The past 16 months have been challenging. COVID-19 left a trail of destruction and a tremendous loss of life. It has had an impact on almost every aspect of daily life. The economy, supply chains, social norms, schools, and places of worship were all affected. The pandemic also led to increased risk of financial fraud and cybercrime. The nation seems to be turning the corner on the pandemic, and people are gradually setting their sights on returning to a new normal way of life.
The digital systems people utilize to socially interact, conduct their business, purchase goods, and in some cases seek medical help, all face increased risk of falling victim to a COVID-19 motivated criminal scheme of attack. With government agencies and the private sector gradually shifting from maximum telework mandates, people are still spending increased time at home working from remote devices.
Bad actors continue to exploit people’s uneasiness and anxiety by sending fictitious emails requesting charitable donations, peddling counterfeit personal protective equipment (PPE), or touting a COVID-19 vaccine.
There has been an onslaught of phishing attempts and emails directing unsuspecting people to malicious websites with suspicious attachments. These attempts could lead to loss of personal information, unauthorized access to company networks, and financial fraud. There is no central repository for COVID-19 related fraud. However, the Federal Bureau of Investigation (FBI) Internet Crime Complaint Center (IC3) is a great mechanism for the public to report internet-related crime.
Over the course of the past few months, the Secret Service has observed a clear evolution of the types of frauds being perpetrated… With workers out of the office, many of the normal oversight mechanisms that have might otherwise have prevented an organization from becoming a victim, such as in-person approval for wire transfers, made organizations especially susceptible to (Business Email Compromises) BECs.
—Michael D’Ambrosio, Assistant Director Office of Investigations
United States Secret Service
The sudden surge in working from home across the nation led to increased personal router attacks where, in addition to identity theft attempts, traffic was redirected to malicious domains in attempts to gain employee credentials. These phishing emails represent an easy and cost-effective way to get into a company’s systems. Good cyber hygiene and company insider threat practices are the recommended steps necessary to help reduce this risk.
Methods & Trends
Many of the patterns and trends in identity theft that were prevalent four to five years ago are being deployed once again. As witnessed after the Hurricane Katrina disaster relief in 2005 and the big bank bailout of 2008, criminals acted quickly to fraudulently acquire millions of U.S. dollars, capitalizing on the abundance of available money and lack of controls. Each new crisis creates similar vulnerabilities.
During the height of the COVID-19 pandemic, the previously used methods and techniques were resurrected by fraudsters. One example is the increases in COVID-19 themed phishing and fraud campaigns that leverage the coronavirus crisis and the subsequent stay-at-home restrictions. In his statement before the Senate Judiciary Committee on 9 June 2020, Calvin A. Shivers, assistant director, Criminal Investigative Division FBI, warned of this increase in fraud:
As of May 28, 2020, the Internet Crime Complaint Center (IC3) received nearly the same amount of complaints in 2020 (about 320,000) as they had for the entirety of 2019 (about 400,000). Approximately 75% of these complaints are frauds and swindles, presenting a challenge for the FBI’s criminal program given the sheer volume of submissions.
One year later with the FBI’s release of its 2020 Internet Crime Report, records indicate the agency received a staggering 791,790 complaints of suspected internet crime, representing ~300,000 more complaints than 2019. Reported financial losses now exceed $4.2 billion. Approximately 28,500 of the complaints submitted to the IC3 in 2020 were related to COVID-19.
Early in the pandemic, the Department of Justice (DOJ) established COVID-19 task forces throughout the country with several other agencies including the Federal Emergency Management Agency, U.S. Department of Health and Human Services, U.S. Small Business Administration (SBA), and the U.S. Treasury. DOJ’s efforts were supported and augmented by its state and local law enforcement partners, who allowed the DOJ to get a head start in combatting the inevitable fraud. Initial complaints and arrests regarding price gouging and hoarding of PPE (N95 masks, gloves, etc.), COVID-19 related charity scams, investment frauds, and business email compromise schemes were publicized by the U.S. Attorney’s Office, Western District of Pennsylvania.
On 17 May 2021, U.S. Attorney General Merrick B. Garland established a Task Force to coordinate investigative efforts across government aimed at combatting COVID-19 fraud. As of May 2021, the DOJ’s efforts have led to the charging of approximately 600 defendants with crimes involving over $600 million in 56 federal districts across the United States.
