ID Fraud May Increase Following Efforts to Regulate PPP Payments
by Mark Rasch
Since the Treasury Department’s response to the COVID-19 pandemic and Congress’ authorization of payments under the Paycheck Protection Program (PPP), there have been calls for greater accountability and transparency. While the identity of the largest recipients of PPP funds has been public, tens of thousands of small- and medium-sized businesses – serving millions of individual employees – have not been subject to any scrutiny.
The Treasury Department has resisted any opening of the books and records of payments by the government under the CARES Act, with Treasury Secretary Mnuchin noting, “We never agreed to full transparency.” Nevertheless, the Treasury Department and the Small Business Administration (SBA) did agree to release some limited data, including the names of businesses that received PPP loans above $150,000 and the amount of the loans they received. That is a start for transparency, and potentially for more fraud, this time by Internet threat actors who can use this information to facilitate identity fraud, identity theft, phishing and other fraud schemes. Other information to be disclosed would include the NAICS code, business type, demographic data, nonprofit status and number of jobs supported by the PPP loan. Starting with the larger PPP borrowers, fraudsters can use the released information to target companies based on their perceived payroll. Since the majority of small businesses are not publicly traded, information such as ownership, control, management, profits and payroll is typically not available to the public.
This points to a larger problem for small- and medium-sized businesses. Any information, including information from job listings, LinkedIn postings, Facebook and other social media postings, online directories, email addresses and other sources, presents a potential gold mine for hackers, particularly those who specialize in social engineering scams. Spear-phishing (targeted attacks) and whale-phishing (targeting high net worth individuals) can be facilitated by knowing who the CFO of a company is and some basic information. Bank accounts can be drained through Business E-Mail Compromise (BEC) fraud schemes, which also depend on gathering critical information. Since many of these attacks originate from overseas (frequently Asia, Eastern Europe and sub-Saharan Africa), any information the attackers can glean from the Internet or from public disclosures can help them commit fraud.
One step that companies can take is to have an active OSINT (Open Source Intelligence) and Threat Intelligence program, which scans not only the public Internet, but also hacker message boards, unregistered portions of the Internet, and private chat and other message centers for information about the company or key personnel. Since many threat actors sell or trade stolen or other personal information, an OSINT program might provide early warning. Other steps are basic cyber-hygiene measures, including strong passwords and authentication, multi-factor authentication, encryption, testing and training, as well as robust cyber security, employee and privacy policies written by experienced counsel. Cyber insurance should also be a part of the overall mix. The bad guys only have to be right once. Defenders have to be vigilant every time.