.

Cybercriminals who mine, breach and collect data are skilled fraud enablers

Before exploitative information ever gets to a fraudster, it often starts with a separate criminal who’s sophisticated in mining, breaching and collecting data to broker. Criminal data brokers often participate in widespread, organized crime rings that can operate with significant resources and support. They may capitalize on data exposure that’s inadvertent or unintended to enable fraud. For example, criminals can skim the web for publicly available information, such as certificates of good standing, to capture valuable information quickly without detection.

Data breaches have also become a particularly attractive catalyst for fraud because they potentially allow criminals to use stolen identities to commit crimes at scale. TransUnion’s 2024 Omnichannel Fraud Report concluded almost 5,000 publicly disclosed data breaches took place last year, representing an historic high.

This trend was driven by a 38% year-over-year increase in third-party breaches. Data breaches are one method criminals use to collect personal information for sales on the dark web. But criminals target organizations and consumers alike to harvest identity credentials for profit.

 

Stolen identities fueled fraud risk  

  • 4,903 publicly disclosed data breaches in the US in 2023 — an historic high
  • 38% year-over-year increase in breaches of third-party services providers
  • 55% of Americans reported being targeted with online, email, phone call or text messaging fraud attempts from Sept. to Dec. 2023

Last year, more than 2 million consumers were targeted in reports of investment scams, government imposter scams and other social engineering schemes, according to the Federal Trade Commission. Malicious software and hardware, penetration testing and web scrappers are a few other methods criminals can use to amass sensitive personal information and take advantage of system vulnerabilities.

How do cybercriminals exploit account or organization access points?

  • Public records — Skim websites for publicly available information
  • Social engineering — Deceive/manipulate people for personal info (romance, imposter, grant, employment scams, etc.)
  • Value-chain attack — Accesses an entity’s network via third-party vendors or suppliers
  • Hardware attacks — Obtain data from physical locations or media, such as skimming credit card numbers at an ATM
  • First-party data breaches — External, targeted attacks using malware, penetration testing or other means; direct access by internal actor; can include inadvertent exposure

How do data breaches lead to future fraud?

Criminal outfits often seek credentials that contain robust data identity that can be used to obtain lines of credit from multiple institutions, apply for loans, enroll in government benefits like unemployment insurance or even register for a false business. Login credentials are often reused by consumers and can therefore enable unauthorized access to multiple accounts. Other types of valuable information can include:

  • Usernames and passwords
  • Personal information (such as mother’s maiden name) to bypass knowledge-based authentication (KBA) questions
  • Identity information like name, address, Social Security number
  • Medical or employment records
  • Credit card or payment information
  • Account credentials like account
    number or customer ID

TransUnion measures the ability of breaches to enable identity fraud and specifically, public sector fraud. Using a Breach Risk Score where stolen identity information had the potential to further public sector fraud, a proprietary TransUnion analysis found risk increased 73% from Q1 2020 to its highest point in Q4 2023. In the months following one of the largest attacks in recent history — the MOVEit breach which began in May 2023 — TransUnion also saw public sector customers experience consistent growth in the percentage of suspicious transactions they oversaw compared to all transactions.

Monthly Rate of Denied and Reviewed Digital Transactions in 2023

What common types of identity fraud do business registrars face?

When fraudsters purchase personal information, it can be used to perpetrate many or multiple criminal schemes.

  • False registration — Fraudulent business application using stolen or fabricated identities
  • Misrepresentation — Mischaracterization of public records like certificates of good standing or entity name
  • Registration alteration — Often perpetrated by employees, shareholders, investors or others affiliated with the company
  • Lapsed registration — Resurrection of lapsed business
  • Credit card fraud — Submitting business registration payment with an illegitimate form of payment

Stolen personal information can be used in true-name fraud — which can include business identity theft. Multiple pieces of identity information can also be used to fabricate a synthetic identity to register a fraudulent business. Further, when a fraudster submits payment for their false business registration, they may use stolen or illegitimate payment information, causing a monetary loss.