The common factor and motivation for most financial crimes is simple: greed. Criminals use data created by the explosion of online transactions and mobile devices for nefarious purposes like redirecting tax funds, intercepting social security entitlements, and gaining access to sensitive government information. According to data compiled by the Federal Trade Commission (FTC) there have been more than 580,000 complaints filed by consumers to the FTC reporting over $531 million in financial losses related to COVID-19 related scams.
- Unemployment insurance scams
- Small Business Loan scams
- Identity fraud (synthetic, individuals, businesses, email accounts) in submitting applications
- Loan fraud associated with the CARES Act
- Fraudulent loans obtained by new businesses or existing business accounts taken over by fraudsters
- Fraudulent use of the Paycheck Protection Program
- Mortgage scams to include fraudulent refinancing, Home Equity Line of Credit (HELOCs), short sale fraud, and loan modification scams
- Treatment scams
- Supply scams
- Healthcare provider fraud related to in-person and telemedicine healthcare services
- Charity scams
- Phishing scams
- App scams
- Investment scams
- Price-gouging scams
The 2020 Internet Crime Report indicated the FBI received a staggering 791,790 complaints of suspected internet crime, representing ~300,000 more complaints than 2019.
All industries have felt the impact of the pandemic as COVID-19 continues to impact the global digital economy, regional economies, industries, businesses, and consumer behavior. Compared to the previous six months, the January-June 2020 LexisNexis Cybercrime Report showed a 38% and 32% growth in bot attacks on financial services and e-commerce merchants, respectively. This demonstrates the extent of fraud with online payment transactions as seen by the onslaught of fraud attempts targeting the Small Business Administration’s Paycheck Protection Program. With the Pandemic Unemployment Assistance (PUA) program, an estimated 10% were reported as improper payments due to fraud.
The flood gates appear to be open given the seemingly low barriers to entry. Criminals either are just brazen or believe that agencies cannot handle the number of claims, thereby resulting in many cases of obvious fraud attempts. For instance, criminals have attempted the following tactics: use of deceased identities, use of the same physical address, use of vacant addresses, or houses for sale as an applicant’s input address on loan applications are obvious indicators of fraud. Although the use of different types of disposable domains is not a new fraud tactic, there has been an increase in the use of multiple instances of foreign disposable domains.
Resilience of Fraudsters
Crime is certainly not new nor is the ingenuity and tenacity of criminals to find new and creative ways to further their illicit activities. The technology and communication systems meant to foster good governance and provide for the well-being of civil societies are by default the very systems exploited by criminal actors to commit financial fraud around the world. Financial and cybercrime have no borders.
The COVID-19 pandemic and efforts to provide financial relief to individuals, families, and small businesses had an unintended consequence – it also brought transnational crime into homes. Government agencies at all levels – including law enforcement – are on the front line when it comes to this type of fraud activity. Unemployment fraud, identity theft, money laundering, and other scams have a common COVID narrative. There is no shortage of fraud opportunities with the focus of attack being the Coronavirus Aid Relief, and Economic Security (CARES) Act, Economic Injury Disaster Loan (EIDL), Economic Impact Payment (EIP), and Paycheck Protection Program (PPP).
The SBA dispensed two sources of funding to small businesses negatively impacted by the pandemic: PPP and the EIDL. The issuance of any such government-wide stimulus package is followed by fraud. The United States Secret Service alerted members of the Senate Committee on the Judiciary to the alarming fact that, even assuming “very low rate of fraud, of just 1%, we should still expect more than $30 billion will end up in the hands of criminals.”
Well over a year after the onset of the pandemic and subsequent related fraud, the financial losses reported by various law enforcement agencies is staggering. On 12 May 2021, the United States Secret Service reported the seizure of over $640 million in fraudulently obtained funds and effected the return of approximately $2 billion to state unemployment insurance programs. Well-organized fraud rings successfully exploited the COVID-19 crisis to commit large-scale fraud. Statewide government unemployment insurance scams are rampant, resulting in tremendous financial loss to the taxpayer.
