Foreign criminal syndicates are estimated to have stolen tens of billions of dollars in pandemic relief money, and an inspector general’s report is shedding light on how some of that happened.
The Small Business Administration’s watchdog says the agency tried to block foreign applications to its Economic Injury Disaster Loans (EIDL), one of two major programs activated to prop up businesses during the early COVID-19 pandemic shutdowns.
Still, thousands of applications filed from foreign Internet Protocol addresses got through the SBA’s firewall. As a result, the agency doled out about $1.3 billion in payments that the inspector general deemed at severe risk of being fraudulent.
Filing from overseas isn’t an automatic signal of fraud or illegality, but it is a red flag, the Office of the Inspector General said.
“The numerous applications submitted from foreign IP addresses are an indication of potential fraud that may involve international criminal organizations,” the inspector general said in announcing the investigation Monday evening. “OIG has ongoing investigations into international organized crime operations that applied for and stole pandemic relief funds.”
The audit didn’t expand on those investigations, but overseas criminal syndicates have been identified in massive amounts of fraud related to U.S. pandemic spending.
There were three major relief programs: expanded unemployment benefits, which totaled about $900 billion; the SBA’s Paycheck Protection Program, which extended about $800 billion in forgivable loans to small businesses to keep them afloat; and the EIDL, with roughly $342 billion in loans, grants and advance payments to businesses.
Unemployment benefits were particularly vulnerable, with few controls early on to weed out bogus applications. One estimate puts total unemployment fraud at more than $200 billion, with international criminal syndicates likely accounting for well more than $100 billion. Much of that went to organizations tied to U.S. adversaries in Iran and Russia.
The SBA programs were tougher to scam, though early estimates still run to tens of billions of dollars. The inspector general’s report captures some of that activity.
The audit found that the SBA weeded out “millions of attempts” to submit EIDL applications from foreign IP addresses.
It also found that SBA officials were aware of the risk posed by foreign applications and took steps to combat it with a four-layer defense.
The first layer was a firewall that was supposed to block applications from six countries with histories of fraud. The second layer was another firewall that was supposed to block any application with a foreign IP address altogether.
Layer three was supposed to flag any foreign IP addresses that still made it through, and layer four was a personal review by a loan officer.
The audit found that foreign IP addresses were able to access the loan system more than 233,000 times.
Nearly 42,000 applications from foreign addresses made it all the way through the security layers and were granted, resulting in fraudulent loans, grants and advance payments totaling $1.3 billion.
When auditors reviewed 50 applications that got through the firewall despite coming from foreign addresses, they found 16 weren’t flagged by the third layer of defense. Of the 34 that were flagged, the in-person loan officer review bungled 15 of them.
SBA and the contractor it hired to process applications pronounced themselves stumped at how foreign IP addresses were able to circumvent the firewalls, the audit said.
The audit didn’t name the contractor, but a congressional report this summer said the Trump administration awarded RER Solutions a $750 million contract to handle the applications even though the company was unable to “perform core contract tasks.”
More than 40% of all pandemic loans the SBA oversaw may have been approved without an agency employee conducting a review, the investigation found.
In an official response to the audit, SBA Associate Administrator Patrick Kelley sought to put the numbers in context.
He said successful foreign IP applications were just 1% of all approved EIDL cases and the SBA did a particularly good job of weeding out applications from the six high-risk nations, which the report did not identify.
The $1.3 billion in overseas payouts was less than half a percent of total EIDL spending.
Mr. Kelley said the system was set up in the early days of the pandemic shutdown, when experts warned of a looming economic collapse.
“As a result, the initial focus of SBA’s COVID relief programs had to be on providing financial assistance as quickly as possible to respond to the crisis,” Mr. Kelley wrote. “While it is true that great speed was needed when developing the COVID EIDL program and to deliver this economic assistance to millions of small businesses impacted by the pandemic; we do not believe there is a tradeoff between speed and fraud controls.”
The SBA generally agreed with the inspector general’s recommendation to review all foreign IP address applications that got through the system and figure out which ones were bogus. The agency said it will try to recover the money.
Nigeria, known for being home to sophisticated and determined fraudsters, led the way among foreign IP address applications with 33,477 submitted. Of those, 241 totaling nearly $20 million were approved.
Canada led the way in dollar amount, with $183 million paid out on 3,755 applications. A total of 20,500 were submitted from Canadian addresses.