Cases involving the misuse of personal data in economic crimes have increased
Identity theft – i.e. the unlawful use of another person’s name or personal data – was criminalised in September 2015. Identity thefts typically involve cases of fraud. In this case, it means buying products from an online store with the data of another person or taking out a loan, payday loans or setting up customer accounts or bank accounts with another person’s personal information and data.
Authorities are misled by naming the wrong people when providing information about the people responsible for a company or the employees of a company. Companies and their details are also often exploited in order frauds, where various purchases are made under a company’s name. The misuse of personal information and data enables the simultaneous defrauding of the Tax Administration, Kela (the Social Insurance Institution of Finland), collective industrial organisations, insurance firms and financial institutions.
Fraud offences that come to the knowledge of authorities is not limited to Finland alone, and several operators have connections to other European and Baltic countries or organised crime (organised crime as defined in Chapter 17 section 1a of the Criminal Code of Finland).
Identity thefts can lead to rapid and substantial financial losses
It is characteristic of identity thefts that they can cause substantial damage fast and that the offenders may achieve substantial monetary gains. Once the money is transferred abroad, returning it to the victim of the crime is often difficult, if not impossible.
In 2017, identity thefts targeting companies attempted to get groundless VAT refunds from the Tax Administration by exploiting counterfeit account change notifications. The attempt also extended to groundless returns of payroll taxes. The Tax Administration successfully prevented the payment of groundless VAT refunds amounting to approximately EUR 55–60 million in cases involving identity theft.
Over the last few years, tens of Finnish companies have been victims of a fraud or an attempted fraud in which someone has impersonated a director of the company and tried to get the company’s financial administration to pay large sums of money to the accounts of criminals. These “CEO frauds” involve internationally organised criminal activities.
They are often based on careful preparation making use of information available in open sources, for example. They also rely on social engineering to make the victim act in a way that benefits the offender. CEO frauds are one of the focal points of international police work and attempts to prevent criminal injuries have been successful.
Prevention is the best way to combat the misuse of personal data
The victims in cases involving identity theft include private individuals, businesses and society. Prevention and communication about phenomena related to identity theft have proved effective in practice.
It is advisable for companies themselves to regularly check whether the company’s details in various information systems (such as the Trade Register) are accurate and unchanged. In cases involving a suspected crime, companies should always contact the authorities.
It is very important for private individuals to protect their personal data, particularly their personal identity and online banking codes.
The exchange of information between authorities should be improved, both nationally and internationally. In Finland, prevention could be enhanced by, among other things, authorities being able to disclose information about an identity theft to other authorities.