This spring, the coronavirus pandemic quarantined millions of Americans inside their homes for months. In a desperate attempt to save an economy that went into freefall practically overnight, the government went on the largest, fastest spending spree in history.
One of the biggest slices of the stimulus pie went to businesses. In fewer than six months, the better part of a trillion dollars was spent propping up millions of businesses nationwide.
Now that the dust is starting to settle, questions are mounting about how funds were distributed, whether there were sufficient safeguards to protect the public purse, and just how much fraud has occurred. The answers are causing significant alarm. Coronavirus stimulus may have enabled the largest-ever theft of government funds. Criminals harnessed the power of the internet to exploit what some call federal government negligence to steal untold billions of taxpayer dollars, much that will never be recovered.
On March 27, Congress passed the Coronavirus Aid, Relief, and Economic Security (CARES) Act, the first of several relief packages that have cost taxpayers a cumulative $6 trillion to date. To put that in perspective, the 1930s New Deal would cost roughly $800 billion in today’s dollars.
Economic relief for businesses, via loans and grants through the Paycheck Protection Program (PPP) and Economic Injury Disaster Loans (EIDL), was one of the biggest line items in these bills. EIDL, which predates the better-known PPP loans, offered grants of up to $10,000 and loans of up to $2 million; PPP provided forgivable loans of $10 million max. To date, $525 billion has gone to the PPP; another $190 billion has been approved for EIDL, according to the Small Business Administration (SBA), which implemented the programs.
Three-quarters of a trillion dollars is an enormous sum, but most consider it money well spent for saving millions of American jobs and businesses.
Be that as it may, in its haste to distribute funds, independent oversight agencies now say SBA neglected to effectively protect against fraud, even after being warned. It’s now believed that billions vanished due to what some, including members of Congress, label mismanagement by SBA. Double payments, loans and grants to phantom businesses, identity theft, and other misconduct have been rampant. Criminals have exploited the lack of oversight to line their pockets, in some cases to the tune of millions.
Alarms were raised almost as soon as funds started hitting bank accounts last spring. On May 5, two men became the first charged with PPP fraud. Assistant Attorney General Brian A. Benczkowski told USA Today that they would be the first of many.
“We have a lot of leads,” Benczkowski said.
By the end of July, the SBA Office of Inspector General (OIG) had received more than 5,000 complaints from financial institutions flagging incidents of potential fraud in the programs. “Nine financial institutions have reported a combined total of $187.3 million in suspected fraudulent transactions,” OIG stated in its preliminary report on July 28.
“Our preliminary review reveals strong indicators of widespread potential fraud in the program.”
The full report is due out later this month.
OIG has also been inundated with reports of identity theft. On Oct. 1, Inspector General Hannibal “Mike” Ware told a Congressional committee that they’ve received thousands of complaints thus far—and climbing.
In recent months, the millions who obtained PPP loans received letters from SBA notifying them that payments were deferred until July 2021.
To many, the letters were a relief. The deferment gave them more time to apply for loan forgiveness, and for the government to consider it, which is likely to be a lengthier process than applying for the loan itself.
To thousands of others, the letters were a surprise. They hadn’t taken out any loan.
“People are finding out for the very first time that their identities were stolen when they hear from SBA that their loan payments are going to be deferred,” Inspector General Ware testified to the Congressional Small Business Committee, “And they’re like, ‘What loan payments? I’ve never had a loan from SBA.’”
“This is routine. We’re getting this dozens of times every single day. We’re hearing some heartbreaking stories out there.”
A business owner in Florida who asked not to be named was among those shocked to receive an $80,000 bill for a loan they never took out.
West Virginia resident Em Carpenter, an editor at Ordinary Times, also received an unwelcome surprise in her credit report over the summer. Someone applied for an SBA loan in her name. Via Twitter direct message, she told the Daily Dot that she immediately tried to get to the bottom of the matter. Carpenter, who doesn’t own a business, said that she wasn’t contacted by a bank or SBA to verify the application. Nor has she been able to get to the bottom of it.
“I have tried to contact the SBA, but the hold time has been 2-3 hours and I don’t have that kind of time,” Carpenter said.
Carpenter said she filed a complaint with the Federal Trade Commission (FTC) and placed a fraud alert on her credit. This was in August. Two months later, she’s still waiting to hear back.
“I don’t even know if it was approved. All I can see is that they ran my credit,” she said, “…I have not heard anything.”
Carpenter doesn’t even know if the loan was approved, but it hasn’t shown up on her credit, so she’s hoping it was denied.
David Goldstein, a senior fellow at Civic Ventures, had the same experience. On Aug. 5, one day after a presumed thief tried to use Carpenter’s social security number (SSN) to apply for an SBA loan, Goldstein received word from Experian that someone had done the same to him.
Via DM, Goldstein said that three months prior, someone fraudulently used his SSN in an unsuccessful attempt to file for unemployment.
