Even states that have implemented security features often fall short of the mark. Massachusetts' Secretary of State's office has password protected online filing. However, scammers can obtain a user name and password from the Secretary of State's office with nothing more than a valid e-mail address and the name of the LLC or LLP they are targeting.

Don Huntting, the president of in Westlake Village, California said that California, like other states, is behind the curve, with state agencies mired in bureaucracy and slow to process changes in business filings - let alone spot fraud in real time. He said that, in his state, it often falls to banks, which have higher standards of proof when setting up business accounts - to actually spot and stop business identity theft fraud. "The state is dropping the ball," Huntting said.

Wrosch of Oregon said the same is true in his state, acknowledging that the state's business registry can be manipulated or out of date, and shouldn't be the final word on the ownership of a company.

"We tell businesses: if you're relying on our database to show ownership or authority (of a company), then you're enabling business identity theft. Our registry is not the best indicator or the sole indicator of who is the owner or person in charge of a business."

Business identity theft wouldn't be a problem, he said, if "the people who had the money whether that's a bank or a credit card company didn't rely on the business registration ... what they see on our system."