Protect my Business from Identity Theft
What Is Business Identity Theft?
Business identity theft occurs when someone uses your business’s Employer Identification Number (EIN), business name, or other identifying details—without authorization—to commit fraud, typically tax-related. Criminals may file fake returns claiming refundable credits or wages, open unauthorized business lines of credit, or even impersonate your company to file Forms W‑2/1099. According to the IRS, these fraudsters “may steal sensitive information to file a fraudulent tax return for a refund or to commit other crimes”.
This type of theft is more complex than individual fraud. Warning signs include:
- An e‑filed return is rejected because a return has already been filed under your EIN.
- Receiving IRS notices about W‑2s or refunds you didn’t file.
- Unexpected IRS transcripts or letters, such as Letter 6042C or 5263C.
- Your business address changed in IRS records without your involvement.
Beyond taxes, business identity theft may also involve:
- Unauthorized credit card or credit lines opened in your business’s name.
- Strange entries on business credit reports.
- Unrecognized account withdrawals or expenses.
- Disappearing mail or bogus invoices.
The consequences can be severe: cash flow disruption, damage to credit and credibility, time-consuming investigations, and potential legal liability.
How to Report Business Identity Theft
If you suspect your business has been targeted, taking immediate action is crucial.
1. Notify the IRS
If your business experiences one of the following, it’s time to act:
- A return was rejected because one was already filed for the period.
- A return was filed under your EIN that you didn’t file.
- A W‑2 was filed on behalf of your employees without your input.
- A tax balance due notice for taxes you don’t owe was received.
To report this, complete and submit IRS Form 14039‑B, Business Identity Theft Affidavit. If you received an IRS notice, attach the form to it and follow the submission instructions. Otherwise, mail it to the IRS Ogden, Utah, office or fax it to 855‑807‑5720. In urgent cases, you can also schedule an appointment at an IRS Taxpayer Assistance Center.
2. Alert Payroll and HR Teams
If sensitive employee data—like W‑2s or SSNs—was exposed, report it immediately:
- Email [email protected] with the subject “W2 Data Loss,” including the business name, EIN, contact info, incident summary, and number of employees affected.
- Notify employees promptly and guide them to file credit freezes, fraud alerts, and FTC reports via IdentityTheft.gov. Provide them with IRS Publication 4524 and the FTC’s Data Breach Response Guide.
3. Contact Federal and Local Authorities
- Notify your local police department as prompted by IRS guidance.
- If credit fraud—not tax fraud—is involved, report to the FTC and consider placing a business-wide fraud alert.
How to Prevent Business Identity Theft
Prevention is the most effective way to protect your business. Here’s a best-practices checklist based on IRS and FTC guidance.
Build a Cybersecurity Foundation
- Install and update anti-virus/anti-malware software on all devices (computers, phones, routers).
- Use firewalls and segment your network to control who can access what.
- Require strong, unique passphrases of at least 12 characters, and use a password manager.
- Enable multi-factor authentication (MFA) with an authenticator app wherever possible.
- Encrypt sensitive emails and files.
- Back up data regularly to an offline storage device.
- Physically destroy old hard drives and devices.
- Ensure data entry only occurs on secure “https://” sites.
- Limit access to sensitive data to employees who genuinely need it.
Train Your Team
Human error is often the weakest link:
- Train employees to recognize phishing, spear-phishing, and business email compromise scams in which the sender poses as an executive requesting W‑2 data.
- Stress that any request for sensitive data must be verified through an independent channel, never via forwarded email.
- Share the Red Flags Rule framework with employees so they can spot warning signs, such as unusual account activity, mismatched documents, address changes, or alerts from relevant agencies.
Develop a Data Security Plan
Formalizing policies enhances resilience:
- Adopt a data security plan based on IRS Publication 4557 or NIST’s Small Business Fundamentals.
- Regularly review and update the plan, especially after staff turnover, acquisitions, or IT changes.
- Conduct periodic audits and mock phishing drills.
- Maintain incident response protocols with clear escalation procedures.
Breach Alert & Data Subscriptions
Convenient, comprehensive source for data breach information.
