The COVID-19 pandemic put many businesses in a predicament. They needed to close their doors to stop the spread of the virus. But they also needed to make money to continue to exist and to pay their employees.

To help make up the difference, many business owners and operators applied for emergency loans that, if used appropriately, would be forgiven by the U.S. federal government.

That’s the course James R. Stote, 55, and Phillip J. Augustin, 52, were on when they applied for a Paycheck Protection Program (PPP) loan in mid-2020 for Augustin’s company, Clear Vision Music Group LLC. The PPP loan was guaranteed by the Small Business Administration (SBA) as part of COVID-19 relief efforts under the U.S. Coronavirus Aid, Relief, and Economic Security (CARES) Act.

There were just a few problems. Stote and Augustin falsified the documents to obtain the loan, and then after submitting an initial application, they worked to obtain even larger PPP loans for themselves and others. They used fake payroll numbers, false Internal Revenue Service (IRS) forms, and phony bank statements to submit for or facilitate at least 79 fraudulent loan applications worth at least $35 million.

One of those loan applications was for Diamond Blue Smith, 36, a recording artist and member of the rap group Pretty Ricky. Smith obtained a PPP loan worth $426,717 for his company, Throwbackjersey.com, using falsified documents. After receiving that initial loan, Smith reapplied for another PPP loan for his other company, Blue Star Records LLC—also with falsified documents. He received a loan of $708,065 and spent at least part of it at the Seminole Hard Rock Hotel and Casino and to purchase a Ferrari.

Smith’s activity was ultimately noticed by law enforcement, which arrested him. While detained, Smith told investigators he paid Stote and Augustine at least $250,000 in kickbacks for their help in preparing and submitting the loan applications.

Augustin, Stote, and Smith all pled guilty to conspiracy to commit wire fraud and were ordered to pay more than $1 million each in restitution. Federal agents also seized the Ferrari.

This investigation marked a win for the authorities, but it exemplified a particularly pernicious problem. In the wake of the COVID-19 pandemic, fraudsters have eagerly taken advantage of government loan programs, supply chain disruptions, and a generally overwhelmed public.

Government Program Fraud

To help bolster the economy and boost aid for people impacted by the COVID-19 pandemic, financial firms and governments around the world released billions of dollars in the form of unemployment insurance, loans, and grants to stimulate their economies.

In the United States, the government took similar measures. The U.S. Congress passed the American Rescue Plan and the CARES Act, which made $2.2 trillion available in loans, grants, and payroll protection to keep businesses open and maintain household income.

Part of that effort was the PPP, which initially included—with subsequent expansions in 2020 and 2021—more than $814 billion in loans to provide incentives for businesses to keep workers on payroll or rehire laid-off workers. Individuals and businesses applied for PPP loans to SBA-approved lenders, credit unions, and financial technology companies. If loan holders abided by the rules for receiving the loan and used the funds appropriately, the loan would be forgiven.

Additionally, the SBA was tasked with overseeing the COVID-19 Economic Injury Disaster Loan (EIDL) program. This new program provided $154 billion in emergency low-interest loans to help cover operating and other expenses—of up to $2 million—for eligible U.S. small businesses.

To help ensure that the money allocated through these programs was used responsibly, Congress tasked the U.S. Government Accountability Office (GAO) with tracking how it was used and conducting audits of the SBA. The GAO has also been receiving reports about the programs via its FraudNet hotline—where anyone can report allegations of fraud, waste, abuse, or mismanagement of federal funds.

Howard Arp, director, forensic audits and investigative service, GAO, oversees the FraudNet hotline. During the last two years, he says approximately 40 percent of incoming complaints were related to the CARES Act. These range from false eligibility for relief programs, misuse of funds from relief programs, and even complaints from people who received a PPP loan but never applied for one.

“We document the complaint and then have it for future reference,” Arp explains. “If the complaints are fairly specific, that instance and allegation of fraud is referred to the appropriate Office of Inspector General or the Department of Justice. We also have it documented, and we can consider it for future work and ongoing work.”

Additionally, the GAO began reviewing the distribution process for PPP and EIDL loans, how loans are transitioned into forgiveness, and the reported risks and fraud associated with these stages.

“We also were seeing cross-cutting fraud, people were not siloed,” says Rebecca Shea, director, forensic audits and investigative service, GAO. “People were exploiting the PPP and EIDL and then the tax credits as well, and unemployment insurance. We’re starting to see an increasing number of cases that were exploiting programs…it could run the gamut…VA contract fraud to stealing checks out of people’s mail for those tax credits.”

The GAO made a series of recommendations to improve oversight of PPP and EIDL, some of which the SBA has acted on. In the meantime, however, the GAO has placed the emergency loan programs on its High-Risk List because SBA has not finalized plans to oversee its PPP and EIDL program, placing hundreds of millions of federal dollars at risk of improper payment. The GAO High-Risk List consists of U.S. federal programs and operations that are vulnerable to waste, fraud, abuse, and mismanagement, or programs that need broad reform.