“I can’t know for sure if either were successful because I’ve never heard back,” Goldstein said.
Scores of others online have made similar assertions about their identities being stolen to apply for SBA assistance.
A question about PPP fraud on the smallbusiness subreddit generated hundreds of comments detailing different types, and how SBA’s lack of oversight has facilitated it. Many noted that businesses will be left holding the bill, regardless of who’s to blame.
“I’ve literally been working these applications for like a month now. Check the requirements for PPP loans on SBA.gov. 100% on the business owner regarding submitted documents related both to the initial applications and, later on, loan forgiveness,” wrote one.
“No way would banks participate in a lending campaign this massive without ensuring they won’t be on the hook for any borrower misdeeds. The regular SBA process is 25-30 days and these are being pushed through in hours.”
Because banks aren’t on the hook for fraudulent loans, they arguably have less incentive to safeguard against it. This plus speed may have facilitated theft of astronomic proportions.
A post on the politics subreddit linking to a story about coronavirus relief fraud inspired some to share their own experiences.
One who said they work for a credit union wrote that a would-be thief used an elderly customer’s account to deposit a $40,000 PPP loan. “Apparently we don’t reconcile names on deposits and account names,” they explained. Another said that someone tried to use both he and his spouse’s identities to apply for PPP loans.
Identity theft expert Carrie Kerskie expected the programs to be targeted. Kerskie, who hosts a podcast about the issue, told the Daily Dot that criminals are always looking for new ways to make a buck.
“As soon as I heard about the PPP programs rolling out, I knew what they were going to do,” Kerskie said.
Law-abiding citizens weren’t the only ones who felt the economic pinch of the pandemic, she said. “[Criminals] had to get creative just like any other business.”
Like many, they turned to the internet. But while law-abiding citizens started selling facemasks on Etsy or launched an OnlyFans, criminals went after coronavirus stimulus.
There they found an easy target.
In July, OIG wrote that it’d found “several systemic deficiencies … [that] need to be addressed immediately to reduce fraud risk and prevent further losses.” OIG also identified $250 million in loans and grants that may have gone to ineligible recipients.
SBA reacted with a mixture of surprise and denial. SBA Administrator Jovita Carranza lauded the agency’s commitment to mitigating fraud risk and said it used “sophisticated technology to create a robust set of internal controls” to protect against fraud. Carranza, a President Donald Trump appointee who took the helm at SBA last January, claimed these controls saved taxpayers billions.
“…[T]he concerns raised by OIG in the Draft Management Alert were unexpected,” she wrote.
Carranza also claimed SBA couldn’t address OIG’s claims or describe what it was going to change to protect against fraud in the future because they weren’t provided with summaries of the thousands of individual complaints.
“Rather, […] SBA will inform OIG about the robust internal controls already in place in the EIDL program and discuss enhancements in internal controls that SBA is making in response to the concerns reflected in the Draft Management Alert.”
OIG responded that it “has been in daily contact” with SBA “about specific instances of potential fraud.”
To its credit, SBA has made changes since OIG issued its dire warning, such as beginning to verify tax identification numbers and instructing processors on signs of potential fraud. “They have pivoted pretty quickly on implementing controls,” Ware said.
But many remain deeply concerned.
At the committee hearing, Rep. Judy Chu (D-Calif.) said she was “shocked” by reports of rampant fraud in coronavirus stimulus.
Bill Shear, director of financial markets and community investment at the Government Accountability Office (GAO), said, “We continue to be concerned about the potential for fraud in the EIDL program and are currently conducting work on the program, including on internal controls and fraud risk management.”
Goldstein, who also co-hosts a podcast about economics, told the Daily Dot that SBA is “ill-equipped” to handle fraud complaints. “At the time I tried to report, all of their online and downloadable forms seemed aimed at reporting suspicious activity of SBA employees.” He said that since then, the agency has updated its fraud complaint forms—for lenders.
“There’s nothing specifically for identity theft victims,” he said. “And of course, there was zero follow up from SBA.”
Kerskie offered some advice for people whose identities have been stolen to apply for SBA loans. First, report it to SBA using contact information on their website (thieves are likely to start sending fake SBA demands in phishing schemes). Find out what SBA and the bank need to document the theft. File a report with federal law enforcement or the FTC (local agencies can’t investigate federal crime, plus business identity theft isn’t a crime in some states). You should also pull your business and/or personal credit report(s). And make sure to get documentation.
“Get everything in writing,” Kerskie said.
How did this happen?
SBA’s achievements are undeniable. All who spoke at the congressional hearing complimented the herculean accomplishment of approving 5.2 million PPP loans and 3.5 million EIDL applications in mere months.
“At one point in the crisis it was reported that SBA performed 14 years’ worth of lending in 14 days,” IG Ware said.