The ITRC maintains the most comprehensive repository of publicly reported, U.S.-based data breaches from credible sources. Data is offered on a batch or subscription basis for one to three-year terms. Our services are designed to support organizations that require breach information for research, planning, trend analysis, vendor and partner due diligence, compliance, and alert services. Breach Alerts keep you informed of data breaches at vendors in your supply chain to comply with state and federal laws and regulations as well as company policies.
Plans to protect your business:
Comprehensive data for business planning and due diligence.
- Attack Vector
- Attack Vector Details
- Breach Information Sources (#1-10)
- Compromise Impacts Third-Parties/Supply Chains
- Created Date
- Data Attributes
- Data Exposed/Breached
- Date Breach Discovered
- Date Breach/Exposure Reported
- Date of Breach
- Date Updated (If Applicable)
- Entity Name
- Entity Website
- HQ State
- Identity Theft Protection Company
- Identity Theft Protection Offered
- Industry
- Internal Comments
- Nonsensitive Records Count
- Nonsensitive Records Exposed
- Number of Individuals Impacted
- Publicly Traded
- Sector
- Sensitive Records Count
- Sensitive Records Exposed
- SIC Code
- Source Types (#1-10)
- States With Notices Filed
- Threat Actor
- Ticker Symbol
- Total Records Breached or Exposed
- Unknown Records Exposed
Custom reports sent straight to your inbox.
- Reports sent right to your inbox!
- Monthly updates throughout the year.
What to Do If You Become a Victim
If prevention fails, it’s important to act fast:
- File Form 14039‑B with the IRS promptly.
- Contact the IRS Identity Theft Victim Assistance Unit by calling the number listed on IRS notices.
- File a police report with law enforcement.
- Review all financial statements and tax filings for signs of fraud.
- Notify credit bureaus to place fraud alerts.
- Notify employees—provide resources and encourage individual monitoring.
- Report breaches to state regulators and comply with breach notification laws (e.g., the FTC Red Flags Rule).
- Remediate vulnerabilities found during the breach.
Within 120 to 582 days, the IRS may place an identity-theft indicator on your account and issue an Identity Protection PIN to block further fraudulent filings.
Tier II Contact Center Services
Low-cost, escalation services with highly specialized and trauma-informed advisors.
- Personalized remediation plans for victims
- Helps customers discover additional compromises
- Volume-based pricing and metric-based reporting, including case tracking
- Live phone, live chat, text-to-chat
- No call time limit
- Custom training
Contact Center Training Certificate
Trauma-informed and culturally aware support services to help organizations address the unique issues experienced by victims of identity crimes.
The ITRC’s new Contact Center Training Certificate Program provides customer-facing staff with the tools and skills needed to help your customer or prospect who is an identity crime victim in a supportive and effective way.
- Team members who complete the ITRC training receive a designation as a Certified Identity Recovery Specialist.
- ITRC training material is continuously updated based on our daily interaction with identity crime victims; emerging threat and trend bulletins are also available.
- Curriculum includes extensive material not covered by competing products, including trauma, professional standards and expectations, and working with specialty populations.
- Training is available online, hybrid, or on-premises.
Custom Research & Education
Programs and initiatives tailored to address identity fraud through collaboration with businesses, academia, and government agencies
- Research & Reports
- Education & Presentations
- Outreach & Support Opportunities
Conferences
Intimate ITRC gathering of senior local, state, and federal agency leaders, along with industry and non-profit executives
The ITRC gathering of senior local, state, and federal agency leaders, along with industry and non-profit executives, seeks actionable solutions to help prevent, respond to, and recover from identity misuse. Recognized experts and thought leaders share their knowledge and experiences in general sessions and in small group discussions.
The Identivation Conference is limited to 150 invitation-only attendees. There is no fee to attend, but attendees are responsible for their hotel and transportation. For more information about the 2026 Identivation Conference or to reserve your support package, click “Get Started” and fill out the form.
Partner with the ITRC
Business identity theft can have far-reaching consequences, including lost time, stolen money, and damaged reputation. But with vigilance, solid systems, innovative training, and trusted partners, your company can withstand and recover from even the most insidious attacks.
The Identity Theft Resource Center is ready to provide free assistance tailored to businesses. Protect your livelihood, your employees, and your future. Reach out to the ITRC now if you suspect or have been a victim of business identity theft.