Identity, Threat Management

Federal auditors call for ‘robust systems’ to combat identity fraud in post-COVID era

Screen shot of SBA’s COVID relief program page. While identity theft was already a large and growing problem prior to 2020, legislation like the CARES Act funneled billions of dollars to small business loans reeling from the virus’ impact and boosted unemployment insurance programs for workers who had suddenly lost their jobs.

The federal government must stand up new “robust systems” to minimize identity theft and fraud and work to improve the processes for victims to report crimes, obtain their benefits, and restore their identities.

That’s the conclusion reached by a working group on identity fraud composed of multiple federal inspectors general office following a surge in identity theft and fraud that has swept the nation over the past two years. This surge in fraud has happened “in tandem” with the passage of massive new relief programs following passage of bills designed to keep businesses and unemployed workers afloat during the coronavirus pandemic.

While identity theft was already a large and growing problem prior to 2020, legislation like the CARES Act funneled billions of dollars to small business loans reeling from the virus’ impact and boosted unemployment insurance programs for workers who had suddenly lost their jobs. At the time, stopping the economic freefall and quickly getting money to those who needed it most were higher priorities for lawmakers than building in guardrails against fraud.

“First, Congress made a deliberate decision to make several pandemic relief programs widely available with minimal documentation in an effort to expeditiously get relief into the hands of people who needed it. Likewise, many of the programs were unveiled in crisis conditions without the necessary time to develop effective processes to detect and prevent fraudulent applications,” the group of auditors noted. “Secondly, outdated and inadequate technology systems at the state and federal level further compounded issues associated with the rapid program roll-out.”

There are numerous signals that this plan largely worked as intended: unemployment currently sits at or near record lows while other economic indicators showing large sections of the economy have mostly recovered from the dark days of 2020. However, it’s also clear that as a side effect, criminals, scammers and fraudsters have been benefitting from these same programs more than ever, pilfering an estimated hundreds of billions of dollars from programs whle also introducing new security risks for the Small Business Administration, state unemployment systems and others.

Even small volumes of fraud add up to big numbers. As one example, auditors note that law enforcement agencies were able to tie approximately $25 million in unemployment insurance fraud back to just eight individuals, who were using the identities of minors, prisoners and others to file false claims.  

“These acts of fraud are not victimless crimes,” said Rep. Jim Clyburn, D-SC, chair of the House Select Subcommittee on the Coronavirus Crisis this week. “This fraud exhausted funds badly needed by eligible Americans, particularly funds allocated to support small businesses that are crucial to making the American economy thrive.”

Hardening the relief system

There’s plenty of low-hanging fruit for agencies to grab as they look to improve their systems and processes.

For example, one of the recommendations presses federal agencies to improve coordination and communication with businesses and other organizations that suffer a data breach, since that data often inevitably winds up for sale on the internet and used to further fraud and identity theft schemes. While Congress, the Cybersecurity and Infrastructure Security Agency and the Securities and Exchange Commission moved to put in place new incident reporting rules that will flood the government with reporting on data breaches, other departments like Health and Human Services can already tap data on Medicaid related breaches from states that are supposed to report such data but aren’t.

The wave of fraudulent claims – and the inability of agencies to quickly spot and flag them – has revealed a core weakness in the government’s ability to connect the dots using information they already possess. For example, the Department of Labor likely could have identified individuals who illegally applied for unemployment insurance in multiple states, relied on dead or imprisoned people’s social security numbers to apply for benefits or used suspicious email accounts that hide identifying information. Those crimes accounted for more than $420 billion estimated losses to fraud in 2021.

Another recommendation: building out controls or processes to check for duplicate applications. Even temporary suspension of loans to allow for further investigation of the applicant’s IP address, email address, business address, or bank account to determine if they are eligible would have a positive impact, auditors claim.

Many unemployment insurance programs and other federal benefits are dispersed through state governments, and the inability to better coordinate on duplicate or suspicious applicants is a major driver of the problem. For example, the Department of Labor already has an agreement in place with the National Association of State Workforce Agencies that represents all fifty states and has unique, granular data on identity theft and fraud that could be leveraged. However, that agreement does not require the organization to report this data to the government. Similar failures by other federal agencies to tap financial services organizations and other sectors were highlighted in the report as well, and revisiting these agreements to make better use of those resources is paramount.

Support for fraud victims

Of course stopping or punishing fraudsters is just one part of the solution. The harder part: building a support system that can help defrauded individuals recover their money and restore their identities. Unfortunately this is an area where the government has also stumbled, with agencies like the SBA lacking a mechanism to track identity fraud complaints and provide assistance or access to federal programs where warranted.

In many cases, this would fall to the Federal Trade Commission, but auditors note that they must do so through a website that officials have designed as a “self-service” tool that pushes consumers toward a patchwork collection of agencies and policies depending on the type of fraud they’re dealing with. As such, a more proactive posture to identifying victims of fraud is required.

“Ultimately, no systematic process existed for victims of identity theft to report the issues to SBA or for the agency to reach back out to victims to provide information such as updates on the status of their cases,” the report notes. “Identity theft victims often reached out multiple times and reported having difficulties in speaking with officials who could help them resolve their issues.”

Derek B. Johnson

Derek is a senior editor and reporter at SC Media, where he has spent the past three years providing award-winning coverage of cybersecurity news across the public and private sectors. Prior to that, he was a senior reporter covering cybersecurity policy at Federal Computer Week. Derek has a bachelor’s degree in print journalism from Hofstra University in New York and a master’s degree in public policy from George Mason University in Virginia.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.