Stanch the flow

Fraudsters have stolen an unprecedented amount of U.S. COVID-19 relief funds — possibly more than the GDPs of many world economies. But millions of dollars had already been streaming from government programs long before the pandemic, and those cases hold valuable lessons. Here’s how to stanch the flow of money from vulnerable agencies.

Fraud in federal programs is getting bigger, more complex and more ambitious than ever. Although the unprecedented public spending in the wake of the COVID-19 pandemic — and the similarly unprecedented amount of taxpayer dollars lost to fraud — have drawn more attention to this problem in recent years, the government’s fraud woes long predate the pandemic. Consider the complex fraud case of Eugene Sickle, the former deputy executive director of the Wits Reproductive Health and HIV Institute, a South African research institute focusing on sexual and reproductive health and vaccine-preventable diseases. The U.S. Agency for International Development (USAID) was the institute’s primary source of funding, and Sickle administered U.S. grant funds for its projects.

In October 2015, Sickle and his boss signed a noncompetitive $206,250 subcontract with a company called Alzar Consulting Services Ltd. to develop a mobile phone software application to facilitate safer childbirth deliveries in South Africa. An individual, named “Dr. Carla Das Neves,” signed the contract on behalf of Alzar. However, both Alzar Consulting and “Carla Das Neves” were complete fabrications. Subsequent investigation revealed that Sickle created Alzar in the British Virgin Islands, and he was the sole owner of the company. Sickle created email accounts for Alzar and numerous fake Alzar employees, including “Carla Das Neves,” to mislead USAID and his colleagues at the Wits Institute. He even created a fake LinkedIn page for “Carla Das Neves” to support her supposed credentials as a trained expert in international development. Sickle didn’t perform any of the work required under the contract, nor did anyone else. None of the USAID grant money was used for its intended purpose to facilitate safer childbirth in South Africa. Instead, Sickle diverted the money to himself and an accomplice. [See “Former Deputy Executive Director of USAID Contractor Sentenced for Theft of Grant Funds,” U.S. Department of Justice (DOJ), Aug. 1, 2017.]

Sickle’s scheme involved elements of diversion, contract steering, subcontract self-dealing, document falsification, fictitious entities with opaque ownership and ghost employees, and even social media deception. His case demonstrates the deviousness of some fraudsters who stole U.S. government grant funds — long before the disbursement of COVID-19 relief monies.

Fraudsters’ 34th largest economy

Source: World Bank

Since April 2020, the U.S. government has appropriated nearly 12 times as much money as it did during the New Deal on pandemic relief — $9.3 trillion during the Biden and Trump administrations versus $793 billion in today’s dollars for the New Deal. And the government disbursed it at a much faster pace. (See “How Recent Fiscal Interventions Compare with the New Deal,” by Bill Dupor, Federal Reserve Bank of St. Louis, July 13, 2021, and “New Deal,” History.com, updated Oct. 5, 2022.)

As we’ve heard repeatedly, this huge pot of money, and the speed with which it was distributed, was irresistible to fraudsters. Law enforcement officials estimate that fraudsters stole between $87 billion to $400 billion of the $900 billion Pandemic Unemployment Assistance (PUA) program alone, with nearly half of that amount going to foreign crime syndicates.

To give a sense of the scale, $400 billion is more than the gross domestic products of all but the top 30 world economies, including Denmark ($397.1 billion), Singapore ($396.9 billion) and the Philippines ($394 billion). (See “‘Easy Money’: How international scam artists pulled off an epic theft of Covid benefits,” by Ken Dilanian, Kit Ramgopal and Chloe Atkins, NBC News, Aug. 15, 2021, and “Gross domestic product 2021,” World Bank.)

