The first clue is usually boring.
A tax refund check never arrives. A state business-registry email says “access granted,” but no one at the company requested access. A bank fraud department calls about a business account the company never opened. A vendor asks whether “the new contact” is authorized to change payment instructions.
Individually, each signal looks like administrative static. Together, they point to a growing problem: someone has stolen the company’s identity and is using government records, tax credentials, bank onboarding, and ordinary business paperwork to make the fraud look legitimate.
This is not just business email compromise with a new label. It is corporate-record hijacking. The fraudster does not need to hack the company’s ERP system or empty a payroll account on day one. The fraudster needs a public record that says the impostor is in charge, an EIN confirmation that appears to match, and an institution willing to treat internally consistent paperwork as proof of authority.
The issue is so significant that several attorneys general have issued Business Identity Theft Alerts to reach a broader audience. Ohio and Colorado maintain business identity theft resources that focus on monitoring public records, business credit, and registry notifications. The reason is simple: the scheme is mechanical and repeatable. But this also means it follows a predictable pattern that can be anticipated, detected, and unwound through a defined sequence of actions.
How the Scheme Works
Business identity theft of this kind is not a single act. Think of the fraud as a five-link chain. Not every case contains every link, and the order can vary, but the pattern is consistent enough to build a prevention and response playbook around it. Understanding the chain is key to both prevention and remediation because each link is a point to intervene.
Step 1: Portal Access or Registry Leverage
Most states have moved corporate filings to online business registries. Many of these systems allow a user to request “access” to an existing entity’s record, with notice sent to the entity’s registered agent or email of record. The attacker requests access to the target company. Depending on the state’s controls, access may be granted with little more than the request itself. The legitimate company often receives an automated “access granted” notification, which, if it is read and understood, is the single best early warning the scheme generates.
Step 2: The Unauthorized Filing (Usually a Fraudulent Amended Filing)
Once the impostor has access or a filing path, the next move is to file an amended annual report, address change, registered-agent change, officer change, or statement of information that removes the company’s real officers, directors, and registered agent and substitutes the attacker (or a straw name). The state, having no independent way to know the filer is an impostor, accepts it, and the banks, vendors, and credit bureaus downstream will rely on what the state record now says. The attacker now holds a state-issued document that appears to show they control the company. This is the linchpin: it is the credential every downstream institution will rely on.
Step 3: The EIN or Tax-Account Move
The attacker may apply for a new EIN in the company’s name, misuse the company’s existing EIN, or change the business address or responsible-party information associated with the IRS account. EINs are free and, when approved through the IRS online process, can be issued immediately. That speed is useful for legitimate businesses and useful for impostors.
Counsel should distinguish three different facts: (1) whether a new EIN was fraudulently obtained, (2) whether the existing EIN was misused, and (3) whether the company’s address or responsible-party information was changed. Those facts drive different IRS, banking, and recovery steps.
Step 4: The Bank, Vendor, or Credit Account
With the state filing and the IRS EIN letter, the impostor opens a business bank account in the company’s name at an institution where the company has no existing relationship, or uses the same paperwork to seek credit, change a vendor profile, or add a new “authorized” contact. The banking institution’s file looks fine: state record, EIN letter, matching address, and a person represented as an officer.
Therein lies the danger. The fraud is not built on obviously fake paperwork. It is built on paperwork that became fake because the upstream record was corrupted.
Step 5: The Money Leaves
The account exists to receive funds. In the cases now flooding federal dockets, the deposited instrument is frequently a stolen U.S. Treasury check, a tax refund, an Employee Retention Credit payment, or a vendor payment payable to a business whose name the attacker has taken over, or to the company itself. A check payable to the company, or to “United States Treasury,” is deposited into the fraudulent account and quickly withdrawn or transferred.
A crucial variation matters enormously for the remediation analysis: sometimes the deposited check actually belongs to the victim company. The most painful version is when the company is legitimately owed a federal tax refund, the IRS issues the check, the attacker intercepts it (often by also changing the company’s address of record with the IRS), and deposits it into the fraudulent account. In that scenario, the company is out of its own money and must recover it, a different posture from the case where the company’s name was merely borrowed to cash a third party’s stolen check.
The Address Change
The schemes that do the most damage usually involve a parallel attack on the company’s address of record, with the state, with the IRS, or both. If the attacker can redirect official mail, they can intercept the very instruments and notices that would otherwise tip off the company. An undeliverable refund, a notice of address change the company never requested, or correspondence that stops arriving are all signals that the address of record has been compromised. Counsel should treat any unexplained change in the cadence of expected government mail as a potential indicator, not a clerical hiccup.
What Impacts Response Strategy
Early in the matter, separate the facts into two buckets:
- The company’s own money was stolen. Examples include a legitimate federal refund, customer payment, insurance payment, or vendor receivable that belonged to the company but was intercepted or deposited into an impostor account.
- The company’s identity was used as a vehicle. Examples include a third party’s stolen Treasury check or fraudulent credit account routed through a bank account opened in the company’s name.
The distinction matters. In the first bucket, the company is pursuing its own money. In the second, it is also cleaning up reputational, tax, credit, and possible law-enforcement exposure from being used as the false front. The preservation letters, bank demands, insurance notices, and agency reports should say which bucket applies and should not blur the two.
The Early Warning Signs: Training Clients to See It Coming
The scheme generates signals at almost every link. The problem is that each signal, viewed alone, is easy to dismiss. The advisor’s job is to teach clients that these are not isolated curiosities; they are the smoke from a specific fire. The signals worth flagging include:
- An “access granted,” “user added,” or “filing submitted” notification from the Secretary of State or state business registry that no one at the company initiated.
- A change to officers, directors, registered agent, or principal address on the company’s public registry profile that the company did not make. Pulling the public record and reading it is free.
- A notice from the IRS confirming an address change, an EIN assignment, or a tax filing the company did not submit.
- Government or vendor mail that should be arriving but isn’t, or a refund or payment returned as undeliverable.
- A call from a bank’s fraud department about an account the company does not recognize.
- A vendor, customer, or credit counterparty referencing a transaction, application, or “new contact” at the company that no one recognizes.
- An unexplained change in the company’s business credit profile (Dun & Bradstreet, Experian Business, Equifax Business), such as a new principal, a new address, a new tradeline, or a sudden inquiry.
The single most valuable habit a company can adopt is to periodically pull and review its own state registry record and its business credit profiles.
Several states now recommend checking the registry at least quarterly. It costs nothing and converts an invisible compromise into a visible one within weeks, not months.
Defensive Measures Every Business Should Have in Place
Prevention here is mostly about controlling two things: (1) who can change the company’s records, and (2) who finds out when a change is attempted. Practical measures clients should implement:
- Assign an owner for entity records. Someone should be responsible for every state registration, annual report, registered-agent relationship, portal login, and renewal calendar. “Legal handles that” is not a control unless a named person actually handles it.
- Use registry notifications. Enroll in available Secretary of State or corporations-division filing alerts in every state where the company is formed or qualified. Some states offer filing notification systems, watchlists, or email alerts. Use them.
- Review public records quarterly. Pull the company profile in each state and confirm entity name, status, registered agent, officers/managers, principal office, mailing address, and recent filings. Michigan’s recent alert recommended checking portal files at least once every three months; that cadence is a useful baseline even outside Michigan.
- Harden portal credentials. Use unique credentials, multi-factor authentication, and a small list of authorized users for state registry and tax portals. Treat these logins like banking credentials because a corrupted filing can become a banking credential.
- Control the registered agent and email of record. Automated notices only help when they go to a monitored inbox. Do not let a defunct employee email or unused registered-agent address become the only tripwire.
- Monitor tax-account signals. Keep business address and responsible-party information current with the IRS, and treat Form 8822-B confirmations or unexpected EIN correspondence as significant. If the company receives an EIN notice for an EIN it did not request, escalate immediately.
- Watch business credit and UCC records. Monitor Dun & Bradstreet, Experian Business, Equifax Business, and UCC filings where appropriate. Business-credit cleanup is not as consumer-friendly as personal-credit cleanup, so speed and documentation matter.
- Build out-of-band verification into bank and vendor changes. Require callback verification through known-good contacts before changing signers, addresses, account ownership, ACH instructions, wire instructions, or vendor master data.
- Train the human sensors. The accounting clerk who notices a missing refund, the office manager who sees a registry email, and the controller who gets an odd bank call are the early-warning system. They need to know whom to tell.
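The quarterly review above (entity name, status, registered agent, officers, addresses, recent filings) is easiest to keep honest if the company stores a signed-off baseline of its public profile and diffs each fresh pull against it. The script below is an added example, not code from the article or from any state registry: the record layout (the dictionary keys), the company names, officers, filing IDs, and the `company_filed` log of the company’s own submissions are all constructed for illustration, and a real registry pull would first have to be mapped into this shape. It flags any change to a control field, any officer added or removed, and any filing the company did not itself submit, treating amendment-type filings as critical.

```python
# Registry-record drift check. Added example, not from the article.
# The record layout below is an assumption; map a real state pull into it first.
from dataclasses import dataclass


def _norm(value: str) -> str:
    """Collapse whitespace and case so cosmetic edits neither mask nor fake a change."""
    return " ".join(str(value).split()).casefold()


@dataclass(frozen=True)
class Finding:
    field: str
    severity: str  # "critical": the record now points authority or mail elsewhere
    detail: str


# Fields whose change redirects authority or official mail (Steps 1-2, address attack).
CONTROL_FIELDS = ("entity_name", "status", "registered_agent",
                  "principal_office", "mailing_address", "email_of_record")
# Filing types the article identifies as the attacker's linchpin.
AMENDMENT_TYPES = {"amended annual report", "statement of information",
                   "change of registered agent", "change of address", "officer change"}


def compare_records(baseline: dict, current: dict, company_filed: set[str]) -> list[Finding]:
    """Diff the signed-off baseline against a fresh public pull.

    company_filed: IDs of filings the company itself submitted since the baseline
    (from its internal entity-records log), so legitimate filings are not flagged.
    """
    findings: list[Finding] = []
    for field in CONTROL_FIELDS:
        old, new = baseline.get(field, ""), current.get(field, "")
        if _norm(old) != _norm(new):
            findings.append(Finding(field, "critical", f"{old!r} -> {new!r}"))

    old_officers = {(_norm(o["name"]), _norm(o["title"])) for o in baseline["officers"]}
    new_officers = {(_norm(o["name"]), _norm(o["title"])) for o in current["officers"]}
    for name, title in sorted(new_officers - old_officers):
        findings.append(Finding("officers", "critical", f"added {name} ({title})"))
    for name, title in sorted(old_officers - new_officers):
        findings.append(Finding("officers", "critical", f"removed {name} ({title})"))

    known = {f["id"] for f in baseline["filings"]} | company_filed
    for filing in current["filings"]:
        if filing["id"] in known:
            continue
        severity = "critical" if _norm(filing["type"]) in AMENDMENT_TYPES else "warning"
        findings.append(Finding("filings", severity,
                                f"unexplained {filing['type']} {filing['id']} filed {filing['date']}"))
    return findings


def needs_escalation(findings: list[Finding]) -> bool:
    """Any critical finding means the public record no longer matches who runs the company."""
    return any(f.severity == "critical" for f in findings)


# Constructed sample records (hypothetical company, not real filings).
BASELINE = {
    "entity_name": "Example Widgets, Inc.",
    "status": "Active",
    "registered_agent": "Example Registered Agents LLC",
    "principal_office": "100 Main St, Springfield",
    "mailing_address": "100 Main St, Springfield",
    "email_of_record": "entity-records@example.com",
    "officers": [{"name": "Jane Doe", "title": "President"},
                 {"name": "John Roe", "title": "Secretary"}],
    "filings": [{"id": "2023-000077", "type": "Annual Report", "date": "2023-03-01"}],
}
CURRENT_PULL = {
    "entity_name": "Example Widgets, Inc.",
    "status": "Active",
    "registered_agent": "Quick Agent Services",          # changed by the impostor
    "principal_office": "100 Main St, Springfield",
    "mailing_address": "PO Box 999, Elsewhere",           # mail now redirected
    "email_of_record": "records.examplewidgets@mail.example",
    "officers": [{"name": "M. Straw", "title": "President"},  # Jane Doe removed
                 {"name": "John Roe", "title": "Secretary"}],
    "filings": [{"id": "2023-000077", "type": "Annual Report", "date": "2023-03-01"},
                {"id": "2024-000101", "type": "Annual Report", "date": "2024-03-02"},
                {"id": "2024-000123", "type": "Amended Annual Report", "date": "2024-05-14"}],
}
COMPANY_FILED = {"2024-000101"}  # the company's own annual report, logged internally

if __name__ == "__main__":
    for f in compare_records(BASELINE, CURRENT_PULL, COMPANY_FILED):
        print(f"[{f.severity}] {f.field}: {f.detail}")
```

Run against the constructed records, the check reports the registered-agent, mailing-address, and email-of-record changes, the swapped president, and the unexplained amended annual report, and leaves the company’s own 2024 annual report alone. The internal log of company-submitted filings is what makes the diff useful: without it, every legitimate filing is noise and the critical one gets lost.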
What to Do When a Client Is Targeted
When the call comes, speed and sequence matter. The fraud is often still in motion, evidence is perishable, and several deadlines start running on discovery. The following is the working sequence I use; adapt it to the facts and jurisdiction.
- Stabilize the state record. Contact the Secretary of State’s corporations division immediately. File a corrective or restated filing that removes the fraudulent officers and reinstates the legitimate ones, supported by an affidavit of unauthorized filing. Reset portal credentials, verify the registered agent and email, enable MFA, and ask the state to flag the fraudulent filing and preserve access logs, IP addresses, and user identifiers for law enforcement. If the company is registered in more than one state, check each state.
- Issue a litigation hold and preserve evidence. Internally, suspend auto-deletion and log rotation; preserve the registry notification email with full headers; capture the public registry record before and after the fraudulent filing; and image the accounts most likely to have been targeted. The compromise vector is frequently a phished or socially engineered credential, so security logs (MFA, single sign-on, email gateway) are central evidence and often sit on short retention cycles.
- Address the bank. Put the depository institution on written notice that an impostor opened the account, disclaim the company’s ownership of the account and any funds moving through it, and demand the account-opening records. In identity-theft cases, the records request can be framed under the Fair Credit Reporting Act’s victim-records provision. Be prepared for the institution to question whether the provision reaches business victims, and have a fallback (a standard preservation-and-records demand, and ultimately a law-enforcement subpoena) ready. Where a check was deposited over a forged or missing payee endorsement, preserve the company’s conversion and warranty theories.
- Report to the right agencies, each of which opens a different lane. Treasury-check fraud is the U.S. Secret Service’s core jurisdiction; IRS-issued refunds also implicate the Treasury Inspector General for Tax Administration; cyber and wire elements go to the FBI’s Internet Crime Complaint Center; business identity theft is reported to the IRS on Form 14039-B; and a report filed with the FTC at ftc.gov generates a record some institutions require. Add the state attorney general’s consumer protection division and local law enforcement. Keep a log of every report and its reference number; downstream institutions will ask for them.
Note that if someone used the company’s name or EIN to submit fraudulent tax returns or Forms W-2, the IRS directs businesses to Form 14039-B, Business Identity Theft Affidavit. If the issue is a missing or stolen refund, Form 3911 may be part of the refund-trace process. If the address or responsible party was changed, Form 8822-B and direct IRS contact may be needed to correct the account.
- Separate the tax dollars from the recovery dollars. If the scheme involved a tax payment or refund, resist the instinct to conflate the company’s tax obligation with its recovery of stolen funds. They are distinct. An obligation the company actually owes the government must be funded to stop penalties and interest from accruing; an extension to file is not an extension to pay; and statutory interest is effectively non-abatable even when a penalty later is. Recovery of a stolen refund check runs on a separate track through the IRS refund-trace and Treasury forged-endorsement claim process (Form 3911, followed by the Bureau of the Fiscal Service’s claim package), backed by the Check Forgery Insurance Fund, and in parallel through civil claims against the depository bank. Pay what is owed; recover what was taken; do not assume the recovery will satisfy the obligation.
- Watch the payment designation. A subtle trap: if a client makes a payment intended to satisfy a tax liability, but it posts to the wrong period or is otherwise refunded, the liability remains unpaid, and the penalty clock keeps running, and the refunded money becomes the next thing the attacker tries to steal. Coordinate with the client’s tax preparer to confirm that any payment is designated so it is held and applied to the intended liability rather than kicked back out.
- Protect the business credit profile. The fraudulent state filing often propagates automatically into the company’s commercial credit file. Pull the Dun & Bradstreet, Experian Business, and Equifax Business profiles, dispute the corrupted data, and, critically, displace any impostor who has registered as the company’s contact or “registered company officer” with the bureau, because the bureau will otherwise validate the attacker’s future changes. Demand the suspension of automated ingestion of the fraudulent state filing until the company confirms the record. Because business-credit reporting sits largely outside the FCRA, preserve common-law and statutory theories (defamation, state identity-theft statutes, Lanham Act false-association) in early correspondence in case the bureau is unresponsive.
- Tender to insurance early. Cyber and commercial-crime policies frequently respond to computer fraud, funds-transfer fraud, forgery, and social-engineering losses, as well as breach-response costs. Notice windows are short, and many policies require carrier consent before counsel or forensic vendors are engaged. Tender promptly, map the potentially triggered coverage parts, and request the carrier’s position on retaining existing counsel.
- Manage the address of record. Re-establish and verify the company’s address with the state and the IRS, obtain proof, and consider locks to prevent unverified changes. Direct any replacement refund to a verified address or, better, by direct deposit. If the address was the interception point, fixing it is what stops the bleeding.
- Keep the file organized for a multi-front matter. This is not a single matter; it is a cluster of corporate, tax, banking, commercial credit, insurance, and criminal referral workstreams running at once, each with its own deadlines and reference numbers. A master index and a reference-number tracker are not housekeeping niceties here; they are how you keep the case from fracturing.
Why this Matters for any Law Practice
Two features of this scheme make it a distinctly lawyer-shaped problem. First, it crosses domains that are usually handled by different specialists — corporate filings, tax procedure, the UCC, consumer- and commercial-credit law, insurance coverage, and criminal referral — and the client needs someone to hold the whole picture and sequence the response. Second, almost every step has a deadline or a perishable-evidence problem behind it: reclamation windows, statement-examination periods, insurance notice provisions, log-retention cycles. Acting fast and in the right order is most of the value an advisor adds.
The reassuring part is that the scheme’s mechanical nature cuts both ways. Because it follows a pattern, a prepared advisor can move quickly through a known sequence, intervene at each link the attacker built, and reassemble the client. The clients who fare best are those who were taught to read the warning signs and had a lawyer ready to run the playbook the day the call came.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.