Corporate Identity Theft in Germany

Identity theft methods are becoming increasingly skilful and are a well-known phenomenon today. In addition to identity theft from private individuals, where personal information such as name, national insurance number or credit card information is used to commit fraud, corporate identity theft is also on the rise. Information such as financial data, company logos or names are often misused for fraudulent purposes.

The most common methods of corporate identity theft include phishing emails. These messages are designed to trick employees, managers, and other company stakeholders into disclosing sensitive information. This sensitive information can include login credentials, account numbers and other financial data. Such fraudulent emails may appear to come from a legitimate source, particularly banks or government agencies, or from internal company departments.

The perpetrators often send phishing emails to specific employees or departments in order to search for certain information. Another frequent occurrence is the so-called CEO fraud. In this case, a person employed by the company is made to believe that the CEO or board member of the company is demanding, for example, the transfer of a certain amount of money or the sending of sensitive data, whereupon the person concerned fulfils the order. As phishing emails are often difficult to recognise, companies should always be vigilant and train their employees accordingly.

Hacking attacks can also lead to the theft of a company’s identity. Hackers try to exploit vulnerabilities in the software and gain access to the company’s systems using stolen login data. Once they have gained access, they can install malware, steal sensitive data, and overtake the organisation’s systems or extort a ransom.

Such hacker attacks can lead to considerable financial losses and – if the information gathered is published – can damage a company’s reputation. To protect their systems and networks, companies need to be proactive. Once a company realises that it has been the victim of identity theft, it should act as quickly as possible and seek legal advice instantly.

Another method of company identity theft involves insiders within the organisation. These insiders may be current or former employees or contractors who have access to sensitive information or systems. Some individuals may misuse this access to steal sensitive data, financial records, or intellectual property for personal gain.

Recognising these threats can be particularly difficult for businesses. If your company is at risk of such an attack, contact our experts. Our lawyers advise companies on efficient and effective whistleblowing and internal complaint mechanisms that enable employees to report such cases in confidence and take action. Our legal team supports companies in implementing suitable measures to prevent insider threats and identity theft. This includes introducing internal systems, educating employees about phishing and social engineering risks, implementing strong access controls and authentication procedures and regularly monitoring networks for suspicious activity.

Companies must be vigilant in the event of identity theft and ensure that they are prepared for such a case. Detecting information theft is critical to mitigating potential damage. Companies can take a number of steps to detect potential corporate identity theft:

• Monitor financial accounts: Companies should regularly monitor or review bank accounts, bank statements and credit reports. Regular monitoring enables them to detect suspicious activity and transactions immediately and take prompt action as a result. Such monitoring should also include audits of the organisation’s internal systems and networks.
• Security assessment and data protection: Organisations should conduct regular security assessments of their internal systems and networks to identify potential vulnerabilities. In this context, it is crucial to closely analyse data breaches that have already occurred, as well as to keep abreast of current threats and the latest security standards. This proactive approach enables employees to learn what to look out for in the event of breaches and how they should react in such situations.
• Legal advice and involvement of law enforcement authorities: In the event of identity theft, the affected company has a duty to respond appropriately. Advice from our legal team will ensure that you take the best possible action in such a situation. Possible steps include notifying law enforcement authorities and affected third parties (including customers and employees), conducting an internal investigation and taking remedial action.

Companies must be vigilant to prevent corporate identity theft in Germany. The following measures must be implemented on a regular basis:

• Protection of sensitive data: Controls should be implemented within the organisation, particularly in relation to access to and security of sensitive data. Companies should protect customer and company data with password-protected systems, encryption, and firewalls to prevent unauthorised access. In order to be able to act as quickly as possible in the event of internal threats, companies should always be aware of who has access to sensitive data. They should therefore be prepared to restrict access to those employees who actually need it to fulfil their tasks.
• Introduction of security protocols: It is also advisable to introduce multi-factor authentication and regular password changes to prevent unauthorised access to company systems. Suspicious activity monitoring systems can also be used to help detect signs of identity theft, for example by alerting to unusual financial transactions or requests for data.
• Employee training: Specialised training is provided to teach employees how to respond to hacking or phishing attacks. Regular training ensures that the company’s employees are aware of the best practices in terms of data protection and cyber security. This in turn ensures that they do not accidentally or as a result of deception disclose sensitive data.
• Whistleblower and internal reporting systems: Companies can also encourage their employees to report suspicious behaviour by having secure and appropriate mechanisms for doing so within the company structure. Such systems can make a decisive contribution to ensuring that employees do not turn to people outside the company with their complaints and suspicions.

In Germany, theft of a company’s identity is punishable by considerable penalties. In civil proceedings, companies can also claim damages or compensation for losses or damage they have suffered as a result of identity theft. These damages can include financial losses or damage to the company’s reputation through negative media coverage and loss of business.

Identity theft is not a stand-alone offence. Instead, committing identity theft constitutes various criminal offences under German law. Depending on the individual case, this may include the spying and interception of data as defined in Section 202a StGB, data theft as defined in Section 202d StGB, the falsification of evidence-relevant data as defined in Section 269 StGB and fraud or computer fraud as defined in Sections 263 et seq. StGB. The penalty then depends on the particular circumstances of the case.

Proving identity theft at a company can sometimes be difficult. Taking extensive measures to provide evidence is necessary. Gathering evidence in the form of relevant documents, including financial statements, bank records, correspondence and invoices, is a first starting point. These documents should prove that the company’s identity has been used without the appropriate authorisation.

Internet data such as IP addresses, email addresses or social media posts that provide evidence of identity theft or point to the identity of the perpetrator can be used – as can surveillance footage or other physical evidence of the theft.

Our legal team works with experts to help companies in Germany gather the necessary documentation and information to resolve the case. Our lawyers also provide information about the possibility of using witness and expert statements. Such statements can be decisive when it comes to proving responsible behaviour regarding data protection and security measures.