What Is Business Identity Theft? A Guide for Small Business Owners, Solopreneurs, and Gig Workers

Date: 07/08/2026

Most people think of identity theft as a personal problem. Someone steals a Social Security number, opens a credit card, wrecks a credit score. But identity theft does not stop at the individual level. It targets businesses too — and for the tens of millions of Americans who freelance, consult, or run a one-person operation, the line between personal identity and business identity barely exists at all.

Business identity theft occurs when someone uses a business’s identifying information — such as its Employer Identification Number (EIN), name, or owner details — without authorization to commit financial fraud, open fraudulent credit lines, file false tax returns, or impersonate the business for financial gain.

The scale of the problem is significant. According to the ITRC’s 2025 Business Impact Report, 81 percent of small businesses reported suffering a security breach, a data breach, or both in the past year. The ITRC’s 2024 Consumer and Business Impact Report found that fewer than 20 percent of small businesses were not victimized by a cyberattack or data breach in the prior year. In other words: being targeted is now the norm, not the exception.

What Makes Business Identity Theft Different from Personal Identity Theft?

Personal identity theft targets an individual: their Social Security number, personal credit history, bank accounts, and financial identity. Business identity theft targets a company: its EIN, business name, commercial credit profile, and registered legal identity.

In theory, these are two separate categories. In practice, they often overlap almost entirely.

When you operate as a sole proprietor or under your own name, your personal SSN may serve as your business tax ID. Your personal credit history may be your business credit history. A thief targeting your “business” may effectively be stealing your personal identity at the same time and vice versa. A single compromised piece of information can trigger consequences in both directions.

If you work independently and have not thought of yourself as a “business” in the traditional sense, that does not reduce your exposure. If you invoice clients, file a Schedule C, maintain a business account, or market services under your name, you have a business identity that can be stolen.

Common Types of Business Identity Theft

Business identity theft takes several distinct forms. Understanding the different types helps business owners recognize threats before they escalate.

EIN Fraud (Tax Identity Theft)

Criminals use a business’s Employer Identification Number to file fraudulent tax returns, claim false refunds, or impersonate the business with the IRS. The business owner typically discovers the problem when the IRS rejects their legitimate return because one has already been filed under the same EIN. Sole proprietors who use their SSN as their tax ID face dual exposure: a compromised number affects both their personal and business tax standing.

Fraudulent Credit and Loan Applications

Thieves use a business’s name and EIN to open credit lines, apply for business loans, or establish vendor accounts. Discovery often comes months later, when debt collectors make contact or a legitimate credit application is declined due to fraudulent accounts already on file.

Business Registration Hijacking

Criminals file fraudulent documents with a state’s Secretary of State office to alter a business’s registered agent, officers, or mailing address and effectively seizing control of the business’s legal identity. This is particularly dangerous because it can redirect official correspondence, payments, and renewal notices away from the legitimate owner.

Fake Business Impersonation and Website Cloning

Scammers create a fraudulent website or social media presence that mimics a legitimate business to deceive customers, collect payments, or harvest credentials. Gig workers and freelancers who rely on online portfolios, social profiles, or platform-based client relationships are especially vulnerable to this type of attack.

Account Takeover

Criminals gain access to an existing business bank account, payment platform (such as PayPal, Venmo for Business, or Stripe), or accounting software by obtaining login credentials through phishing attacks or data breach exposure. Once inside, they can redirect funds, alter payment details, or lock the legitimate owner out.

Vendor and Supply Chain Fraud

Criminals impersonate a business to deceive its suppliers or clients into redirecting payments to a fraudulent account. When carried out via email, this is commonly known as Business Email Compromise (BEC). For solopreneurs with ongoing client relationships, a single convincing impersonation message can redirect a payment before anyone realizes what happened.

A note for gig workers and solopreneurs: if you use a personal cell phone, personal email, or personal bank account for business transactions, a breach of any of these assets may constitute both personal and business identity theft simultaneously.

Warning Signs of Business Identity Theft

Business identity theft often goes undetected for months because victims do not know what to look for. The following warning signs are worth monitoring regularly.

Financial and Credit Signals

  • Unexpected declines on credit applications or existing lines of credit
  • Unfamiliar accounts or charges on a business credit report
  • Collection calls or notices for debts the business did not incur
  • Unexplained changes in your business credit score

Tax and IRS Signals

  • Rejection of a business tax return because one has already been filed under the same EIN
  • Receiving an IRS notice or letter that does not correspond to any filed return
  • Unexpected tax transcripts or correspondence about returns you did not file

Operational and Registration Signals

  • Mail or official correspondence that has been redirected or has stopped arriving
  • Changes to your business’s registered agent or mailing address that you did not authorize
  • Vendor or supplier notices about unpaid invoices you did not create
  • Unfamiliar business names or entities filed using your EIN

Digital and Reputational Signals

  • A duplicate website, social profile, or online listing impersonating your business
  • Customer complaints about communications from your business that you did not send
  • Unauthorized changes to your online business accounts or payment platforms

If you recognize any of these signs, contact the ITRC before taking further action. A trained advisor can help you assess what happened and prioritize next steps.

Why Small Businesses, Solopreneurs, and Gig Workers Are High-Value Targets

Most sole operators lack the dedicated IT staff, security teams, or fraud monitoring infrastructure that larger organizations maintain. The gaps are real, and fraudsters know it. At the same time, the financial consequences of a successful attack compound quickly: the ITRC’s 2025 Business Impact Report found that among breached small businesses, 62.5 percent reported a total financial impact exceeding $250,000, with more than a third facing costs above $500,000.

