Foreign fraudsters broke feds’ firewall to steal pandemic loans: audit


Foreign criminal syndicates are estimated to have stolen tens of billions of dollars in pandemic relief money, and a new inspector general’s report is shedding light on how some of that happened.

The Small Business Administration’s watchdog says the agency tried to block foreign applications for its Economic Injury Disaster Loans (EIDL), one of two major programs to prop up businesses during the early pandemic shutdowns.

But thousands of applications filed from foreign Internet Protocol addresses still got through the SBA’s firewall, causing the agency to dole out about $1.3 billion in payments the inspector general deemed at severe risk of being fraudulent.

Filing from overseas isn’t an automatic signal of fraud or an illegal payment, but it is a major red flag, the Office of the Inspector General said.

“The numerous applications submitted from foreign IP addresses are an indication of potential fraud that may involve international criminal organizations,” the inspector general said in announcing the investigation Monday evening. “OIG has ongoing investigations into international organized crime operations that applied for and stole pandemic relief funds.”

The audit didn’t expand on those investigations, but overseas criminal syndicates have been identified in massive amounts of fraud related to U.S. pandemic spending.

There were three major relief programs: expanded unemployment benefits, which totaled about $900 billion; the SBA’s Paycheck Protection Program, which extended about $800 billion in forgivable loans to small businesses to keep them afloat; and the EIDL, with roughly $342 billion in loans, grants and advance payments to businesses.

Unemployment benefits were particularly vulnerable, with few controls early on to weed out bogus applications. One estimate puts total unemployment fraud at more than $200 billion, with international criminal syndicates likely accounting for well more than $100 billion. Much of that went to organizations tied to America’s adversaries in Iran and Russia.

The SBA programs were somewhat tougher to scam, though early estimates still run to tens of billions of dollars, and the new inspector general’s report captures some of that activity.

The audit found that SBA weeded out “millions of attempts” to submit EIDL applications from foreign IP addresses.

The audit found that SBA officials were aware of the potential for fraudulent foreign applications and took steps to combat it with a four-layer defense.

The first layer was a firewall that was supposed to block applications from six countries with histories of fraud. The second layer was another firewall that was supposed to block any application with a foreign IP address altogether.

Layer three was supposed to flag any foreign IP addresses that still made it through, and layer four was a personal review by a loan officer.

The audit found foreign IP addresses were able to access the loan system more than 233,000 times.

Nearly 42,000 applications from foreign addresses made it all the way through and were granted, totaling $1.3 billion in loans, grants and advance payments.

When auditors went back and looked at 50 applications that got through the firewall despite coming from foreign addresses, they found 16 weren’t flagged by the third layer defense, and of the 34 that were flagged, the in-person loan officer review bungled 15 of them.

Both SBA and the contractor it hired to process applications pronounced themselves stumped at how foreign IP addresses were able to circumvent the firewalls, the audit said.

In an official response to the audit, SBA Associate Administrator Patrick Kelley sought to put the numbers in context.

He said successful foreign IP applications were just 1% of all approved EIDL cases and the SBA did a particularly good job of weeding out applications from the six high-risk nations, which the report did not name.

And the $1.3 billion in overseas payouts was less than half a percent of total EIDL spending.

Mr. Kelley also said the system was set up at a time when experts warned of a looming economic collapse amid the early days of the pandemic shutdown.

“As a result, the initial focus of SBA’s COVID relief programs had to be on providing financial assistance as quickly as possible to respond to the crisis,” Mr. Kelley wrote. “While it is true that great speed was needed when developing the COVID EIDL program and to deliver this economic assistance to millions of small businesses impacted by the pandemic; we do not believe there is a tradeoff between speed and fraud controls.”

SBA generally agreed with the inspector general’s recommendation to go back and review all foreign IP address applications that got through the system and figure out which ones were actually bogus. The agency said it will try to recover the money.

Nigeria, known for being home to sophisticated and determined fraudsters, led the way among foreign IP address applications with 33,477 submitted. Of those, 241 were approved, totaling nearly $20 million.

Canada led the way in dollar amount, with $183 million paid out on 3,755 applications. A total of 20,500 were submitted from Canadian addresses.