How does business identity theft enable long-term, downstream fraud?

The victims of business identity theft are widespread, including consumers, business owners, investors, employees, financial institutions and state agencies. By using a stolen or synthetic identity to apply for a business registration — or alter an existing registration — a fraudster can establish more legitimacy against a fraudulent identity to further their ability to apply for a business line of credit. They can also create shell companies that enable money laundering schemes, help conceal illegal activities from regulators or law enforcement, or falsify employment records.

Fraudulent business registration or alteration may lead to future fraud, including

  • Using business registration information or “proof of rights” to receive access to credit
  • Concealing illegal activities from regulators or law enforcement
  • Falsifying employment records to fuel unemployment insurance fraud
  • Creating shell companies to enable money laundering

How to protect business registrars from fraud?

Fraudsters use harvested information to target systems with minimal identity verification requirements. Knowing the difference between safe and risky interactions requires a holistic picture of identity to secure trust in the business registration and alteration process. A robust fraud risk assessment of digital transactions can reduce friction for legitimate business registration applicants while keeping fraudsters at bay.

A strong fraud prevention strategy starts with better signal diversity; robust, authoritative and reliable data; and intelligent, risk-based analytics and decisioning to help verify constituent identities.

Fraudsters can be distinguished from true constituents based on device reputation and insights. TransUnion, as an example, offers a global, multi-industry consortium of 6,000 fraud analysts, 10 billion+ known devices, and over 100 million detailed known fraud reports — including instances of credit card fraud, synthetic identity theft, corporate identity theft attempts and more — to distinguish risk levels associated with individual devices without additional personal information being required from the constituent.

Identity verification and device proofing is the next layer of proactive control

Industries from government to banking, travel, ecommerce and more have decades of experience using identity verification to ensure users attempting to create or access accounts or make purchases are authorized to do so.

Verifying consumer identities with confidence starts by looking at the consumer-provided personal data and comparing it against authoritative and robust data sources. In instances such as new business registration, credit reporting agencies can help confirm personal details like addresses, phone numbers and Social Security numbers. 

But in faceless digital channels, more device data can aide in determining the risk level associated with the device being used to initiate the registration or alteration request. More diverse sources of public record data can also help identify suspicious and known subjects or high-risk associations between the user and other associates.

Scalable identity and fraud risk solutions secure trust across access points

A robust fraud solution will better secure trust across the business registration lifecycle from helping mitigate new registration fraud early in the application cycle to reducing the risk of alteration for existing entities. At each point along that journey, a fraud solution that identifies and helps separate safe from risky interactions can be used to effectively mitigate fraud and reduce chargebacks, ensuring genuine consumers receive the efficient services they deserve.

When suspicious activity is identified through digital insights or an identity cannot be verified, minimal step-up challenges can be implemented. As an example, you can request knowledge-based authentication or authenticate a user’s identity via a one-time passcode (OTP) sent as a text message to a mobile device.

Unfortunately, it’s relatively simple for fraudsters to hijack one-time passcodes via SIM swap, call forwarding or unauthorized number reassignments. To help ensure one-time passcodes are delivered to constituents and not fraudsters, one may leverage authoritative phone data from direct carrier relationships to promote a higher degree of trust regarding phone ownership when using OTPs.

If a user’s identity still cannot be authenticated, document verification is a natural progression to help securely and accurately validate constituent-provided data, and reduce the risk of fraud from stolen or synthetic identities.

Identity verification and device proofing should build trust in digital channels, delivering friction-right constituent experiences

By orchestrating identity, device reputation and device insights, fraud solutions can enable trust between business registrars, their states and constituents. The results include: continued, seamless experiences for good constituents; a reduction in fraudulent registrations and fraud losses; fewer investigative resources and cycles spent fighting fraud; and enhanced, friction-right constituent experiences across channels.

Learn more about TransUnion fraud and identity solutions.

Do you have questions? Our team is ready to help.