We’ve never seen fraud this huge. Where a fraudster might once have aspired to steal hundreds or thousands of taxpayer dollars, sophisticated tools and techniques now allow them to steal millions in a distressingly short amount of time. Ten years ago, stealing identities or creating fake ones was expensive and rare; techniques were out of reach for most fraudsters. But now, following scores of large data breaches, and with the introduction of untraceable cryptocurrencies and the explosion of darknet marketplaces, criminals can purchase valid Social Security numbers online for as little as $2 per number. (See “Americans Fear for Their Data More Than Their Wallet, Radware Survey Finds,” radware, Aug. 7, 2018.)

Fraud as a threat to the body politic

Like the COVID-19 virus, fraud can attack in many ways. A virus may enter the body through the mouth, eyes, nose or breaks in the skin; fraud may enter government programs through procurement, grant award or financial management processes. And just as air, food, water or creatures can transmit viruses, banks, government agents, colleagues, friends or family members can unknowingly facilitate fraud. So too must we map the entry points for fraud and identify its pathways into vulnerable government programs. And like any viral illness, preventing fraud, of course, will always lead to superior outcomes than treating it after it appears — a basic tenet of the ACFE.

The government already has the scalpel it needs to dissect its programs and examine them for fraud risks. Recognizing the need to strategically mitigate the likelihood and effects of fraud across the government, the U.S. Government Accountability Office (GAO) issued “A Framework for Managing Fraud Risks in Federal Government” in 2015. The framework provides a template for conducting fraud risk assessments to generate insights about fraud threats that entities could face, the key risk factors driving those threats and the fraud controls that agencies can use to guard against fraud. GAO recommends that agencies conduct fraud risk assessments whenever there are changes to its programming or operating environment, and unquestionably an infusion of billions of new dollars during a global pandemic qualifies as such a case.

This isn’t an optional exercise. Under the U.S. Fraud Reduction and Data Analytics Act of 2015 and its successor provisions in the U.S. Payment Integrity Information Act of 2019, Congress directed agencies to incorporate the leading practices of the GAO framework into their operations. Agencies were further directed to establish the practices in GAO’s guide through Office of Management and Budget’s (OMB) guidelines. Beyond these statutory and regulatory requirements, it’s simply a matter of good business hygiene and common sense that agencies should examine their programs for fraud risks before they send money out the door. Although the pandemic’s $4.5 trillion in funding and eye-watering fraud losses put the government’s existing vulnerabilities on full display, these vulnerabilities existed long before COVID-19, and they’ll remain afterward if nothing is done.

The government has started to address these concerns by holding “gold-standard” meetings, which bring together different federal agency officials to fine-tune pandemic-relief programs and build on lessons to help reduce fraud. (See the ACFE Board of Regents interview in this issue.) Nevertheless, few federal or state agencies have conducted robust, proactive fraud risk assessments. With $550 billion in new federal assistance programming under the Infrastructure Investment and Jobs Act, the question remains: How much of this money will end up in the hands of communities who desperately need to repair and replace their crumbling infrastructure, and how much of it will end up in the pockets of fraudsters? If the federal government doesn’t consider its fraud risks and corresponding controls before implementing these new programs, it will continue to hemorrhage money to rampant fraud and spend additional taxpayer dollars on expensive “pay-and-chase” treatments rather than cheaper preventive measures.

Dissecting fraud vulnerabilities in new benefits programs

To demonstrate the ways that fraud can impact a single program, we illustrate below one segment of the Infrastructure Investment and Jobs Act — the $65 billion it provides for broadband expansion initiatives, which consists of four programs:

1. The Broadband Equity, Access, and Deployment Program (BEAD): $42.5 billion in funding to be administered by the National Telecommunications and Information Administration (NTIA) as formula-based grants to the states for broadband infrastructure deployment.
2. The Enabling Middle Mile Broadband Infrastructure (EMMBI) Program: $1 billion in new grants to be administered by NTIA for the construction, improvement or acquisition of “middle-mile” infrastructure, prioritizing funding for middle-mile infrastructure to serve households in unserved or underserved areas. (Middle-mile infrastructure is any broadband infrastructure that doesn’t connect directly to an end-user location, including an anchor institution. See more in “Internet for All,” U.S. Department of Commerce.)
3. Digital Equity Act programs: $2.75 billion in funding to create grant programs administered by the U.S. Department of Commerce: a Capacity Grant Program, directed toward broader state efforts to achieve digital equity and inclusion, and a $250-million-per-year Competitive Grant Program focused more narrowly on covered populations, such as senior citizens, veterans, minorities and individuals with a language barrier.
4. The Affordable Connectivity Program (ACP): $14.2 billion to be administered by the Federal Communications Commission (FCC) for providing a discount of up to $30 per month toward internet service for eligible households and up to $75 per month for households on qualifying tribal lands. Eligible households can also receive one-time discounts of up to $100 to purchase laptops, desktop computers or tablets from participating providers.

To understand how to prevent fraud occurring in these new or expanded government broadband programs, it’s worth examining past scams that have resulted in fraud losses for similar programs, such as the Community Development Block Grant (CDBG) program. Here are a few of those cases and lessons learned.

Eligibility misrepresentation

Eligibility misrepresentation is common among benefits programs. Sometimes, local government agencies even seek to fraudulently qualify for federal benefits. For example, in February 2019, the New York City Department of Transportation fraudulently obtained more than $5.3 million in federal reconstruction dollars by falsely claiming that numerous vehicles were damaged during Hurricane Sandy. (See “Manhattan U.S. Attorney Announces $5.3 Million Proposed Settlement Of Lawsuit Against New York City For Fraudulently Obtaining FEMA Funds Following Superstorm Sandy,” DOJ, Feb. 20, 2019.)

Because BEAD and EMMBI grants are partially targeted toward unserved and underserved communities, NTIA will need to take care that the individuals, businesses, nonprofits and municipalities that apply don’t misrepresent their needs for broadband infrastructure. Verifying self-reported information, by requesting tax returns or pay stubs that demonstrate eligibility, for example, will be vital for protecting program integrity.

Eligibility misrepresentation schemes can also manifest with federal contracts and grants that are set aside for small businesses, such as businesses owned by minorities, women and veterans. For example, in August 2018, a Kansas City businessman, Jeffrey Wilson, fraudulently obtained $13.7 million in federal construction contracts using a “rent-a-vet” scheme. On paper, Wilson, who isn’t a veteran, shared ownership of his construction company, Patriot Co. Inc., with Paul Slavitch, a service-disabled veteran. But in practice, Wilson owned and operated the company alone — Slavitch worked full time at a government facility more than 40 miles away — and Wilson paid Slavitch a small salary in exchange for using his name to fraudulently apply for federal contracts reserved for veteran-owned small businesses. (See “Former Company Owner Sentenced for $13.7 Million ‘Rent-A-Vet’ Scheme,” DOJ, Aug. 23, 2018.) If the Department of Commerce aims to set aside some of its grants under the Digital Equity Act Competitive Grant Programs for small businesses owned and operated by covered populations, it will need to be on the lookout for unethical business owners misrepresenting their eligibility to apply — again by requiring the submission of data that verifies the veracity of eligibility claims.

Agencies can fight eligibility misrepresentation by validating applications using publicly available data. For example, the Department of Commerce’s Bureau of Economic Analysis publishes information about per capita income and purchasing power that could be useful in validating community need for infrastructure investment. Securities and Exchange filings can also be useful for verifying names and salaries of high-ranking executive officers of public companies. Even a search of online U.S. Postal Service records can provide an agency with valuable intelligence on whether a person resides at the address they listed on their benefit application.