The threat is also accelerating. AI-powered attacks were identified as a root cause in more than 40 percent of cyber events in the ITRC’s 2025 Business Impact Report. Sophisticated impersonation, automated phishing, and AI-generated Business Email Compromise messages are increasingly accessible to criminals targeting small operators.

For solopreneurs and gig workers, the risk is further amplified by the overlap between personal and business identity data. A single compromised credential, such as your email address, SSN, or payment account, can expose both at once. And when the damage is done, the entire financial recovery burden falls on the individual.

What To Do If Your Business Identity Has Been Stolen

If you believe your business identity has been compromised, acting quickly limits further damage. Work through the following steps.

  1. Contact the ITRC for Free Guidance

The Identity Theft Resource Center provides no-cost, live support from expert advisors who can help you assess the situation and build a recovery plan. Call 888.400.5530, or use the live chat on our site. 

  1. Place a Fraud Alert on Your Business Credit

Contact the major business credit bureaus, Dun & Bradstreet, Experian Business, and Equifax Business, to place a fraud alert and request a review of your business credit reports for unauthorized accounts.

  1. Report to the IRS

If you suspect EIN fraud or tax-related business identity theft, report it to the IRS using Form 14039-B (Business Identity Theft Affidavit). This initiates a formal investigation and flags your EIN to prevent further fraudulent filings.

  1. File a Report with the FTC

Report business identity theft at IdentityTheft.gov. An FTC report creates an official record and is often required by creditors, banks, and law enforcement during the recovery process.

  1. Notify Your State’s Secretary of State

If you suspect business registration hijacking — unauthorized changes to your registered agent, address, or officers — contact your state’s Secretary of State office directly to flag and correct fraudulent filings.

  1. Alert Your Financial Institutions

Notify your bank, payment processors, and any active creditors of the identity theft. Request account reviews, update credentials, and ask about available fraud protection options.

  1. Document Everything

Keep records of all fraudulent accounts, unauthorized filings, correspondence received, and every step you take during recovery. This documentation is essential for disputes with creditors, the IRS, and law enforcement.

How To Help Protect Your Business Identity

Prevention is not a guarantee, but consistent habits meaningfully reduce your exposure. The following actions deliver the highest return for the effort invested.

  • Monitor your business credit reports regularly through Dun & Bradstreet, Experian Business, and Equifax Business. Unexpected accounts or inquiries are among the earliest fraud indicators.
  • Set up an IRS Business Identity Protection PIN when available and applicable. This adds a verification layer to your business tax filings.
  • Use multi-factor authentication (MFA) and passkeys on all business accounts. This is one of the highest-impact protections available, yet the ITRC’s 2025 Business Impact Report found MFA adoption among small businesses declined from 33.6 percent in 2024 to 27.2 percent in 2025 — a meaningful gap that leaves businesses exposed.
  • Limit the sensitive business information you share publicly or store digitally. The ITRC’s 2024 Consumer and Business Impact Report found that nearly half of small and midsize business leaders were already limiting data collection as a protective measure.
  • Verify any requests to change banking details, vendor payment information, or registered business addresses through a known, trusted channel before taking action — never through a reply to the message requesting the change.
  • For gig workers and solopreneurs: separate personal and business financial accounts where possible. This creates a cleaner audit trail if fraud occurs and may limit the scope of damage if one account is compromised.

Frequently Asked Questions About Business Identity Theft

Is business identity theft the same as personal identity theft?

Maybe. Personal identity theft targets an individual’s Social Security number and personal financial accounts. Business identity theft targets a company’s EIN, business name, and commercial credit profile. For solopreneurs and gig workers who use personal information as their business identity, both types can occur simultaneously from a single incident.

Can a solopreneur or gig worker be a victim of business identity theft?

Yes. Gig workers and solopreneurs are particularly vulnerable because their personal information often serves as their business identity. A stolen SSN used to file fraudulent business taxes, or a hijacked freelance profile used to deceive clients, may constitute business identity theft even without a formally registered company.

What is EIN fraud?

EIN fraud occurs when a criminal uses a business’s Employer Identification Number to file fraudulent tax returns, claim false refunds, or impersonate the business with the IRS or creditors. Sole proprietors who use their SSN as their tax ID face combined personal and business exposure if that number is compromised.

How do I find out if my business identity has been stolen?

Common indicators include rejected tax filings because a return was already filed under your EIN, unfamiliar accounts on your business credit report, collection notices for debts you did not incur, or unauthorized changes to your business registration. Monitoring your business credit regularly and signing up for IRS notifications can help catch fraud earlier.

What should I do first if I think my business identity was stolen?

Contact the Identity Theft Resource Center (ITRC) at 888.400.5530 or idtheftcenter.org for free, expert guidance. An ITRC advisor can help you assess what happened, prioritize next steps, and build a personalized recovery plan at no cost.

Does business identity theft affect my personal credit?

It can, particularly for sole proprietors and solopreneurs whose personal credit history is connected to their business operations. Fraudulent accounts opened in a business’s name may appear on personal credit reports if the business has no separate credit profile established.

How much information are you putting out there? It’s probably too much. To help you stop sharing Too Much Information, sign up for the In the Loop.