Identity Theft for Sole Traders: Prevention

Why Sole Traders Are Vulnerable to Identity Theft

Identity theft is not just a consumer problem. For sole traders, the stakes are arguably higher — because your personal identity and your business identity are legally one and the same. Unlike a limited company, which exists as a separate legal entity, a sole trader's business is an extension of themselves. This means that if a criminal steals your identity, they can damage both your personal credit history and your business simultaneously.

The nature of sole trader work also creates specific vulnerabilities. Your name, address, and contact details are often publicly available through your website, social media profiles, and business directories. Your Unique Taxpayer Reference (UTR) number may appear on invoices or correspondence that passes through multiple hands. And your National Insurance number — the key to your tax identity — is shared with HMRC, pension providers, and sometimes clients or agents.

In 2024, Cifas (the UK's fraud prevention service) recorded over 237,000 cases of identity fraud, making it the most common type of fraud in the UK. While not all of these affected sole traders specifically, the characteristics that make sole traders visible also make them targets.

How Identity Theft Happens to Sole Traders

Understanding the methods criminals use to steal business identities helps you protect against them.

Data Harvesting

Criminals collect personal information from multiple sources and piece it together to build a complete identity profile. For sole traders, these sources might include:

• Your website: Your name, business address, email, and phone number are typically published openly. Some sole traders also display registration numbers, professional qualifications, or client testimonials that provide additional data points.
• Social media: Business and personal social media profiles can reveal your date of birth, location history, family connections, and lifestyle details. This information is useful for answering security questions or for social engineering attacks.
• Companies House: If you've ever been a director of a limited company, your personal details are on public record, including your date of birth and residential address history.
• Electoral roll: Unless you've opted out, your name and address are publicly searchable on the electoral roll.
• Data breaches: Previous data breaches from websites, retailers, or services you've used may have exposed your email address, passwords, and personal details. The Have I Been Pwned website allows you to check whether your email address has appeared in known data breaches.

Phishing and Social Engineering

Direct approaches — fraudulent emails, phone calls, or messages — remain highly effective for extracting specific details that criminals need to complete an identity profile. A scam email from "HMRC" asking you to verify your UTR number, or a call from "your bank" asking for your date of birth and mother's maiden name, can provide the final pieces of the puzzle.

Our guide to spotting HMRC scam emails covers phishing tactics in detail.

Mail Interception and Redirection

Criminals may intercept mail sent to your business address — particularly if you work from home and don't have a secure postbox — or redirect your mail to a different address using a fraudulent Royal Mail redirection. This can give them access to bank statements, tax correspondence, and other documents containing sensitive information.

Stolen Documents

Physical theft of documents — from a stolen wallet, a break-in at your home office, or even documents left in a bin — can provide criminals with the information they need. Your passport, driving licence, bank statements, and tax correspondence are all valuable to identity thieves.

Warning Signs That Your Identity Has Been Stolen

Identity theft can operate silently for weeks or months before the victim becomes aware. Watch for these warning signs:

Unexpected credit refusals. If you're turned down for credit you'd normally expect to receive — a business credit card, a mortgage application, or even a mobile phone contract — it could indicate that someone has been taking out credit in your name and damaging your credit score.

Unfamiliar transactions on your bank or credit card statements. Even small, unfamiliar transactions can be a sign. Criminals sometimes make small test transactions before attempting larger frauds.

Missing post. If you stop receiving expected post — bank statements, tax correspondence, utility bills — it could indicate that your mail has been redirected.

Contact from debt collectors. If you receive letters or calls from debt collection agencies about debts you don't recognise, someone may have taken out credit in your name and defaulted.

Unfamiliar entries on your credit file. Regular credit file checks can reveal accounts, searches, or addresses that you don't recognise.

HMRC correspondence about income you didn't earn. If HMRC queries income that wasn't yours, or if your self-assessment tax calculation is unexpectedly higher than expected, someone may have used your identity for tax purposes.

