Johanna Alonso//May 24, 2021
//May 24, 2021
Fears that bad actors would fraudulently apply for and receive CARES Act funds — which included Paycheck Protection Program loans, unemployment and more — are not unfounded, says Baltimore-based cybersecurity company ZeroFOX in a new report.
The company’s threat intelligence team has found hundreds of thousands of advertisements online in which cybercriminals offered their services to those looking to fraudulently apply for CARES Act funds.
These services include using 3D modeling technology to create fake images for the photo verification requirements of the process, as well as digging up private identifying information, like Social Security numbers, that allow fraudsters to impersonate other people and businesses.
These advanced strategies, detailed in ZeroFOX’s report, are used to circumvent measures, called Know Your Customer methods, that aim to prevent applicants from using a false identity. KYC methods have been used by banks and other institutions for years, initially only requiring applicants submit certain information to guarantee their identity.
The use of images, in which an applicant must submit a selfie alongside a picture of their identification to prove they are who they say they are was added as a fraud prevention measure.
Nevertheless, ZeroFOX found over 270,000 advertisements on Telegram, a messaging app that has becoming increasingly popular, offering to help create fake images to use to circumvent this part of the CARES Act application process.
And it’s a problem that is only going to get worse. ZeroFOX predicts that bad actors will continue to improve their methods to circumvent KYC and “will begin to apply these methods to defeat KYC in other platforms, such as financial platforms or cryptocurrency exchanges,” according to the report.
Additionally, whereas the federal government has already begun to charge some cybercriminals for CARES Act-related fraud, Zack Allen, senior director of threat intelligence for ZeroFOX, said it’s much less likely that private companies, if and when they are targeted by similar strategies, will respond as readily.
“Defrauding the government, the government will probably … have you arrested or have you fined or whatever,” he said. “But when it comes to other institutions, I don’t know that they’ll have that kind of response.”
The report also suggests that, due to the nature of CARES Act-related fraud, many of the small businesses whose identities were used to receive PPP funds, and many of the individuals whose identities were used to access unemployment benefits, won’t know until next year’s tax season.
“It’s so hard to catch these already, and when your victim set is basically the U.S. population, it’s going to be hard to find out if you’ve been victim,” Allen said. As in the case of any identity theft, measures like checking your credit score and signing up for data breach services can help victims know if their information has been compromised.
The report also offered several suggestions for how governments and other institutions can protect themselves against similar fraud in the future, including staying up with trends in cybercriminal tactics and techniques; using anti-fraud technologies that identify discrepancies in sign-up data such as location and IP address; and creating a process to review KYC datasets for fraudulent records, especially fake images.