Ghost beneficiaries

In 2021, the FCC preapproved internet service providers (ISP) to enroll any student participating in the U.S. Department of Agriculture National School Lunch Program’s Community Eligibility Provision (CEP) into the Emergency Broadband Benefit (EBB) program (the precursor to the ACP). The EBB was meant to provide a $50 per month subsidy for eligible low-income families to pay for home broadband service used during the pandemic for online schooling; the FCC paid the ISPs directly rather than the families themselves. However, as the FCC Office of Inspector General later found, the CEP was “commonly abused by providers and their sales agents as an entry point for fraud in the [EBB] program,” and “a number of CEB schools are grossly overrepresented in EBB household enrollments when compared to the actual student enrollment at those schools.” (See “Advisory Regarding Fraudulent EBB Enrollments Based On USDA National School Lunch Program Community Eligibility Provision,” FCC Office of Inspector General, Nov. 22, 2021.)

In one particularly egregious example, an ISP claimed 1,884 CEP-eligible households at a single Florida school, even though there were only 200 students enrolled, which works out to more than seven families per enrolled student. The FCC Office of Inspector General found similarly obvious instances of CEP-eligible families exceeding enrolled students in Alaska, Arizona, California, Colorado and New York. In many cases, the ISP failed to provide the name of the family’s child who was supposedly participating in the CEP, gave retail addresses as the purported home addresses for eligible families or provided unlikely home addresses indicating families who lived more than 50 miles away from their schools. (See “Advisory Regarding Fraudulent EBB Enrollments Based On USDA National School Lunch Program Community Eligibility Provision.”)

This type of ghost beneficiary scheme — where the fraudster enrolls bogus beneficiaries or recycles the identities of beneficiaries who previously qualified for a program but have since aged out — is all too common in federal benefits programs.

Unlike a fraud scheme where a single beneficiary misrepresents their own eligibility to enroll in a program, ghost beneficiary schemes typically involve service providers or their sales agents fraudulently enrolling people en masse. ACP subsidies are particularly susceptible to ghost beneficiary schemes because the FCC allows ISPs to use a family’s eligibility for other means-tested benefits programs (such as the CEP, Supplemental Nutrition Assistance Program, Medicaid, Veterans Pension, or U.S. Veteran Affairs Survivors Pension) as a shortcut for determining ACP eligibility. This quickens the FCC’s ability to enroll eligible families in the program but leaves the ACP vulnerable to fraud as the weakest link among these other federal benefits programs. As we’ve seen with the EBB, it’s all too simple for an unscrupulous business or sales agent to invent thousands of ghost beneficiaries.

One easy way for government programs to prevent ghost beneficiary schemes is to require beneficiaries to work with their providers when going through the enrollment process. Instead of allowing providers to enroll anyone who appears eligible, the government should require an affirmative act of a possible beneficiary to identify themselves and assert their desire to participate in a program. Something as simple as submitting a signed affirmation, Social Security number or photocopy of a driver’s license to show their interest in being part of a benefit program would limit the number of providers who are enrolling customers in programs not for the good of the beneficiary but for the good of the provider. This might slow down delivery of an ACP benefit, but it would also create a helpful gatekeeping check on providers and agents. The government could also integrate data analytics checks to identify potential red flags — for example, by automatically cross-referencing a beneficiary’s listed home address against property records and using Google maps to identify when fictitious or business addresses are used. Program officials could supplement this analysis using manual checks of statistical samples.

Cost mischarging

In this common scheme, a grantee charges the government for costs that aren’t allowable, reasonable, or allocated directly or indirectly to the grant. For example, in March 2022, Project Concern International settled with the U.S. for $537,500 to resolve allegations that it knowingly submitted false claims to the USAID during its performance of grants from 2014 to 2016 to provide agricultural and other aid to developing countries.

Based on information from a whistleblower, U.S. investigators determined that the nonprofit improperly shifted costs between projects and sometimes used U.S. grant funds to cover privately funded projects.

In at least one case, the nonprofit’s supervisors instructed their staff to bill time or other costs to separate and unrelated USAID grant projects that had money remaining in their accounts even though those employees didn’t work on those projects. Project Concern International then falsely certified to USAID that it used the grant funds only as allowed under each project. (See “Project Concern International, a Global Health Non-Profit Organization, Agrees to Pay $537,500 to Resolve False Claims Act Action,” DOJ, press release, March 10, 2022.)

