two-factor authentication (Sentavio/


How government can protect against CARES Act scammers

To provide relief to American families and businesses impacted by the COVID-19 pandemic, the federal government passed the $2 trillion  Coronavirus Aid, Relief and Economic Security (CARES) Act. While this act is intended to help Americans in need, identity thieves and fraudsters are drawn to these stimulus packages, considering them as an opportunity for easy money. The government is well aware of this potential for abuse, and both the IRS and the FBI have issued warnings about tactics identity thieves could use in an attempt to steal money meant for Americans.

While many stimulus packages face fraud risks, the CARES Act is especially vulnerable to identity theft because it is all being processed remotely, which carries an inherent risk that can never be fully eliminated. In addition, fraud risks could be amplified due to the breadth of this relief package and the speed at which funds are being processed and distributed. This puts the government in a very precarious position. Stimulus checks must be distributed quickly and accurately through a frictionless process, which provides ample opportunity to fraudsters.

To combat relief cheats and protect the public, the federal government must take the appropriate steps.

A successful identity theft prevention strategy leverages verification and authentication best practices. To prevent fraudsters from claiming money intended for a qualified American, government agencies need a multilayered approach to both processes. The government must set up public sites for citizens and businesses looking to file for various forms of relief, at which point a single sign-on approach offers a viable path for large-scale verification. Cloud-based SSO solutions can potentially deliver lower risk and a more seamless process.

Because Americans’ traditional identity attributes change over time, the key will be asking for as little information as possible while still being able to accurately complete the verification process. For authentication, the process has to be two-factor at minimum. While 2FA won’t work for every person in the United States, familiar processes like one-time passcodes sent to a verified phone number or email address may prove effective. By implementing verification and authentication measures, the government is protecting Americans as well as itself by ensuring the right people receive the money they’re entitled to.

Another challenge for the government will be bot traffic. Identity thieves are increasingly using bots to execute multiple attacks by impersonating valid user accounts and taking over an account. More sophisticated versions can create new user identities, allowing fraudsters to attempt multiple break-ins. One bot attack can be responsible for millions of identity theft attempts. To minimize this particular risk, government agencies must apply velocity checks to monitor device identification, as well as advanced tools that monitor behavioral interactions between the device and the data being entered, for example, noting how quickly information is entered on a web application.

The CARES Act is meant to provide relief to Americans impacted by the coronavirus outbreak, but the attempted scams will originate from all over the world. Fraud and identity theft have both become more sophisticated globally; it’s not scammers acting alone, but entire networks of bad actors working together. To mitigate risk, the U.S. government’s protective network must match this scale by leveraging shared intelligence from international networks. Using big data across a shared global network, government agencies can identify high-risk users accessing their systems by spotting behavior that deviates from trusted digital identities constructed through millions of consumer interactions. This monitoring doesn’t add any friction or delays to the overall process as it’s a passive activity done behind the scenes. Additionally, because it’s preventative rather than reactive, it limits the need for payment chasing, which is difficult and a drain on resources.

The American people are hurting, and they need the relief provided by the CARES Act as soon as possible. To accomplish this safely, the federal government must leverage all effective means of distributing funds – not just direct deposit and paper checks, but prepaid cards, wire transfers and more. In 2020, people are accustomed to sending and receiving money through a variety of channels and fin-tech solutions with built-in identity protection tools that can help solve this problem and get funds to those in need.

The U.S. government is under tremendous pressure to get aid to those in need while preventing mass identity theft and fraud. To achieve this near-impossible task, identity proofing must be conducted in an intelligent and compassionate way to ensure fraud prevention doesn’t put a burden on the user experience. With these best practices, the agencies responsible for distributing relief can accomplish an incredible feat while protecting stimulus funds from fraudsters and identity thieves.

About the Author

Kim Sutherland is VP of fraud and identity strategy at LexisNexis Risk Solutions, a RELX Company.


  • Records management: Look beyond the NARA mandates

    Pandemic tests electronic records management

    Between the rush enable more virtual collaboration, stalled digitization of archived records and managing records that reside in datasets, records management executives are sorting through new challenges.

  • boy learning at home (Travelpixs/

    Tucson’s community wireless bridges the digital divide

    The city built cell sites at government-owned facilities such as fire departments and libraries that were already connected to Tucson’s existing fiber backbone.

Stay Connected