Preventing Identity Theft: A Practical Checklist

Protect Your Personal Information

Minimise what you share publicly. Your business needs visibility, but not every detail needs to be public. Consider using a PO Box or virtual office address instead of your home address. Use a business email address rather than your personal one. Be cautious about publishing your date of birth on social media.

Secure your digital presence. Use strong, unique passwords for every account. Enable two-factor authentication wherever it's available. Use a password manager to handle the complexity. Keep your operating systems and apps updated to patch security vulnerabilities.

Protect physical documents. Shred sensitive documents before disposing of them — don't just put them in the recycling. Store important documents (passport, birth certificate, tax correspondence) in a secure location. If you work from home, ensure your home office is secure.

Monitor Your Identity

Check your credit file regularly. You can access your credit report for free through the three main UK credit reference agencies: Experian, Equifax, and TransUnion. Check for unfamiliar accounts, credit searches, or addresses at least quarterly.

Monitor your bank accounts. Review your bank transactions weekly. If you use Accounted, I monitor your transactions as they flow through and can flag anything unusual. This automatic oversight catches anomalies faster than periodic manual reviews. Learn about our monitoring features on the features page.

Set up alerts. Most banks and credit reference agencies offer alert services that notify you of significant activity on your accounts or credit file.

Protect Your Tax Identity

Guard your UTR number. Your Unique Taxpayer Reference should be treated as sensitive information. Don't publish it on your website or social media. Share it only with HMRC and trusted professional advisers.

Secure your Government Gateway account. Enable two-factor authentication, use a strong unique password, and never share your login details with anyone.

File your tax returns promptly. Filing early reduces the window for a criminal to file a fraudulent return in your name. If someone submits a return using your UTR before you do, it creates a complex situation to resolve. Our self-assessment guide provides practical filing advice.

What to Do If You're a Victim

If you discover that your identity has been stolen, take these steps:

1. Report to Action Fraud. Contact Action Fraud on 0300 123 2040 or through their website. They'll provide a crime reference number and refer your case to the relevant police force.

2. Contact Cifas. Register for protective registration with Cifas. This places a flag on your credit file that alerts lenders to perform additional identity checks before granting credit in your name. There's a small fee for this service, but it's invaluable if you know your identity has been compromised.

3. Notify your bank. Alert your bank's fraud team about the identity theft. They'll place additional security measures on your accounts and may replace your cards and online banking credentials.

4. Contact HMRC. If your tax identity has been compromised, call HMRC on 0300 200 3310 to report the issue. They can place a security marker on your tax record.

5. Check and correct your credit file. Contact all three credit reference agencies (Experian, Equifax, TransUnion) to report the identity theft and dispute any fraudulent entries. They're obliged to investigate and remove entries that aren't yours.

6. Review your digital security. Change passwords for all your accounts, especially email, banking, and Government Gateway. Check for any devices or apps that have been added to your accounts without your knowledge.

7. Monitor ongoing. Identity theft can have lingering effects. Continue monitoring your credit file, bank accounts, and tax records for at least 12 months after the incident.

Building Long-Term Resilience

Identity theft prevention isn't a one-off task — it's an ongoing practice. By incorporating simple security habits into your routine, you can significantly reduce your risk:

• Review your credit file quarterly
• Update your passwords every 6-12 months
• Shred sensitive documents as a matter of course
• Think carefully before sharing personal information, even with apparently legitimate requests
• Keep your software and devices updated
• Stay informed about current scam tactics

For broader guidance on protecting your business from financial crime, explore our posts on protecting your business bank account and what to do if your business is a victim of fraud.

And remember, keeping your financial records accurate and up to date with Accounted means that any irregularity is spotted quickly. Sign up and let me help you stay safe.

Useful Resources

• HMRC Self Assessment guidance
• HMRC's guidance on self-employed expenses

Accounted makes bookkeeping simple — Penny categorises your transactions automatically so you don't have to. See how →