Identity Theft and Identity Fraud

How Businesses Can Protect Themselves Against Legal, Financial, and Reputational Risks

Cybercrime is no longer confined to private individuals. Businesses are increasingly being targeted by identity theft and identity fraud – often with significant financial, legal, and reputational repercussions. As digital transformation accelerates, so does the exposure to sophisticated deception, data breaches, and fraudulent activity carried out under false identities.

Definition of Terms: Identity Theft versus Identity Fraud

  • Identity Theft
    refers to the unauthorized acquisition of personal or business-relevant data – such as information belonging to private individuals, employees, executives, or even entire corporate profiles.
  • Identity Fraud
    on the other hand, is the subsequent misuse of that information. This involves someone fraudulently presenting themselves to third parties as another person or organization, for example, to obtain orders, manipulate payment data for purchases, or gain access to systems.

What Are the Consequences of Identity Theft for Businesses?

Regardless of the industry in which a company or organization operates, the impacts of identity theft and identity fraud are often complex and far-reaching. Beyond the inherently serious issue of data theft, additional risks can arise, such as disruptions to supply chains, damage to customer relationships, complications in contract negotiations, and potential compliance violations.

Typical ID Fraud Scenarios in Companies

Unfortunately, the possibilities for misuse are as varied as the methods criminals use to obtain data. Phishing, spam SMS, and other forms of social engineering are the most common ways in which identities are stolen. The scenarios associated with identity theft and identity fraud give a sense of the scale that ID fraud can reach:

  • CEO Fraud
    In this “boss scam,” criminals pose as the CEO via email and instruct employees to, for example, transfer large sums of money to (of course) fake accounts.
  • Fake Job Applications
    The HR department can also be affected, especially when fake application documents are used to deliver malware, giving criminals access to internal networks.
  • Phishing of Employee Accounts
    Phishing is a well-known method of fraud, but the telltale signs that used to give it away have become much harder to detect. Thanks in part to AI, phishing emails have become so professional that it is easy for criminals to obtain login credentials (including those of employees) and misuse them to access company systems.
  • Deceiving Customers
    When criminals impersonate a company and use fake accounts to send fraudulent invoices to customers, this can cause significant reputational damage, especially if payments are made to fraudulent accounts that cannot be traced.
  • Attacks on Service Providers and/or Partner Companies
    The consequences of compromised identities that provide extensive access to company systems and potentially entire supply chains should not be underestimated either.

Legal Framework

GDPR & B2B

Strict data protection requirements also apply in the B2B sector. Companies are obligated to safeguard the personal data of customers, employees, and partners. And even in cases of unintentional data loss, significant fines may be imposed for non-compliance.

The EU General Data Protection Regulation (GDPR), which applies across Europe, sets out comprehensive rules to ensure the protection of digital identities. For example, companies are required to provide information upon request about the personal data they have stored on customers and contractual partners. Within the legal framework, users can also request the deletion of their stored data. Exceptions apply to data retained by authorities, such as criminal records or medical information.

In the event of data protection violations, users may theoretically be entitled to compensation. However, it is not possible to make a general statement about whether or when such a claim might apply.

Criminal Code and Identity-Related Offenses

Identity theft and identity fraud are increasingly relevant in digital and cross-border contexts. While not always defined as standalone offenses in national criminal codes, they are typically covered under broader legal provisions such as unauthorized access to data, computer fraud, document forgery, and impersonation.

Criminal codes in many jurisdictions, including Germany, allow such acts to be prosecuted under existing laws. These include illegal data access (commonly involving cyberattacks or phishing), manipulation of digital information, and fraudulent use of another person’s identity to gain financial or other benefits.

In most cases, identity-related crimes are linked to additional offenses—such as data privacy violations or breaches of communication confidentiality. Legal frameworks across the EU and globally continue to evolve to address these challenges, aiming to strengthen digital security, protect individuals, and deter cybercrime through more specific and enforceable legislation.

German Criminal Code (StGB)

The offenses of “identity theft” and “identity fraud” are not yet explicitly defined in the German Criminal Code (StGB). However, certain related acts, such as data espionage (§ 202a StGB), forgery of data relevant as evidence (§ 269 StGB), fraud (§ 263 StGB), or computer fraud (§ 263a StGB), can fall under existing criminal provisions.

Such acts are often accompanied by additional criminal offenses that may also be prosecuted. One example is the violation of the confidentiality of correspondence (§ 202 StGB), which penalizes the unauthorized opening of another person’s mail. A more contemporary regulation is § 202a StGB, which criminalizes unauthorized access to data. This is particularly relevant in cases where cybercriminals hack into systems to obtain information. These actions also involve fraud (§ 263 StGB) against individuals or entities by misrepresenting a stolen identity.

Protective Measures for Businesses

To defend themselves against identity theft and fraud, companies must implement effective countermeasures. Identity misuse can occur both from the outside (e.g., fraudsters posing as customers) and internally (e.g., stolen employee credentials leading to deeper system infiltration). Key measures include:

  • Awareness and Employee Training
    Employees are the first line of defense. Regular training on how to recognize and respond to potential threats is essential – especially since identity verification is often legally required in certain industries.
  • Secure Identification Processes
    Deception is not new, but the digital environment has increased its scale. Even a single careless click can compromise sensitive data. Strong identity verification protocols are essential to prevent unauthorized access.
  • Continuous System Audits and Updates
    All internal systems must be regularly reviewed for vulnerabilities and kept up to date. This also applies to third-party technologies that form part of the organization’s IT infrastructure, which must comply with relevant legal and security standards.

Solutions for Protection Against Identity Theft and Identity Fraud

There are various solutions that enable companies and public authorities to securely verify the identity of their users while also fulfilling compliance requirements. These include, for example, video identification procedures, biometric methods, and solutions for reading the chip in ID documents.

Verification of ID Documents

Several providers offer procedures for verifying ID documents as part of an online identity check.

WebID, for example, is considered a pioneer in the field of digital identification and offers a broad portfolio of solutions that comply with AML (Anti-Money Laundering) and data protection regulations. The following products include ID document verification as part of the identification process:

  • WebID’s VideoID (Live) allows for AML-compliant identification of individuals. The person first uploads a suitable ID document. Verification then takes place via a video call with a specially trained agent.
  • AccountID enables online identification through a reference bank transfer: after uploading an ID document and a selfie, which are automatically checked using liveness detection and biometric matching, a reference transfer is made via online banking. The identification process is then completed by entering a transaction number (SMS TAN).
  • eID is also AML-compliant. This solution enables identity verification via the online ID function and is the preferred method in public administrations, as it allows error-free reading and forwarding of the data stored on the activated chip in ID documents.

Biometric Identification

Biometric features such as fingerprints, facial recognition, and iris scans are considered virtually impossible to forge, as they are unique to each individual and can only be faked with considerable effort. WebID also provides digital identification solutions based on biometric data.

In addition to AccountID, which already uses biometric matching and liveness detection, these methods are also used for AutoID. AutoID uses a fully automated process to biometrically compare the customer’s face (selfie) with the image stored in an official document, such as an identity card.

Identity Fraud in the Telecom Sector

This white paper highlights the opportunities for telecom providers and explains the benefits of online identity verification as an efficient and secure solution that enables the digital transformation of outdated KYC processes.
