Can Your Identity Be Stolen at Work? Yes. And It's Getting Easier.

Most SMB leaders intuitively know that identity theft and fraud happen “out there,” but the truth is far more uncomfortable: employee identities are now routinely stolen at work, often via familiar business systems that seem safe on the surface. Even more troubling for small and mid‑sized businesses, Business Email Compromise (BEC) remains one of the costliest threats, contributing nearly $2.8 billion in losses in 2024 alone. Across 2024–2025, BEC losses rose to nearly $8.5 billion, underscoring just how valuable stolen identities have become to attackers who rely primarily on social engineering, not code, to infiltrate organizations.

Featured in this Article: 

1. Identity Theft vs. Identity Fraud Breakdown 
2. Top 5 Ways Employee Data Gets Stolen
3. How to Have a Modern Defense Approach in 2026
4. YouTube: What Cyber Trends are On The Horizon This Year? 
5. What to Do If Your Identity Gets Stolen

What's the Difference Between Identity Theft and Identity Fraud? 

Although used interchangeably, identity theft and identity fraud refer to two very different stages of an attack on your personal information. Identity theft occurs first, when your information is taken without your permission. Identity fraud happens next, when that stolen data is actively used to steal money, open accounts, or commit financial harm.

Identity Theft (Exposure Stage)

When  personal information is taken without permission. This includes names, addresses, credit card numbers, Social Security numbers, login credentials, and other sensitive data. 

The key idea here is that identity theft = information stolen.

Identity Fraud (The Misuse Stage)

When stolen personal data is used for financial gain.

The key idea here is that identity fraud = stolen information is exploited.

Ways Employee data gets stolen

Employers are responsible for a great deal of personal and private information regarding their employees. Third parties may want that information for a variety of reasons, some of which are bureaucratic, financial, nosy, or even dangerous. 

There are plenty of ways, but here are a few popular methods:

Public Wi-Fi (Especially "Evil-Twin" Networks)

CISA confirms that attackers increasingly set up fraudulent Wi‑Fi networks with the same identifiers (SSIDs) to legitimate hotspots so employee devices connect automatically. Once connected, attackers can intercept credentials, redirect traffic, or present fake login pages to harvest authentication details. As travel and hybrid work grow, the attack surface does too.

• Evil Twin networks enable credential interception via fraudulent hotspots.
• Attack hardware costs under $500, making attacks accessible to amateurs. 
• Victim devices automatically connect to stronger fake SSIDs, exposing traffic.
• VPN enforcement mitigates risks on untrusted networks.
• Public Wi‑Fi remains one of the easiest data‑theft environments for attackers.
  
  

Business Email Compromise and Identity Jacking

BEC has evolved into a sophisticated identity‑theft machine. Modern attackers intercept both passwords and session cookies, allowing them to bypass MFA entirely. Microsoft has documented multi‑stage BEC campaigns abusing SharePoint workflows, mailbox rules, and trusted document‑sharing flows to compromise organizations undetected.

• BEC caused ~$2.8B in 2024 losses nationwide.
• Attackers use hijacked sessions to impersonate employees, especially in finance roles.
• Inbox rule creation enables hidden persistence in compromised email accounts.
• Credential‑based intrusions represent 22% of breaches (2025 DBIR).
  
  

MFA Fatigue (Push-Bombing)

MFA fatigue attacks surged between 2024–2025, exploiting user frustration instead of system weaknesses. Microsoft noted that about 1% of users approve the very first unexpected MFA prompt, enough to cause widespread compromise across SMBs. Attackers bombard a victim with nonstop MFA notifications until fatigue, confusion, or irritation leads them to approve a fraudulent login.

• MFA fatigue exploits human approval reflexes, not software flaws.
• Number‑matching MFA reduces accidental approvals compared to simple push prompts.
• Attackers deploy notification floods to pressure users into approving a login.
• Phishing‑resistant MFA provides stronger protection than SMS or push‑only systems.
  
  

Phishing (Specifically, QR Code Phishing)

QR‑code phishing bypasses traditional corporate defenses by pushing victims to scan codes using personal smartphones, which operate outside enterprise controls. Between August and November 2025, successful QR phishing attacks grew 5×, according to StrongestLayer’s 2026 report, even after major security vendors deployed QR‑scanning features.

• QR-phishing shifts attacks to unmanaged mobile devices where corporate tools can’t inspect traffic.
• Attackers use cloud‑hosted redirect chains to evade email filters.
• QR codes on signage lure victims in physical spaces like parking meters, menus, invoices.
• Nearly 90% of QR-phishing attacks target credential theft in corporate apps.
  
  

Improper Disposal of Devices and Equipment

Old hardware remains one of the most underestimated causes of employee identity theft. The FTC’s updated Safeguards Rule requires organizations covered by GLBA to report any unauthorized acquisition of unencrypted data affecting 500+ consumers within 30 days—including exposure through poorly wiped devices.

• Bad disposal practices expose customer and employee private information in bulk.
• FTC Safeguards Rule mandates 30‑day reporting for qualifying incidents. 
• Stolen device data enables payroll fraud, tax fraud, and account takeover.
• SMBs face regulatory and reputational fallout when data leaks through disposal.

How to Have a Modern Defense Approach in 2026

The release of NIST Cybersecurity Framework 2.0 brings a clearer roadmap for SMB security programs by elevating cybersecurity governance to an executive responsibility. The new Govern function helps small businesses define roles, oversight, supplier controls, and strategic risk priorities—ensuring identity protection is not left entirely to IT teams.

Pair that governance with:

• Phishing ‑resistant MFA (FIDO2, passkeys, number‑matching)
• EDR on all endpoints, now considered essential across government and industry (with federal agencies deploying 920,000+ EDR agents)
• Email authentication + isolation (SPF/DKIM/DMARC, browser isolation for finance roles)
• QR phishing‑focused user training, since QR threats now evade traditional email controls
• Strict device disposal and vendor risk oversight

…and SMBs can dramatically reduce their vulnerability to identity-driven compromise.

What do you do if your identity is stolen?

When identity compromise occurs, the first step is containment. In many attacks, password resets alone are insufficient. For example, BEC attacks require session token revocation, mailbox rule cleanup, OAuth permission review, and vendor/bank notification. The FBI encourages businesses to file IC3 reports promptly because recovery workflows depend on timely reporting.

If you need help or maybe this seems like something you should outsource to make sure you're not subjected to, contact us today and we'll get you one your way to better protection. 

Want us to manage all this for you? Check out our Secure Managed Services offerings that cover your IT support and cybersecurity all in one package.