How Attackers Are Abusing UK Companies House Data for Corporate Identity Fraud


Companies House is one of the most open, searchable, and frankly underestimated attack surfaces in the UK. Every limited company registered in England and Wales has its director names, registered addresses, filing histories, and Person of Significant Control (PSC) data sitting there, publicly indexed, free to access, zero authentication required. That transparency is the point. It keeps British business accountable. It also hands attackers a ready-made dossier on almost any company they want to impersonate.

This is not a theoretical threat. Companies House corporate identity fraud costs UK businesses tens of millions of pounds annually, and the attack patterns are getting sharper as more criminals learn to chain open data together. Let’s walk through exactly how it works, what the OSINT workflows look like from the attacker’s perspective, and what you can actually do about it.


What Data Is Actually Exposed on Companies House?

Go to Companies House Search right now and look up any active limited company. You’ll find the registered office address, the names of every current and past director, their partial dates of birth, their correspondence addresses (often a home address if they filed without a registered agent), the full filing history going back years, a list of people with significant control and their nationality and country of residence, and the company’s SIC code, incorporation date, and share structure. All of it. No API key. No login. No rate limiting worth mentioning.

For a legitimate researcher or a due-diligence team, this is gold. For a fraudster building a convincing impersonation package, it’s essentially a target profile handed to them on a plate.

The Three Main Attack Patterns

1. Invoice Fraud and Business Email Compromise

An attacker identifies a supplier your company uses. One quick Companies House lookup confirms the supplier’s registered address, directors’ names, and the approximate scale of the business from filing history. They register a lookalike domain, craft an email that references the real director by name and the real company number, and send your accounts payable team a “remittance update” notice. The invoice looks legitimate because every verifiable detail is accurate. The only thing that changed is the sort code and account number at the bottom.

UK Finance reported that authorised push payment (APP) fraud cost UK victims over £460 million in a single recent year, and a significant chunk of that involves exactly this kind of corporate impersonation chain. The Companies House data is often just the first link.

2. Dormant Company Hijacking

This one is nastier and more technical. A dormant company, one that was incorporated but never actively traded or hasn’t filed anything substantive in years, still exists on the register. Some of them have useful-sounding names. An attacker can file a change of registered address with Companies House, often with minimal verification, effectively redirecting official correspondence to an address they control. From there, they can attempt to open business bank accounts, apply for credit, or run scams under a legitimate-looking company identity that has a clean, aged filing history.

Companies House has acknowledged this vulnerability. Their verification reforms under the Economic Crime and Corporate Transparency Act 2023 are designed to tighten this up, but the rollout is phased and plenty of legacy exposure remains.

3. Director Impersonation for Targeted Phishing

PSC data is particularly useful for social engineering. If I know you’re listed as a director with 75-100% share ownership, I know you’re probably the decision-maker. I know your name, a partial DOB, and your correspondence address. Pair that with a quick LinkedIn scrape and some basic OSINT chaining through electoral roll aggregators, and I’ve got enough to craft a highly personalised spear-phishing email, or worse, attempt a SIM swap by impersonating you to your mobile network.


A Practical OSINT Workflow (The Attacker’s Perspective)

Understanding the workflow is the first step to disrupting it. Here’s the rough sequence a skilled attacker might run:

  • Step 1: Company Search — Companies House free search. Pull company number, filing history, registered address, director list, PSC register.
  • Step 2: Domain Enumeration — Tools like Subfinder or crt.sh to map the target’s real domains. Whois lookups to cross-reference registration addresses with Companies House data.
  • Step 3: Personnel Mapping — LinkedIn, Hunter.io for email format discovery. Cross-reference director names from Companies House with professional profiles.
  • Step 4: Infrastructure Recon — Shodan, Censys, or GreyNoise to fingerprint publicly exposed services. If the target runs their own mail server, that’s potential for domain spoofing if SPF/DKIM/DMARC is misconfigured.
  • Step 5: Attack Assembly — Lookalike domain registration (often using combosquatting: company-invoices.co.uk, companynarne.com). A convincing HTML email template. A fake invoice referencing real company details.

The whole thing can be done in under an hour by someone who knows what they’re doing. That should make you uncomfortable.
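The combosquatting and character-swap domains in Step 5 are exactly what a mail gateway or SOC rule should be catching on the receiving side. The following is an added example written for this article (it is not a tool the article names): it classifies an inbound sender domain against a list of domains you protect, using three checks that cover the lookalike styles above, namely confusable character swaps such as rn for m, small edit distance, and the protected name embedded in a longer hyphenated label, plus a top-level-domain swap. The protected list, the sample sender domains and the small confusable table are all constructed for the demonstration.

```python
"""Flag inbound sender domains that imitate a domain you protect.

Added example for this article, not a tool the article names. The protected
list and sender domains are constructed; the confusable table is a short
illustrative set, not an exhaustive homoglyph list; the UK second-level
suffix set is an assumption that a real deployment would replace with the
Public Suffix List.
"""
from __future__ import annotations

# Character sequences attackers substitute because they look alike (assumed, illustrative).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

# Second-level suffixes under .uk that we treat as part of the public suffix.
UK_SECOND_LEVEL = {"co", "org", "ac", "gov", "ltd", "plc", "me", "net"}


def registrable_label(domain: str) -> str:
    """'invoices.companyname.co.uk' -> 'companyname'; 'companyname.com' -> 'companyname'."""
    labels = domain.lower().strip(".").split(".")
    if len(labels) >= 3 and labels[-1] == "uk" and labels[-2] in UK_SECOND_LEVEL:
        return labels[-3]
    return labels[-2] if len(labels) >= 2 else labels[0]


def fold_confusables(label: str) -> str:
    """Normalise look-alike sequences so 'companynarne' folds to 'companyname'."""
    for lookalike, real in CONFUSABLES:
        label = label.replace(lookalike, real)
    return label


def levenshtein(a: str, b: str) -> int:
    """Standard edit distance (insert / delete / substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(sender_domain: str, protected: list[str]) -> tuple[str, str | None]:
    """Return (verdict, matched protected domain).

    Verdicts: legitimate, tld-swap, confusable, edit-distance, embedded, unrelated.
    """
    sender = sender_domain.lower().strip(".")
    s_label = registrable_label(sender)
    # Exact match or a subdomain of a protected domain is legitimate.
    for p in (x.lower() for x in protected):
        if sender == p or sender.endswith("." + p):
            return ("legitimate", p)
    for p in (x.lower() for x in protected):
        p_label = registrable_label(p)
        if s_label == p_label:                       # same name, different suffix
            return ("tld-swap", p)
        if fold_confusables(s_label) == fold_confusables(p_label):
            return ("confusable", p)
        if levenshtein(s_label, p_label) <= 2:       # typo-style distance
            return ("edit-distance", p)
        if p_label in s_label.replace("-", ""):      # combosquatting
            return ("embedded", p)
    return ("unrelated", None)


# Constructed sample: one protected domain and a batch of sender domains.
PROTECTED = ["companyname.com"]
SAMPLE_SENDERS = [
    "companyname.com", "mail.companyname.com", "companynarne.com",
    "compnyname.com", "companyname-invoices.co.uk", "companyname.co.uk", "unrelated.org",
]

if __name__ == "__main__":
    for sender in SAMPLE_SENDERS:
        verdict, hit = classify(sender, PROTECTED)
        print(f"{sender:30} {verdict:14} {hit or ''}")
```

Anything other than `legitimate` or `unrelated` is a candidate for quarantine or at least a banner in the recipient's mailbox. Note that your own DMARC policy does not help against these domains: the attacker registers and controls them, so their SPF and DKIM can pass cleanly, which is why this kind of similarity check has to sit alongside email authentication rather than be replaced by it.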

Worth noting: teams doing legitimate security research sometimes use free SEO tools to map a target’s digital footprint, and those same enumeration techniques overlap heavily with how attackers scope corporate targets online.

How to Defend Against Companies House-Based Attacks

Protect Your Own Filing Data

Directors can apply to suppress their residential address from the public register if it was filed before the option to use a service address became standard. Companies House has a process for this under section 1088 of the Companies Act 2006. If you’re a director and your home address is sitting on the public register, that’s worth sorting urgently.

Use a registered agent address for your company’s registered office. It costs almost nothing and keeps your real operational address out of the public record. Many UK accountancy firms offer this service.

Monitor Your Own Company Record

Companies House offers a free email alert service that notifies you whenever a filing is made against your company number. Turn this on immediately if you haven’t already. If someone attempts to change your registered address or file fraudulent director changes, you’ll know within hours rather than months.

You can set this up directly through the gov.uk Companies House follow service; it genuinely takes two minutes.
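The alert service tells you that something was filed; deciding whether it is the kind of filing a hijacker would make is still on you. The following is an added example written for this article (not code from Companies House or the follow service): it diffs a stored baseline of your company record against a freshly fetched one and escalates the changes that matter for hijacking, namely a new registered office, officers appearing or disappearing, and filings of the address-change and director-change form types. The snapshot shape loosely follows the public Companies House API (a company profile plus filing-history items carrying a form `type`), but every record here is constructed sample data with a placeholder company number, and the form-code mapping is an assumption about which forms to treat as high risk.

```python
"""Diff two snapshots of a company's public record and flag risky changes.

Added example for this article; not code from Companies House. Every record
below is constructed sample data (placeholder company number, fictitious
names and addresses). HIGH_RISK_FORMS is an assumed mapping of form types.
"""
from __future__ import annotations
from dataclasses import dataclass, field

# Form types a defender wants paged on immediately (assumed mapping).
HIGH_RISK_FORMS = {
    "AD01": "change of registered office address",
    "AP01": "appointment of a director",
    "TM01": "termination of a director",
    "CH01": "change of a director's details",
}


@dataclass
class Snapshot:
    company_number: str
    registered_office: str
    officers: set[str]
    filings: list[dict] = field(default_factory=list)  # {"transaction_id", "type", "date"}


@dataclass
class Finding:
    severity: str  # "high" or "info"
    message: str


def diff_snapshots(old: Snapshot, new: Snapshot) -> list[Finding]:
    """Compare a stored baseline with a freshly fetched record."""
    if old.company_number != new.company_number:
        raise ValueError("snapshots describe different companies")
    findings: list[Finding] = []
    if old.registered_office != new.registered_office:
        findings.append(Finding("high", f"registered office changed: "
                                        f"{old.registered_office!r} -> {new.registered_office!r}"))
    for name in sorted(old.officers - new.officers):
        findings.append(Finding("high", f"officer no longer listed: {name}"))
    for name in sorted(new.officers - old.officers):
        findings.append(Finding("high", f"officer newly listed: {name}"))
    already_seen = {f["transaction_id"] for f in old.filings}
    for filing in new.filings:
        if filing["transaction_id"] in already_seen:
            continue  # baseline already knew about this filing
        label = HIGH_RISK_FORMS.get(filing["type"])
        if label:
            findings.append(Finding("high", f"new {filing['type']} filing on {filing['date']}: {label}"))
        else:
            findings.append(Finding("info", f"new {filing['type']} filing on {filing['date']}"))
    return findings


def high_severity(findings: list[Finding]) -> list[str]:
    """Messages that should page someone rather than sit in a daily digest."""
    return [f.message for f in findings if f.severity == "high"]


# Constructed sample data: the baseline you stored, and what the register shows now.
BASELINE = Snapshot(
    company_number="00000000",  # placeholder, not a real company number
    registered_office="1 Example Street, London",
    officers={"Jane Doe", "John Roe"},
    filings=[{"transaction_id": "t1", "type": "AA", "date": "2023-09-30"}],
)
LATEST = Snapshot(
    company_number="00000000",
    registered_office="Flat 9, 99 Nowhere Road, Manchester",
    officers={"Jane Doe", "John Roe"},
    filings=[
        {"transaction_id": "t1", "type": "AA", "date": "2023-09-30"},
        {"transaction_id": "t2", "type": "AD01", "date": "2024-03-02"},
        {"transaction_id": "t3", "type": "CS01", "date": "2024-03-05"},
    ],
)

if __name__ == "__main__":
    for finding in diff_snapshots(BASELINE, LATEST):
        print(f"[{finding.severity.upper()}] {finding.message}")
```

Run on the constructed data this produces two high-severity findings (the new registered office and the AD01 filing behind it) and one informational finding for the confirmation statement. In practice you would fetch the live record on a schedule, store the snapshot, and route anything from `high_severity` to whoever can ring Companies House and the bank the same day.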

Train Your Finance Team

Invoice fraud succeeds because people trust documents that look correct. Your accounts payable team needs a standing rule: any change to supplier bank details requires a verbal confirmation call to a number already held on record, not a number provided in the email. Every time. No exceptions. This single control stops the majority of BEC attacks cold.

Harden Your Email Infrastructure

Publish a strict DMARC policy (p=reject). Enforce SPF and DKIM. Check your domain on MXToolbox if you’re unsure of your current posture. Lookalike domains are far less effective when your legitimate domain has proper email authentication, because it creates a visible discrepancy in email headers that a trained eye, or a decent mail gateway, will flag.
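If you want to check that posture programmatically rather than through a web form, the following is an added example written for this article (not a tool the article names): it reads a domain's SPF and DMARC TXT records and lists every weakness it finds, so an empty list means the strict posture described above. The DNS answers are a constructed in-memory map so the check runs offline; to point it at a live domain, replace `lookup_txt` with a real resolver such as dnspython's `dns.resolver.resolve(name, "TXT")`.

```python
"""Assess a domain's SPF and DMARC posture from its DNS TXT records.

Added example for this article, not a tool the article mentions. The DNS
answers are a constructed in-memory map; swap lookup_txt for a real resolver
to check a live domain.
"""
from __future__ import annotations

# Constructed DNS data: one well-configured domain and one weak one.
CONSTRUCTED_DNS = {
    "good.example": ["v=spf1 include:_spf.mailprovider.example -all"],
    "_dmarc.good.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@good.example"],
    "weak.example": ["v=spf1 ip4:203.0.113.0/24 ~all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none; rua=mailto:dmarc@weak.example"],
}


def lookup_txt(name: str) -> list[str]:
    """Stand-in resolver over the constructed map (returns [] for unknown names)."""
    return CONSTRUCTED_DNS.get(name.lower(), [])


def spf_terminal(records: list[str]) -> str | None:
    """Return the SPF record's final 'all' qualifier ('-all', '~all', ...),
    'missing-all' if the record has none, or None if there is no SPF record."""
    for rec in records:
        if rec.lower().startswith("v=spf1"):
            last = rec.split()[-1].lower()
            return last if last.endswith("all") else "missing-all"
    return None


def parse_dmarc(records: list[str]) -> dict[str, str] | None:
    """Turn 'v=DMARC1; p=reject; rua=...' into a tag dictionary."""
    for rec in records:
        if rec.lower().startswith("v=dmarc1"):
            tags: dict[str, str] = {}
            for part in rec.split(";"):
                if "=" in part:
                    key, value = part.split("=", 1)
                    tags[key.strip().lower()] = value.strip()
            return tags
    return None


def assess(domain: str) -> list[str]:
    """List weaknesses in a domain's sender authentication; [] means strict."""
    issues: list[str] = []
    spf = spf_terminal(lookup_txt(domain))
    if spf is None:
        issues.append("no SPF record")
    elif spf in ("+all", "all"):
        issues.append("SPF ends in +all: any host may send as this domain")
    elif spf == "~all":
        issues.append("SPF ends in ~all (soft fail); use -all")
    elif spf == "?all":
        issues.append("SPF ends in ?all (neutral); use -all")
    elif spf == "missing-all":
        issues.append("SPF record has no terminal all mechanism")

    dmarc = parse_dmarc(lookup_txt(f"_dmarc.{domain}"))
    if dmarc is None:
        issues.append("no DMARC record")
    else:
        policy = dmarc.get("p", "none").lower()
        if policy == "none":
            issues.append("DMARC p=none: failures are reported but delivered")
        elif policy == "quarantine":
            issues.append("DMARC p=quarantine: consider p=reject")
        pct = dmarc.get("pct", "100")
        if pct != "100":
            issues.append(f"DMARC pct={pct}: policy applied to only part of mail flow")
        if "rua" not in dmarc:
            issues.append("no rua address: you will receive no aggregate reports")
    return issues


if __name__ == "__main__":
    for name in ("good.example", "weak.example", "absent.example"):
        print(name, "->", assess(name) or ["OK"])
```

DKIM is deliberately not checked here, because the selector names are per-sender and not discoverable from a single DNS query; confirm DKIM signing through your mail provider and through the aggregate reports that arrive at the `rua` address.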

The Bigger Picture: Open Data and Open Abuse

There’s a genuine tension here. Companies House transparency is a feature, not a bug. It enables journalism, due diligence, anti-corruption work, and academic research. The Global Legal Entity Identifier Foundation and various anti-money-laundering frameworks actively rely on this kind of open corporate data. Shutting it down is not the answer and is not going to happen.

The answer is awareness, verification culture, and better identity assurance on the Companies House platform itself. The Economic Crime and Corporate Transparency Act 2023 introduced identity verification requirements for directors, which is a meaningful step. But legislation moves slowly and attackers adapt quickly.

Companies House corporate identity fraud will keep being a viable attack vector as long as organisations treat the register as something that happens to them passively rather than an active part of their attack surface. Monitor it. Harden it. Train your people. The data is public. What you do with that knowledge is the variable.

Frequently Asked Questions

How do fraudsters use Companies House data to commit fraud?

Fraudsters pull director names, registered addresses, and company numbers from the public register to build convincing impersonation packages. They use this data to craft fake invoices, set up lookalike domains, or attempt to hijack dormant company identities by filing fraudulent changes with minimal verification.

Can I remove my home address from Companies House?

Yes. Under section 1088 of the Companies Act 2006, directors can apply to suppress a residential address from the public register. Going forward, you should always use a service address (such as a registered agent or accountant’s address) rather than your home address when filing.

What is dormant company hijacking and how does it work?

Dormant company hijacking involves an attacker filing a change of registered address for a dormant but legitimately incorporated company, redirecting official mail to an address they control. They can then attempt to open bank accounts or obtain credit under that company’s aged, clean-looking identity.

How can businesses protect themselves from Companies House-related invoice fraud?

The most effective control is a strict policy of verbally confirming any bank detail changes with a supplier using a phone number already on file, never one provided in an email. Combining this with DMARC email authentication and staff training significantly reduces the risk.

Does Companies House notify you if someone files against your company?

Yes. Companies House offers a free email alert service that sends a notification whenever a filing is made against a specific company number. You can set this up via the gov.uk follow service, and it’s one of the simplest defensive measures available to any UK company director.