The Internet Threat Landscape
The world and its interactions are interconnected and increasingly reliant on the dependability and convenience of technology. Inadvertently, the world’s adoption of digital technologies for the ease of business and communications has led the Internet (an open-source medium) to become a nearly limitless reservoir of publicly accessible information. This information, or as commonly referred to as “open-source information” represents a potential treasure trove to criminal actors. Just about anything can be in online open sources including social media profiles, web pages, online newspapers and publications, books, geolocation data, IP addresses, and personally identifiable information (e.g., full names, addresses, social security numbers, dates of birth, metadata, device information, demographic data, and physical traits). This information is often exploited by malicious actors.
As the world struggled with COVID-19, cybercrime increased by more than 600%. A prediction made by Juniper Research in 2018 indicated that by 2023 approximately 33 billion digital records will have been stolen by malicious threat actors.
- In 2020, approximately 11.7 billion devices are connected to the Internet worldwide and are exposed to malicious cyberattacks. Although estimates vary, the number of Internet-connected devices are expected to be as high as 30.9 billion or more by 2025.
- Although third-party quantitative studies were not obtained on the prevalence of specific internet threats such as doxxing (i.e., revealing personal information about someone online without their consent) as of 2020, an analysis of open-source data revealed a drastic increase in the use of doxxing as a tool of political intimidation and personal grievances.
- Nearly 98% of cybercrime incidents make use of social engineering tactics. Social engineering refers to the deliberate use of manipulation or deceitful tactics by a malicious attacker to entice a person to disclose sensitive or personal information.
- According to Verizon Wireless, in 2021:
- Cyberattackers increased malware attacks against U.S. victims, healthcare, and public sector.
- Credential theft and social attacks were the cause for 67% of cyber breaches and the majority (86% of breaches) continue to be financially motivated.
On the Horizon – Front-End Identity Authentication & Private Sector Capabilities
The pandemic’s impact seems to have strained law enforcement’s resources and ability to identify and mitigate this criminal activity. Private sector partnerships are vital to this effort as the vulnerabilities to the nation’s financial sector and supply chains have been targeted by fraudsters and cybercriminals.
Supply chain risk management vetting is vitally important as the pandemic exposed the vulnerability of government procurement offices, which often lack expertise to identify threats and conduct proper risk assessments. This is normally the jurisdiction of an organization’s investigative teams. COVID-19 exposed the dire need for government to grow these capabilities and seek solutions to better protect their supply chains and avoid rampant fraud and insider threats.
The public sector should implement more rigorous standards and anti-fraud safeguards to better assume a more proactive stance in identifying fraud before it happens. Efforts to improve front-end identity verification and authentication would save taxpayers untold billions of dollars that otherwise would go into the pockets of fraudsters or their bank accounts and crypto wallets.
Business and identity data are not static. They evolve, and connections of risk tend to hide behind them. Businesses are purchased, there are shell and shelf companies, company officers change, and so on. A multi-layered approach is needed that solves the scope of issues around verification, fraud analytics, authentication, and identity proofing without creating a negative experience for end users. Front-end identity authentication is central to how the government dispenses entitlements, stimulus, benefits, and contracts to all types of applicants, including businesses.
Front-end identity authentication also ensures that a person’s claimed identity matches their digital footprint, internet behavior, and patterns of activity of a connecting device. New ways are needed to look at digital identities and known patterns of behavior versus that of a bot. Using big data across a shared global network can identify high-risk users accessing systems by looking at behavior that deviates from the norm or from trusted digital identities seen through millions of other consumer interactions.
Digital intelligence can automatically alert information technology professionals to potential threats at the time a user connects to an agency’s protected infrastructure. Front-end identity and authentication help protect all types of government portal or network access for citizens, applicants, and employees. This method avoids a futile pay and chase fraud scenario.
Clean-Up the Fraud & Return to Core Mission
Government agencies and their employees are mission-focused and under considerable demands and constraints. The pandemic created broader issues than just individual identity fraud. Businesses are now a big part of the identity verification problem. It is important to keep in mind that companies do not commit fraud, people do. Now is the time for agencies to prevent procurement fraud, supply chain risk, and business compliance schemes by vetting the company on the front-end. Just like individuals, businesses leave many “data footprints” through actions, such as securing assets, establishing points of contact, paying taxes, and legal proceedings. Reliable business intelligence is a must for agencies to be prepared for this type of fraud and to fix vulnerabilities before they happen. Criminals only need to be lucky once, businesses and people must protect the data 100% of the time.