SBA’s hasty actions undeniably saved millions of jobs and businesses.
“Many businesses in my district needed the money right away to stay afloat,” said Rep. Dwight Evans (D-Ind.) at the hearing.
But the unprecedented lending spree also facilitated unprecedented theft, at least some of which was avoidable.
The Daily Dot provided SBA with a detailed list of questions on Oct. 7. The following day, a spokesperson said they were working on obtaining answers. As of press time, the questions remain unanswered.
One of the simplest, and most exploitable, vulnerabilities lay in the loan process itself. The four-page PPP loan application, only two of which are fillable, requires information that can largely be obtained in a simple internet search. Photo identification wasn’t required, and the information wasn’t independently verified in the early months. Nor were applicants contacted to confirm the request.
In the early days, borrowers were even able to alter the bank information after applying, allowing funds to be rerouted overseas, where it is much more difficult to trace or seize. This plus the expediency demanded by Congress—the first cash infusion was to hit bank accounts in just three days—which also decreed that applicants self-verify, made the stimulus an easy mark for criminals. They wasted no time feasting on the fatted calf.
Identity theft expert Kerskie isn’t surprised. “They were starting to get the money into the hands of businesses so fast, the checks and balances weren’t there,” she said.
In August, Bloomberg Businessweek reported that among just the maximum $10,000 grants, up to $1.3 billion went to “phantom businesses.” Its researchers found that the number of businesses that received grants in some districts far exceeded the number that were eligible; in the Chicago area alone, where 19,000 were eligible, SBA approved 81,000 grants.
On Sept. 10, the Department of Justice (DOJ) said that 57 had been indicted in dozens of cases for attempting to pilfer $175 million in PPP loans since May. DOJ has reportedly initiated hundreds of investigations, a fact made even more significant because, as Shear testified, it typically takes 12-18 months to begin investigating fraudulent loans. Ware said that it may take 7-10 years before the full extent of the damage is known.
Although the sums are significant, the techniques alleged in most cases filed thus far are comparatively amateur—officers say applicants lied about their eligibility and spent funds improperly on luxury cars, vacations, and other personal items.
Kerskie believes that far more sophisticated financial crimes have also occurred. “I would say this is modern-day organized crime … for this volume amount and this fast, this is organized crime.”
SBA made some changes in response to OIG’s report, but regulators say it has continued to struggle to implement sufficient anti-fraud controls or to even communicate.
“The cooperation has been poor—and I don’t like stating this, but we haven’t had good cooperation in conducting this work,” Shear told Congress.
Last month, the Project On Government Oversight (POGO) reported that within SBA the coronavirus stimulus programs are being called “a disaster.” An SBA insider told POGO that the agency could’ve avoided much fraud by better training the subcontractors reviewing loan applications, verifying applicants’ tax information, and requiring photo ID. Much of what POGO learned contradicted Carranza’s response to OIG’s July warning.
For instance, Carranza claimed that tax ID numbers were being verified. Yet more than a week after she wrote that, an SBA manager informed loan processors that software had been updated to do so, POGO reports.
POGO also obtained internal emails from August in which SBA offered loan processors basic fraud prevention advice, such as not to approve loans when it and/or the bank account isn’t in the applicants’ name, giving “Daenerys Targaryen” and “Sansa Stark,” characters from Game of Thrones, as an example. An email also explained fraud alerts about masked IP addresses, devices previously associated with fraudulent activity, and the like. “We generally see higher fraud rates from international traffic,” the email noted.
An inside source told POGO that loan staff routinely overrode fraud alerts due to “poor training and inadequate guidance.”
“Due to the widespread presence of fraudulent applications, effective immediately, all COVID-19 applications” that don’t result in any loss to the business were also to be denied, an SBA supervisor wrote on Aug. 14.
It will be years before the extent of the losses is known. Some estimate that as much as 10%, or more of the half-trillion dollars of PPP loans, were fraudulent.
If so, that would put coronavirus stimulus fraud in the same category as the $78 billion Enron scandal and Bernie Madoff’s $65 billion Ponzi scheme. In short, it may be the all-time largest theft of government assets.
Government programs are perhaps inevitably targeted for fraud. The largest government stimulus in history was always going to be irresistible to criminals. This is not shocking. What’s shocking perhaps is the scope of the fraud and how little was done to prevent it.
As Ware said: “Fraudsters are going to do what fraudsters are going to do.”
This week’s top technology stories
|A ‘deepfake’ of a vaping teen is at the center of a harassment case—but what if it’s not faked?|
|The media and big tech used to love each other—here’s how it all soured|
|The truth of QAnon has been staring us in the face all along|
|Clubhouse’s desire for exclusivity is harming the Deaf community|
|Will the U.S. finally get its act together on facial recognition laws?|
|Sign up to receive the Daily Dot’s Internet Insider newsletter for urgent news from the frontline of online.|