Small businesses are hurting, which has been reflected in record unemployment numbers, the near-total shutdown of mainstream businesses and in PYMNTS data revealing that as of about two weeks ago, a quarter of small businesses didn’t think they would survive the coronavirus pandemic at all.
Into that environment, the $350 billion in Paycheck Protection Program (PPP) funds represents more than simply an infusion of cash for small- to medium-sized businesses (SMBs). In many cases, it’s the difference between being closed temporarily and being shut down for good. As one might expect, applications for the federally backed loans have come in a tidal wave since applications went up a week ago.
Unfortunately, so have the fraudsters. For them, the PPP funds also represent a once-in-a-lifetime opportunity — to illicitly exploit a host of weak links within the systems that will distribute those loans to SMBs.
And as DataVisor CEO Yinglian Xie told Karen Webster in a recent conversation, those fraudsters have gotten out the door incredibly quickly. DataVisor has seen the fraud emails trickle in already — and some of them are very clever. Fraudsters have studied up on the process, Xie noted; they know when SMBs are expecting contact about their loans and even the times of day they are expecting to receive them.
DataVisor is a security firm that has been working hard to outwit fraudsters for over a decade. Xie said many SMBs will be vulnerable because they’re in a struggle for day-to-day survival and are desperately in need of those funds, making them an easier-than-normal mark.
And, she noted, the fraudsters are going to be going after more than just the SMBs in their quest to grab up PPP funds.
A Lot Of Weak Links To Target
The problem with unprecedented events is that they are nearly impossible to prepare for. And that reality, Xie said, has caught everyone flat-footed and designing responses in real time — the government, banks, third-party players like payroll companies and the millions of American SMBs currently gazing into the abyss.
The PPP, for all the good it is intended to do, is something nearly entirely new that an entire ecosystem is designing around overnight — and that is a massive task. Bank lending processes normally aren’t built for swiftness — they are built around anti-money laundering (AML) and know your customer (KYC) regulations, stability and security when it comes to handing out funds to SMBs. The process is slow, and denials are common. The PPP “loan” program lacks many of these features as a matter of design because the core value is designed around speed and getting funds into the hands that need them as soon as possible.
“That’s what makes PPP a particularly good target for so many types of fraud,” Xie explained. “It’s targeted at small businesses who are applying by the millions all at once with the kind of surge of applications online far beyond what banks would process on a day-to-day basis. And with everyone encouraged to apply online, many banks weren’t ready from an infrastructure perspective on the back end, which delayed the launch or meant it launched with various bugs.”
Those bugs, she noted, become a target for fraudsters who then try to insert themselves into the process and do things like steal a legitimate business’s identity (via the vast troves of information on the web) and move to misdirect their funds, or attempt to apply for funds from a business that doesn’t actually exist at all or qualify for the program.
To support that type of fraud, she said, you’ll see ancillary frauds — phishing scams launched at SMBs to harvest the data they need to successfully impersonate the business they want to steal from. There might also be attacks on providers like payroll processors that suddenly find themselves flooded with remote information requests from their clients who need it to apply to the program.
“People are trying to really submit the applications quickly, and so when we are thinking about security, it’s not just banks or lenders, you are also looking at relevant third parties being involved to make the whole process smooth,” she said. “If there are weak links and a payroll system is not set up to authenticate users — that channel becomes a broken link, and you find the information going into the hands of someone other than those who should have it.”
And even those links, when shored up, aren’t the end of the line. Some fraudsters, she noted, will let the business get through the tough work of securing the funds through the application process before springing malware on their systems and holding them hostage until they pay out their relief funds as a ransom.
The fraudsters, she said, are going to keep coming in waves to target different parts of this whole process, which means protecting those funds won’t simply be a matter of reinforcing one system or another but making sure the interconnected chain as a whole is secure. It won’t be easy work, but it will be done because it has to be — and will leave an important lesson behind in its wake.
An Ounce Of Preparation Vs. A Pound Of Cure
The great hope, of course, is that the world will never encounter another situation like the one we now face. But, Xie noted, while this will likely never happen again, something will happen, and the world has gotten a crash course in the last few weeks in what it will take to be ready.
“Always be ready to battle the unknown,” Xie said.
Pandemic or not, in the world of fraud fighting the unknown is always coming. The more security professionals evolve their tactics to stop fraudsters, the more fraudsters evolve their tactics for battling back. The arms race isn’t new and will outlast the current pandemic — although, for the time being, it has certainly gone into overdrive on both sides.
“What is happening now with PPP … is all of the issues are happening on a much bigger magnitude than we’ve ever seen,” she said. “The question is how do we head that off in the short term and then be ready to take on the always-emerging unknown in the longer term.”