“The Small Business Administration has provided hundreds of billions of dollars’ worth of loans and advances to help small businesses recover from adverse economic impacts created by COVID-19,” the GAO said in a release. “While loans have greatly aided many small businesses, evidence of fraud and significant program integrity risks need much greater oversight and management attention.”

Johana Ayers, managing director of forensic audits and investigative services at the GAO, says, “This area was added because there was a belief on our part at GAO that these programs, like the other issue areas, were at high risk for fraud, waste, and abuse, and were in need of significant transformation.”

The GAO based this assessment partially on the fact that SBA’s own independent financial statement auditor had noted in December 2020 that PPP loans and EIDLs went to “potentially ineligible borrowers,” according to a GAO report.

“For example, the auditor noted that there were over 2 million approved PPP loans (with an approximate total value of $189 billion) flagged by SBA that were potentially not in conformance with the CARES Act and related legislation,” the GAO explained. “The auditor also identified over 6,000 disbursed EIDLs (with a total value of over $212 million) that were issued to potentially ineligible borrowers.”

Additionally, financial institutions filed more than 21,000 and 20,000 suspicious activity reports related to PPP and EIDL with the Financial Crimes Enforcement Network (FinCEN) between May and October 2020, when funds became available. The SBA’s Office of Inspector General had also received thousands of complaints of potential wrongdoing related to the loan programs, and by October 2020 it had seized—with other law enforcement agencies—more than $450 million from fraudulent EIDL loans.

Two issues inherent to the emergency nature of the programs opened avenues for fraudsters: streamlined applications and a staggering number of loan requests. In the EIDL program, the application process was streamlined to the point that the SBA was prohibited from checking against Internal Revenue Service (IRS) tax records before granting loan approvals.

“That would be a key way for the agency to check if it was actually a business, had payroll in the last year, and met the requirements to be established,” Shea says. “They would have been able to have ownership, checking against IRS records before the loans were dispersed and approved.”

SBA also was dealing with the challenge of sorting through the significant number of loan applications, Shea adds, which was a tremendous push for the agency that ultimately subjected it to increased fraud.

“They issued more loans in that time period (mid-2020) than they had in the past 10 years, so they did have to make that balance,” she explains. “But there were some basic things they could have done that they did not do.”

For instance, SBA did not have fraud risk assessments and fraud risk profiles in place for its programs before the pandemic began.

“SBA was caught by surprise in a variety of ways, but they could have been much better prepared. They’ve been providing EIDL funds, and they didn’t have a fraud risk assessment for that at all,” Shea says. “They could have put something together. The situation is not that unusual…. We beat the dead horse of having your fraud risk assessment up front. It’s going to help you figure out what levers you can pull and what you need for detection.”

While it is not on the High-Risk List, the GAO has also expressed concerns about unemployment insurance and the ability to conduct oversight into how those funds were dispersed during the pandemic. Unemployment insurance is a regular program in the United States, but during the COVID-19 pandemic the U.S. federal government expanded eligibility requirements and increased the federal payouts to unemployed individuals, who typically apply online.

As of December 2021, Seto J. Bagdoyan, director, forensic audits and investigative service, GAO, says approximately $900 billion has been distributed through unemployment insurance during the pandemic. Based on prior analysis and experience, 10 percent of those funds are likely being lost to fraud.

“You’re losing $90 billion off the top,” Bagdoyan says. “It’s probably much worse, because of the schemes that have hit the agencies and support programs.”

These schemes include those introduced by organized crime efforts—originating primarily in China, Hong Kong, Nigeria, and Russia—using cyberattacks to compromise bank accounts, identities, and even mimic unemployment office websites to attract unsuspecting individuals, Bagdoyan adds. One private firm that provides cybersecurity protections to unemployment systems told the GAO that once U.S. federal funds stopped flowing into COVID-19 unemployment programs, there was a 40 percent drop in targeted attacks from organized crime entities.

“Some of these schemes will become embedded in traditional programs post-COVID,” Bagdoyan says. “And then they will be revived with the next emergency on the scale that we’re seeing now. It’s really difficult to counter. You have to make a good faith effort to have the best set of controls you can, that you’re managing as well as you can.”

The GAO has recommended that the U.S. Department of Labor create controls based on the auditor’s Fraud Risk Framework, including defined and documented responsibilities and authority for managing fraud risk assessments and facilitating communication among stakeholders on fraud-related issues. As of Security Management’s press time, the department had not agreed or disagreed with the recommendations.

Commercial-Level Fraud

Government fraud controls were not the only ones being tested during the COVID-19 pandemic. Private industries were also hit hard.

Back in April 2021, the Association of Certified Fraud Examiners (ACFE) research team had been tracking the significant level of fraud the private sector was experiencing. But it was feeling optimistic about the future. Vaccines for COVID-19 were being distributed, cases in some parts of the world were coming down, and some individuals were starting to talk about what post-pandemic life would be like.

So, in mid-2021 the team named the fourth report in its survey series on fraud and COVID-19, The Next Normal: Preparing for a Post-Pandemic Fraud Landscape. Since then, however, additional disruption due to large portions of the public refusing to take the COVID-19 vaccine, delays in distribution and returns to the office, and major supply chain challenges have slowed economic recovery efforts. As of 2 January, just 62 percent of eligible Americans were fully vaccinated, according to the Mayo Clinic.

