The Economic Injury Disaster Loan (EIDL) program may not be as talked about as the Paycheck Protection Program (PPP). And, it might not have issued as many loans to small businesses ($200B vs. $525B), but fraudsters were agnostic as to which program to target.
They hit them both.
The reports of fraud related to EIDL focus more on the use of “money mules,” a scheme in which fraudsters lure unsuspecting consumers into using their personal ID and bank account information to accept criminal proceeds into their account and transfer these funds on the fraudster’s behalf.
At SentiLink, we found evidence that synthetic identities were likely used to secure funds from the EIDL program, but let’s review the highlights of EIDL before diving into this analysis.
The EIDL program was created decades ago by the Small Business Administration’s (SBA) Office of Disaster Assistance to help small business, agricultural cooperatives, and private non-profits recover from the physical and economic damages incurred due to declared disasters (typically natural disasters).
The EIDL program was expanded under the CARES ACT to assist small businesses, agricultural cooperatives, and certain non-profits adversely affected by COVID-19 with their working capital needs and operating expenses.
Unlike the PPP, where the SBA enlisted the help of banks and lenders, the EIDL program remained wholly SBA-administered.
Small businesses could apply for EIDL loans of up to $2MM, although some news outlets reported that the amount was capped at a much lower amount, closer to $150K, due to the high application volumes. EIDL loans were meant to cover working capital expenses to keep businesses running during the pandemic.
Much like the PPP, speed was paramount for the EIDL program. Checking for fraud was likely a secondary exercise.
As reported in Bloomberg Businessweek, “To speed money to struggling businesses, lawmakers required the SBA to take applicants’ word that they were eligible for the money — a requirement that SBA Administrator, Jovia Carranza, has called lowered guardrails against fraud.”
The Office of the Inspector General (OIG) was the first to raise red flags about potential fraud related to EIDL. The OIG audits government programs to protect the public against fraud, waste, and abuse. They issued an alert in July that they had received complaints of more than 5,000 instances of suspected fraud from financial institutions receiving EIDL deposits. Nearly 3,800 complaints came from 6 banks. Nine financial institutions reported a total of $187M suspected loan transactions. The following statement was made in this July 28, 2020 alert from the SBA Inspector General:
“Our review of SBA’s initial disaster assistance response has identified $250 million in economic injury loans and advance grants given to potentially ineligible recipients. We have also found approximately $45.6 million in potentially duplicate payments.”
While investigations into EIDL schemes remain ongoing, it is evident that fraudulent activities and bad actors were present since the onset of the expanded EIDL program.
There is evidence to suggest that synthetic identities were used to access EIDL funds, just like with the PPP.
To understand whether synthetic identity fraud was involved in EIDL fraud schemes, SentiLink analyzed 25 known synthetic identities who had an inquiry with the SBA between April and August 2020.
An inquiry that appears on a consumer’s credit report is technically referred to as a “hard credit pull.” Lenders make a hard credit pull to evaluate a consumer’s credit history when they are making a credit decision. An inquiry on a credit report associated with a lender indicates that a consumer has applied for credit with that company.
We are assuming identities with an inquiry to the SBA between April and August 2020 were applying for an EIDL loan. The EIDL does have two other programs, military reservist and physical damage loans, but there are limitations on who can apply, and less likely that inquiries during this short time period were related to them.
Twenty-one of the identities with an SBA inquiry were first party synthetics, which means they were real people using Social Security numbers (SSN) that didn’t belong to them. Four of the identities were third party synthetics, which means they were totally fabricated identities. Third party synthetic identities are often created by organized crime groups with malicious intent.
For the most part, the synthetic identities who applied for credit with the SBA were quite established. Most had inquiries and tradelines dating back to 2018. Only three were created in early 2020.
This evidence of synthetic identities used to apply for EIDL loans was only based on a small dataset. A more comprehensive analysis is only possible with access to the entire dataset of loans issued through the EIDL program.
Based on the presence of synthetic fraud in the PPP loans, it is only natural to assume that fraudsters would abuse similarly structured federal loan programs such as the EIDL. While investigations continue into the fraud perpetuated through federal loan programs, it is likely that synthetic identities will emerge as one of the illegal EIDL schemes pursued by fraudsters.