What the government can learn from pandemic fraudsters

Pandemic relief programs allowed agencies to quickly provide aid for millions of Americans and businesses — they also opened a gateway for fraud. Here’s how agencies can bolster their fraud prevention efforts. 

The pandemic left countless Americans struggling and in need of financial assistance. To provide immediate assistance, the American Rescue Plan Act put nearly $43 billion into the hands of state and local governments nationwide to provide relief for Americans through unemployment insurance, housing, health care and much more. However, the speed which funds were dispersed left little room to prevent fraud, making the system highly vulnerable to threat actors.


“Agencies working to get funds to the public at the scope, scale and speed necessary were often having to do that by removing a lot of the fraud controls that existed,” said James Ruotolo, senior manager of the Fraud and Financial Crimes Department at Grant Thornton Public Sector, a professional services firm that helps agencies manage their finances. “Unfortunately, in most of the pandemic stimulus programs, the fraud rates are off the charts compared to what we would normally see.”


So, how can agencies better prepare themselves to combat and prevent fraud?


Here, Ruotolo delves further into the methods of fraudsters, what actions agencies can take to counteract theft and build fraud protection into their programs from the ground up.


Understanding Threat Actors

Over the course of the pandemic, threat actors across the globe — including organized crime networks, nation-state-funded organizations and opportunists simply looking for an easy way to steal some extra money — quickly found, and shared, loopholes in the rollout of pandemic aid programs.


“One of the things we learned during the pandemic is that the bad guys improved their information-sharing capabilities,” Ruotolo said. “They use the dark web to communicate with each other in chat rooms or sell some of the techniques they have developed in dark web marketplaces.”


Once a threat actor is successful, Ruotolo states, they will exploit the loophole as long as they can, then continue to rapidly adjust their tactics to exploit programs as long as possible.


“When they run into a roadblock, they continue to try and try again, until they get a chance to get around that new control that's been put in place,” he said. “In the anti-fraud business, we have to be right all the time; the bad guys really only have to be right once.”


Successfully Combating Fraud

In this ever-evolving threatscape, Ruotolo states agencies must strengthen three core areas to run successful interference against fraud: risk assessment, data and technology.


Assess Risk Holistically:

With fraud, protection and prevention is not “one size fits all.” Although most agencies have traditionally focused fraud evaluations solely on improper payments, the truth is each agency has varying levels of fraud risk in a variety of categories — some they may not have even identified yet.


Ruotolo recommended when agencies undergo risk assessment, they take a holistic approach and examine each part of their organization to ensure evaluations encompass all possible risks. From there, they can then prioritize and focus on the biggest gaps to guide decisions about improving their fraud controls.


“Agencies need to take a step back and fully evaluate their programs, benefits, application processes and procedures,” he said. “That should influence the types of controls they deploy.”


Leverage Data:

Most pandemic loan programs sacrificed identity verification for speed, a vulnerability that served as a main entry point for fraudulent actors. According to Ruotolo, one way agencies can verify data is through a third party source, who can look at application data as soon as it's submitted and instantly verify.


While data sharing might be a challenge for government in most cases, Ruotolo said privacy regulations often contain provisions that permit information sharing for the purpose of preventing fraudulent activity, making it a critical step for fraud control.


“Leveraging third party sources to verify the information that's been submitted is one of the simplest types of fraud controls that we can put in place,” he said.


Invest in Technology:

Finally, for agencies to successfully implement and maintain fraud controls, Ruotolo explained it is critical for agencies to invest in updated technology.


“There is incredible value in maintaining technology over time,” he said. “If we fail to modernize technology and applications in a timely fashion, we also lose agility — and in times of crisis, that agility is paramount.”


Taking a Proactive Approach

For agencies to truly optimize their approach to fraud, it must be a priority focus from the start. When Ruotolo starts work advising agencies, he first urges them to abandon the traditional “pay and chase” mentality that waits for action only after the fraud occurs. Instead, he recommends they take a more proactive approach by building in fraud prevention up front when they are designing program workflows and applications.


“It’s critical to think about fraud risk upfront when you're designing your process, [as] this prevents you from constantly being in reactive mode,” he said. “Which can result in unnecessary addition of complex controls that can actually make it difficult for citizens to access their benefits.”


Ultimately, when agencies take a holistic and proactive approach to fraud prevention, it becomes fully integrated into an agency’s culture, which leaves room for the growth and innovation necessary to stop it, Ruotolo explained.


“You have the laser focus and attention on fraud,” he said. “Then it becomes easier to take into account the value of data and technology and enact the best capabilities to prepare your programs for success.”




“What the government can learn from pandemic fraudsters” was originally published in Government Executive on June 15, 2022.  





More public sector insights