How scammers can siphon off stimulus payments
- By Derek B. Johnson
- Apr 14, 2020
While the federal government scrambles to get stimulus money to individuals and small businesses, it may be opening the process up to cybersecurity vulnerabilities and fraud.
About 80% of taxpayers will receive payments through the same electronic transfer system = used to deposits tax refunds, Social Security checks and Veterans Affairs benefits. Those who didn't file federal taxes in the past two years or who don't have traditional bank accounts may have to wait for paper checks that could take months to process and deliver, according to Treasury Department estimates.
To speed up the process, the IRS unveiled a new web tool that allows non-filers to apply to receive their stimulus checks digitally, either straight to their bank accounts or through online payment services like PayPal, Venmo and CashApp.
To qualify for a payment, the IRS tool asks individuals to provide proof of identity in the form of their name, date of birth, Social Security number, mailing address, email address and bank account, type and routing numbers. Other identifiers, such as a valid state driver's license or an IRS Identity Protection PIN, are also accepted but are not required. Submitting that much personal identifying information (PII) online, without any additional protections or protocols in place, increases the potential for fraud or identity theft.
Even before the Coronavirus Aid, Relief and Economic Security (CARES) Act was signed into law, the Federal Trade Commission and the Federal Deposit Insurance Corporation were warning consumers on the likelihood of scammers trying to impersonate official organizations in order to obtain credentials to divert relief funds.
Experts and government watchdogs said they believe relying on such "knowledge-based" authenticators -- like Social Security numbers and date of birth -- is no longer useful or appropriate, since an explosion of hacks targeting private companies over the years has led to such PII becoming widely available for sale on the internet.
Eva Velasquez, president and CEO of the non-profit Identity Theft Resource Center, said her organization has not yet received complaints from taxpayers about stimulus-related fraud, but it expects to in the coming weeks and months, particularly if the IRS is just relying on the PII described in the online tool.
The vulnerabilities in relying on "static PII" to authenticate applicants' identities are the same as they are for regular tax fraud, but even more prevalent in an environment where the government is looking to quickly get funds to those who need them.
Velasquez said agencies like IRS should also be utilizing their existing fraud analytic systems to monitor the payments where possible and ensure they are sharing data with agencies that deal with populations that disproportionately make up non-filers, like veterans and low-income Americans.
The IRS has not responded to requests for comment about what else it may be doing to track or mitigate fraud related to non-filer stimulus payments.
Tax fraud leveraging PII continues to be a significant problem. According to an interim Treasury audit released April 7, the IRS has reported 30,038 fraudulent tax returns totaling $135.6 million in refunds so far this tax filing season. The tax agency also claimed its fraud detection protocols prevented 98% of those returns. However, the Government Accountability Office warned last month that the agency's fraud technology must be updated as it continues to rely too much on PII about Americans to authenticate their identities.
Further, some online payment service apps may not have the same identity-authentication or cybersecurity controls in place that are more common in the heavily regulated banking industry. PayPal has issued online guidance detailing how users can get paid through PayPal Cash or credit cards and recently announced it has received approval from the Small Business Administration to disperse small business loans through the platform.
The CARES Act also set aside $350 billion for guaranteed loans to small businesses to help them keep workers on payroll during the economic downturn caused by the outbreak.
SBA will be responsible for dispersing nearly $350 billion in guaranteed loans to help small businesses deal with the economic fallout of the coronavirus pandemic. The explicit goal of the legislation, as detailed in a corresponding interim regulation, is to "provide relief to America's small businesses expeditiously" by giving all lenders delegated authorities and streamlining regular loan program requirements. The rule also specified that SBA will allow lenders to "rely on certifications of the borrower in order to determine eligibility."
In order to be eligible for the Paycheck Protection Program, businesses are asked to submit payroll processor records, payroll tax filings and other documentation. However, borrowers who don't have those records can also provide other supporting documentation, such as bank records that are "sufficient to demonstrate the qualifying payroll amount," and businesses can use electronic signatures or consents regardless of the number of owners.
The rule states borrowers who knowingly use the program's funds for unauthorized purposes could be charged with fraud, but it relies almost entirely on self-certification from businesses that the funds will be used properly. Newly approved lenders under the program aren't obligated to check any further, though they are encouraged to set up anti-money laundering compliance programs if they haven't already.
Velasquez said her organization views fraud mitigation between the government and online payment apps as "a shared responsibility" and wondered how the process would differentiate when an applicant's PII and online service account don't match, noting there could be legitimate reasons behind the discrepancy. At press time, PayPal had not responded to questions about what it may be doing to further combat or mitigate fraud while processing stimulus checks or small business loans.
This article was first posted to FCW, a sibling site to GCN.
Derek B. Johnson is a senior staff writer at FCW, covering governmentwide IT policy, cybersecurity and a range of other federal technology issues.
Prior to joining FCW, Johnson was a freelance technology journalist. His work has appeared in The Washington Post, GoodCall News, Foreign Policy Journal, Washington Technology, Elevation DC, Connection Newspapers and The Maryland Gazette.
Johnson has a Bachelor's degree in journalism from Hofstra University and a Master's degree in public policy from George Mason University. He can be contacted at [email protected], or follow him on Twitter @derekdoestech.
Click here for previous articles by Johnson.