“I anticipate we’ll be doing a retrospect here,” says Andi McNeal, CFE, CPA, research director for ACFE and one of the authors of the report, in a December 2021 interview with Security Management.

The findings in the fourth report, however, tracked with what ACFE has been seeing throughout the COVID-19 pandemic—fraud is up and is expected to continue to climb.

In their survey of 1,539 ACFE members in more than 100 countries, the ACFE research team found that 51 percent of respondents said their organizations have uncovered more fraud since the onset of the pandemic and 71 percent expect the level of fraud impacting their organization to continue to increase. Just 14 percent said they had uncovered less fraud.

Business operations changed during the pandemic, including a shift to remote work. This adjustment opened doors for fraud.

“All controls built around in-person operations had to be reconfigured and reengineered,” McNeal says. “Certain people were performing functions they hadn’t before, so that’s going to leave gaps as to where the security was.”

For instance, many financial processes require two people to sign off on an invoice or expense before it’s approved. In a physical office environment, one person could walk the invoice or expense report to the other person to sign before filing it.

Virtually, that same process can be replicated by sending the invoice electronically and having the second person sign the document using a digital signature. It’s much easier, however, for a fraudster to intercept that electronic communication and insert a fake digital signature than it would be to physically intercept it or to forge it entirely.

Such an incident happened in 2020, when a director of a mobile home and residential vans company forged his estranged wife’s digital signature on a loan application sent via email before liquidating the company and declaring bankruptcy. The lender went after his wife for repayment, which ultimately led to an investigation using DocuSign metadata and mobile phone location evidence to determine the husband had signed into her accounts without consent to use her signature to take out the loans.

“Companies had to shift priorities quickly and repeatedly,” McNeal explains. “When the employees performing those operations are following a moving target, that can make it hard to make sure the protections we have in place are working. There’s inherent friction between swift responses and controls. The faster we have to change and adapt, the more vulnerability there is.”

This is especially true as 80 percent of survey respondents said cyber fraud—business email compromise, hacking, ransomware, and malware—and social engineering are the categories they expect to increase the most in the next 12 months. McNeal says an aspect of cyber fraud that is particularly challenging for organizations is the multiple motivations behind it—personal gain, political motivations, disruption intentions, or competitive reasons.

“Other risks projected to see large increases include identity crime (e.g., identity theft, synthetic identity schemes, and account takeovers), unemployment fraud, and payment fraud (e.g., credit card fraud and fraudulent mobile payments),” according to the report.

Surprisingly, however, fewer survey respondents said they anticipated fraud growth in three areas historically used to track internal or occupational fraud: employee embezzlement (54 percent), bribery and corruption (52 percent), and financial statement fraud (47 percent).

McNeal cautions that this is still a significant portion of respondents anticipating some growth in those areas, but she says that because they are more familiar types of fraud, organizations may feel they know how to adjust their controls and processes to respond.

“We’ve gotten used to working remotely. We’ve built out our duties and are making sure they’re doing that monitoring…and maybe using analytics,” McNeal says. “So, in a way, those external factors are feeling harder to monitor.”

Recovering the Funds

An individual fraudster might make off with a few thousand dollars, but when his or her profits are combined with others’ it can create massive losses for government agencies and companies alike.

To put that into perspective, the U.S. Secret Service announced that as of 12 December 2021 it had more than 900 ongoing investigations into the fraudulent use of COVID-19 relief applications—with relief funds valued at nearly $100 billion.

“That’s a combination of pandemic benefits and all the other benefits programs, too,” said Assistant Special Agent in Charge Roy Dotson, who was tapped as the Secret Service’s national pandemic fraud recovery coordinator, in a statement. “Every state has been hit, some harder than others. The Secret Service is hitting the ground running, trying to recover everything we can, including funds stolen from both federal and state programs.”

And while individuals may be charged and ultimately convicted for fraud, it is unlikely that the money itself will be fully recovered. Arp—who previously worked in the inspector general’s office at SBA and investigated EIDL fraud before joining the GAO—says it typically involves a long investigation and adjudication to forfeit those funds, whether it be a civil fraud case, criminal fraud case, restitution, asset forfeiture, or seizure of the money.

“The pandemic isn’t what opened everyone’s eyes,” Arp adds. “They’ve known for years; we’ve made recommendations for years…and at the end of the day, it seems that there’s the pay and chase model many people think is perfectly fine. But once it’s gone, you might as well count it gone.”

Bagdoyan agrees and says that the GAO is trying to use the national emergency of the COVID-19 pandemic as a case study for preparing agencies to have a crisis model that can be deployed on short notice to ensure there is program integrity on the front end.

“With improper payments, the recovery rate has been historically on the poor side,” Bagdoyan says. “Once the money is gone, it’s spent or consumed. Restitution is a very deliberate and long-term process that rarely yields full results, so you may be recovering pennies on the dollar.” n

Megan Gates is senior editor at Security Management. Connect with her at [email protected]. Follow her on Twitter: @mgngates.