COVID-19-related scams are running rampant. There are reports of a rise in charity fraud, fake job claims, fake COVID-19 tests on the black market, supply chain fraud, price gouging, cyber scams and more. In late 2020, two Texas men were charged with trying to sell $317 million in fake N95 face masks to a foreign government. The government made a payment to the men but the payment was intercepted before it went through, according to prosecutors.
In 2019, the U.S. Small Business Administration (SBA) in charge of the Paycheck Protection Program (PPP) loans, received under 800 calls on its fraud hotline. Through August of 2020, the fraud hotline had more than 42,000 calls. Though we have yet to know the real extent of fraud among government coronavirus relief packages such as PPP and Economic Injury Disaster Loans (EIDL), experts estimate it’s at least in the tens of millions. Multiple people have already been charged with PPP-related fraud claims.
A wave of attempted fraud is also hitting state unemployment benefits programs after states have struggled to process record-high claims. In October 2020, the Arizona Department of Economic Security said that it had prevented 43,000 people from receiving unemployment benefits in order to investigate potential fraud. According to the Wall Street Journal, officials believe U.S. state losses tied to unemployment insurance fraud will be in the billions of dollars.
There’s also the increased risk of insider threats for enterprises and government agencies, says Scot Walker, managing director with Mantle Advisors global investigations and intelligence firm, San Jose, Calif. As people are furloughed or their partner loses his or her job, people can become desperate. “There is, of course, the insider risk. If I give a loan to my buddy, he helps me out and gives me 25% [kickback] as a thank you because my wife is out of work. In challenging times, it’s not only criminal organizations that are threatening; people have to put food on the table,” he says.
In December 2020, a former employee of the Massachusetts Department of Labor was arrested and accused of misusing her position to submit fraudulent Pandemic Unemployment Assistant (PUA) claims for herself and her husband.
A former contract employee with California’s Employment Development Department, which administers the state’s unemployment insurance program, was charged in federal court with fraud and identity theft in connection with a scheme to steal hundreds of thousands of dollars in pandemic unemployment aid. According to the complaint, the woman conspired with her boyfriend, a prisoner at California State Prison, to submit fraudulent pandemic unemployment insurance claims for California state prisoners and out-of-state residents whose identifying information was stolen.
Indeed, with more than $300 billion given out to more than five million businesses through the PPP and a second relief package approved in the U.S. at the time of publication, a significant portion of funds is thought to be going to fraudsters, says Jon Goldberg, senior vice president and deputy director of financial intelligence at a large financial firm. “It’s a guesstimate and no one will really know the extent of it for another two years most likely, but we’ve heard that 40% of SBA-controlled PPP loans were either fraudulent or had misrepresentation or falsified information on the application,” he says.
And yet, fraud schemes within government programs are just the tip of the iceberg when it comes to fraud schemes that have spawned or increased due to the COVID-19 pandemic. “We are seeing CARES Act benefits fraud, SBA PPP and EIDL fraud, unemployment fraud, illegitimate products, supply chain fraud, and enhanced cyber threats and work-from-home vulnerabilities,” says Karl Perman, president and co-founder of risk consultancy CIP CORE, and a member of Security’s Editorial Advisory Board. “The scope and magnitude of fraud related to COVID-19 is huge.”
Much of the fraud happening related to COVID-19 right now can be broken into first-party fraud that entails a person or group applying for fake loans or lying on an application to receive bigger payouts, etc., and third-party fraud which includes stolen identities to apply for loans or benefit financially, account takeovers, synthetic ID fraud, phishing schemes, ransomware and more.
Recently, the U.S. Attorney’s Office in Baltimore reported authorities had seized two domain names posing as biotechnology companies developing COVID-19 treatments. An investigation began by Homeland Security Investigations after corporate security for Moderna Inc. located one of the fake websites and contacted authorities, according to the indictment. The site showed the name and trademarked logos for the biotechnology company and redirected visitors on the Contact Us page to a form requesting name, company/institution, title, phone, e-mail, and comments/questions. It’s unclear if any identifying information was gained or used by the threat actors before the sites were taken down by authorities.
On the enterprise side, many organizations have seen an increase in fraud related to job scams. High-profile companies have had fraudsters impersonate them in fake interview calls or emails, asking for private information to conduct background checks or to pay upfront for technology costs with reimbursement down the line — potentially damaging the company’s reputation and defrauding innocent people of money or their identities.
In addition to reports of impersonation such as the above, another risk seeing a surge is synthetic ID fraud, where a fraudster combines real biographic information with fake information to create a synthetic or fake person. An example of synthetic ID fraud, would be a bad actor using a child’s social security number along with a fake name and address to create a bank account or apply for a credit card. This type of fraud is the fastest growing type of financial crime in the U.S. right now, according to McKinsey.
Financial institutions and eCommerce merchants are also experiencing an increase in account takeovers (ATOs). ATOs — where a legitimate loan was requested or account created but a fraudster gains access to the account and removes funds — have grown by 378% since the start of COVID-19, according to Sift, a payment fraud solutions company’s Q3 2020 Digital Trust and Safety Index report.
This method has been used with PPP loans as well, Perman says. Because the government has published the names of everyone who applied for PPP and other programs for transparency, there have been reports of fraudsters trying to access that money through ATOs. “Someone legitimately takes out a loan and then a threat actor takes advantage of that by calling the institution and changing the address or clearing out the account. There are so many avenues that have opened up for unscrupulous people,” he says.
“The biggest thing with fraud criminals in general, is that they are going to target society, groups of the public, or specific countries at our most vulnerable times. They target weak links, and this is a very vulnerable time globally. It’s an opportune time for criminal organizations to take advantage,” Goldberg says.
On top of identity theft crimes, financial institutions have been hit hard with fraud related to the pandemic in a myriad of ways, not the least of which is backing fraudulent government loans or subsidies, as well as dealing with retails scams and purchases of fraudulent products.
With many PPP and EIDL funds that have been backed by financial institutions, questions remain on the final impact to the banking industry. Will the government pay that money back to the institutions and absorb the losses? Will the institutions be held responsible? “We don’t know. We know the impact of all this to the financial institutions will be negative, we just don’t know the size and scope yet,” Goldberg says.
One of the reasons why fraud increases in vulnerable times is that government agencies like the SBA, financial institutions and other organizations don’t have the bandwidth or time to investigate or follow up on everything. “There just aren’t enough resources to effectively monitor or regulate all of this,” Goldberg adds.
So, what happens? Well, the end, if you can call it that, will look a lot like what Walker refers to as The Goldilocks Story. “Baby bear, mama bear and papa bear each have a different size pot of [stolen] money. No one is probably looking at baby bear because the pot is too small. Mama bear may get in trouble depending on her jurisdiction or previous convictions, but most likely, if you’re a papa bear, those are the most attractive to the government and prosecutors, and they will get the attention. They’ll go to jail but the rest most likely will not.”
According to Walker, for enterprises, business continuity plans will become even more powerful going forward as the fraud continues. “Companies are going to have to pivot as risk increases,” he says. “Businesses should expect that the volume and velocity of threats will increase and they should assume everything is fraudulent.”