Bad data, antiquated systems mean it’s open season for stimulus payment pirates and scammers


The Coronavirus Aid, Relief and Economic Security (CARES) Act, a $2 trillion economic stimulus package passed by the federal government, is designed to provide relief to American families and businesses impacted by the COVID-19 pandemic. Like moths to light, it will also attract COVID-19 pirates – fraudsters and identity thieves who are eager to steal from a federal government under immense pressure to quickly distribute relief funds. The IRS and FBI have already issued warnings about phishing scams and various other schemes that fraudsters will use.

Based on past events like Hurricane Katrina, it’s estimated that 10% of stimulus payments will go to COVID-19 pirates. Already, the German government has had to halt COVID-19 payments due to an influx of fake business websites created by pirates. Without collaboration between the federal government and private sector partners with advanced anti-fraud technology, billions of dollars meant for individuals who have lost jobs and loved ones could go to criminals.

At this moment, 210 countries are being impacted by COVID-19, sending shockwaves through the global economy. Now, the U.S. government is processing stimulus requests with incomplete or out-of-date data for authentication and identity purposes. Legacy security systems and procedures are also processing this data.

The government is using 2018 and 2019 tax filings, which don’t account for changes – death, divorce, moves, people who don’t file taxes, etc. – that make authentication through this data set nearly impossible. Pirates could file on behalf of someone who has recently passed away and the government won’t have the resources to verify whether that individual is still alive. Antiquated measures, like knowledge-based verification systems (“what is your mother’s maiden name”), won’t hold up against the attacks.


By using old data and systems, millions of individuals who are entitled to stimulus checks will be overlooked, leaving their stimulus payments open to fraudsters. Not everyone has a bank account or files taxes. Yet, according to nationally recognized security expert Brian Krebs, the site provided for those who don’t file tax returns is easy prey for pirates.

The government is hiring programmers as fast as possible, but without the advanced identity authentication tools used in the private sector, the COVID-19 pirates will raid with impunity. Banks and online retailers use shared intelligence from international networks to leverage data and resources across multiple countries.

These authentication measures are updated in real time and are frictionless and secure, defending these businesses against well-organized, international criminal syndicates. Velocity checks and advanced tools like behavioral biometrics, which analyze the way a user interacts with a device and differentiate between user profiles, thwart criminals without impacting the user experience.

When it comes to fraud prevention, the federal government has a model agency within its own ranks. The General Services Administration (GSA) operates Login.Gov, which offers the public secure and private online access to participating government programs.

With one Login.Gov account, users can sign in to multiple government agencies, making managing federal benefits, services and applications frictionless and secure. Before integrating private sector security solutions, over 70 million individuals – mainly the unbanked or underbanked, as well as credit-invisible consumers – were invisible to Login.Gov’s identity programs. These are the same people whose claims are currently at high risk due to inadequate security measures on the site the government is providing for stimulus requests.


The GSA fixed this problem by engaging private companies and enhancing the site’s overall security protection. Login.Gov is not currently being used to distribute CARES Act relief funds, but it is an example of the potential of public-private partnerships.

As they explore options, it’s important they look for success stories and case studies within their own agencies. At stake in the United States is an estimated $937 billion meant for individuals and small businesses.

Haywood Talcove is CEO, Government, LexisNexis Risk Solutions and a separate subsidiary, LexisNexis Special Services, Inc.
