Federal Charges Associated with PPP Loans Uncover Elaborate Synthetic Identity Fraud

The Paycheck Protection Program (PPP), included under the CARES Act, made available $659 billion in federal aid for small and medium-sized businesses hurt by the necessary shutdowns due to the COVID-19 pandemic. The program offered potentially forgivable loans covering up to eight weeks of payroll to help SMBs keep employees and to rebound more quickly when state governments authorized reopening.
PPP was authorized on March 27, 2020, and Small Business Association (SBA) lenders commenced loan application acceptance on April 3, only a week later. Shortly after that, fintechs with automated small business lending platforms also entered the fray.
Well-intentioned efforts to quickly distribute billions of dollars in stimulus funds in order to alleviate pandemic-related financial pressures also left the door open for abuse and fraud. So far, the Department of Justice (DOJ) has brought federal charges against several dozen perpetrators, representing hundreds of millions of dollars in alleged PPP loan fraud. As investigations continue, more charges against others are expected.
One recent case involves a pair of alleged fraudsters from South Florida who were arrested in late August. They were successful in securing more than $3 million in fraudulent PPP loans on behalf of four fictitious businesses. The investigation was handled by the Federal Deposit Insurance Corporation Office of Inspector General (FDIC-OIG), who uncovered more than 700 synthetic identities dating back to 2017, with the common thread that these identities had established bank or credit accounts with a single financial institution.
Synthetic identities often stem from a combination of real and fake attributes, such as a DOB and Social Security number, that don’t correlate to each other in order to form an entirely new, but fictitious, identity. Synthetic ID fraud is the fastest-growing type of financial crime in the U.S., accounting for an estimated 10% to 15% of losses in a typical unsecured lending portfolio.
In this case, the synthetic identities intersect with PPP loans in that the synthetic IDs associated with the bank became “owners” or “employees” of the fictitious businesses for which the loans were secured. The FDIC-OIG investigation found many of those synthetic identities combined the names of inmates—likely obtained through a breached database posted on the dark web—with the Social Security numbers of minors.
Two of the synthetic identities tied to two of the PPP loans matched the actual names of legitimate Florida business owners. Additionally, one of those loan applications utilized the address of the registered business owner. However, after filing the PPP loan application, a change of address request was submitted to the U.S. Postal Service (USPS) to switch the address from the business owner to the home address of one of the perpetrators.
The other two loans were for fictitious shell companies established by the perpetrators. Once loan applications were approved, funds were delivered to bank accounts associated with the synthetic identities established in 2017, as well as to bank accounts in the names of the perpetrators’ fictitious businesses.
Later, the Florida Department of Revenue confirmed that no wages were paid in the prior year to employees at any of the organizations for which loans were obtained.
For several weeks after PPP funds were deposited, money was transferred from the synthetic accounts into the perpetrators’ shell company business accounts. Importantly, all of the loan applications and money transfers originated from just three IP addresses, which tied back to the homes of the perpetrators as well as a third co-conspirator, who was never charged.
Also around this time, purchases were made using synthetic ID credit cards that were tied to loyalty accounts in the names of the perpetrators and co-conspirator which happened to match the individuals identified by the ISP provider. The address of one of the perpetrators corresponded to the change of address request filed with the USPS.
Luckily, as consistent information and patterns emerged, investigators were able to identify the real people behind the scam, but not before significant damage was done.
<h2>Known Synthetic ID Characteristics</h2>
Several of the elements of this elaborate scheme can be tied to known characteristics of synthetic identity fraud, including:
<ul>
<li>Stolen PII and disparate elements of real identities repurposed from different victims were used to create the synthetic identities.</li>
<li>Synthetic IDs can go for long periods of time without detection when fraudulent accounts behave responsibly before becoming delinquent and, even then, it may look like a person having financial problems.</li>
<li>Fake IDs were used to establish fictitious depository accounts.</li>
<li>One or more of the accounts likely “busted out” which is why the bank became suspicious in 2019.</li>
</ul>
<h2>How to Mitigate Synthetic Identity Fraud</h2>
Financial institutions and other organizations, of which there are many, that have exposure to synthetic ID fraud should verify customers at digital entry points and other stages in the user lifecycle. The best defense is to rely on a multi-layered approach that looks beyond PII elements and leverages advanced analytics and diverse, deep data sets to gain conviction on the applicant’s identity. Furthermore, deploying machine learning to detect synthetic IDs creates efficiencies and avoids manual reviews and human error, without degrading customer experience
Socure’s <a href="https://www.socure.com/products/sigma-synthetic-fraud">Sigma Synthetic Fraud</a> solution tackles synthetic ID fraud through feature engineering and data source analysis. It used both supervised and unsupervised machine learning models to derive a common definition of synthetic identity fraud, upon which Socure developed classification models that achieve 97.3% under the ROC curve with an auto-fraud capture rate of 90% or higher in the riskiest 3% of users.
Sigma Synthetic Fraud is part of Socure&#8217;s <a href="/products/socure-id">identity verification platform</a>, Socure ID+, an integrated, digital identity verification and fraud platform—alongside <a href="https://www.socure.com/products/sigma-identity-fraud">Sigma Identity Fraud</a>, <a href="https://www.socure.com/products/identity-verification">KYC</a>, and <a href="https://www.socure.com/products/document-verification">DocV</a>. All Socure ID+ modules are available through a single API.
If you’d like to read the complete details surrounding this elaborate synthetic identity fraud scheme, be sure to download Socure’s white paper, <a href="https://offers.socure.com/the-state-of-synthetic-fraud.html">Anatomy of an Alleged PPP Synthetic Identity Fraud Deal</a>.