The Small Business Administration may have paid out COVID relief funds to overseas fraudsters. A review by the SBA Office of Inspector General found a number of applications for Economic Injury Disaster Loans from foreign IP addresses were flagged as fraudulent, but not properly reviewed. SBA paid more than $1.3 billion in loans, grants and advances to applicants from foreign IP addresses between March 20, 2020, and Nov. 12, 2021, the time period reviewed by the OIG.
An application from a foreign IP address does not necessarily disqualify the applicant; the OIG report said they may qualify for assistance. But the sheer volume — millions of applications from foreign IP addresses, with more than 233,000 processed and 41,638 approved — suggested a high potential for fraud to the OIG, particularly from international criminal organizations, prompting the review. The OIG said it currently “has ongoing investigations into international organized crime operations that applied for and stole pandemic relief funds.”
The OIG found SBA had four layers of controls, designed in collaboration with a contractor hired to help the agency with its historic volume of applications, that were intended to mitigate this type of fraud. The first layer was supposed to entirely block applications from IP addresses located in six countries deemed high-risk. However, the OIG found that 3,097 applications were not blocked. Of those, 550 were approved for grants, loans or advances, totaling more than $14 million disbursed.
The contractor suggested IP masking as a possible means for subverting this control.
The second layer was supposed to prevent applications submitted from a foreign IP address from being completed. However, the OIG found 233,872 were completed and 41,638 were approved, for a total payout of $1.3 billion.
The third and forth layer were a system intended to flag potentially fraudulent applications for review, and then the actual review performed by a loan officer, respectively. The OIG reviewed 50 applications that were approved and disbursed to foreign countries, and found that 16 of them were not flagged, though they should have been. Of the 34 that were flagged, 15 were not approved by loan officers, but were still disbursed.
The OIG recommended that SBA review every application that was submitted from a foreign IP address and was approved and disbursed. For any applications found to be fraudulent, SBA should terminate payment, recover funds already paid out, and refer those cases to the OIG for investigation. In addition, the OIG recommended that SBA review its controls for foreign IP addresses and improve them before future disaster relief efforts.
SBA partially agreed with the first recommendation, though it noted that “The $1.3 billion identified by the OIG that originated from applications submitted from a foreign IP address represents less than .04 percent of the more than $342 billion approved by SBA for COVID EIDL advances and loans.” SBA also said it has already begun the review of applications. SBA also agreed with the second recommendation.
Daisy Thornton is Federal News Network’s digital managing editor. In addition to her editing responsibilities, she covers federal management, workforce and technology issues. She is also the commentary editor; email her your letters to the editor and pitches for contributed bylines.