Cost mischarging also frequently occurs when grantees attempt to use program funds for ineligible or nonexistent administrative costs. For example, in March 2011, the U.S. State Department awarded a grant totaling over $5 million to a nonprofit named Women for Afghan Women to provide support for the promotion and protection of Afghan women’s rights in Afghanistan. The grant agreement allowed Women for Afghan Women to charge a fixed monthly amount of $4,167 to pay the salary for a full-time administrative coordinator; the nonprofit never hired anyone for this position but billed the State Department for it anyway from March 2011 until June 2014. Women for Afghan Women ultimately agreed to pay the State Department $301,247 in restitution for these fraudulent salary payments and other ineligible administrative costs. (See “Quarterly Report to the United States Congress,” Special Inspector General for Afghanistan Reconstruction, Oct. 30, 2016.)

Cost mischarging often involves fraudulent salary payments and misuse of staff time. Agencies can fight against this kind of fraud by monitoring time and attendance records for suspicious activities and requiring grantees and subgrantees to post signage that advertises whistleblower hotlines.

Complex fraud schemes

Unlike the opening case, which just one person perpetrated, complex fraud schemes often involve a conspiracy of actors both within and outside the government. For instance, in 2018, Kelli R. Davis and Denon Hopkins pleaded guilty to engaging in a conspiracy to commit honest services wire fraud and theft of public money. The former was a federal grants officer responsible for administering the U.S. State Department’s Sports Visitors Program through a grant with George Mason University, and the latter was a subcontractor who provided transportation services for the program. Davis and Hopkins colluded to falsify vendor-related invoices and make fraudulent checks payable to Hopkins. Hopkins paid Davis kickbacks as part of the scheme; in exchange, Davis ensured that Hopkins continued to receive contracts with George Mason University. Together, the two stole thousands of dollars meant to support foreign exchange students and coaches. Davis was sentenced to 13 months in prison and Hopkins sentenced to 14 months for their parts in this crime. Like the Sickle case, Davis and Hopkins’ scheme involved diversion, contract steering and document falsification, as well as bribery and invoicing manipulation. (See “State Department Official Sentenced to Prison for Engaging in Honest Services Wire Fraud and Theft of Federal Funds,” DOJ, Sept. 7, 2018.)

NTIA, FCC and the Department of Commerce might find social network analytics to be a useful tool in identifying conspiracies and fake identities underpinning complex-fraud schemes like these. For example, agency investigators could examine the social distance between the grants officer, grantee executives and key staff, and subcontract executives and key staff to uncover hidden relationships or dummy social media accounts.

Agencies could also trace the internet protocol address of a suspicious email account to see if the geolocation matches the physical address on record for a grantee or subcontractor.

Risk assessment

We summarize the schemes we’ve discussed and our recommended mitigation techniques in the table below. In the end, however, the federal government’s four new or expanded broadband programs could be the target of dozens, if not hundreds, of potential fraud schemes. That isn’t an indictment of the administering agencies’ individual business practices; they have no choice but to operate in broad fraud risk environments. The fraud challenges faced by the federal government in the wake of the COVID-19 pandemic are immense, and a fraud risk assessment should reflect that.

Developing an awareness of potential fraud risks is just the first step in the fraud risk assessment process. From there, agencies will want to prioritize a smaller number of risks for in-depth analysis. They might use surveys among their managers and staffs to help identify the most likely or highest-impact fraud risks and then use targeted interviews with senior leaders and subject-matter experts for more detailed feedback. Also, workshops among cross-functional groups can help break down silos and discover how fraud risk responses should bridge across multiple internal actors who don’t normally work together. Armed with this understanding of the risk, agencies can put in place mitigating controls, such as proactive data checks, prior to approving payments.

The U.S. government needs to move with haste to systematically identify fraud risks that threaten its new benefit programs. If these agencies don’t take proactive steps to prevent fraud now — choosing instead to let law enforcement entities chase after fraudsters only after they’ve stolen program funds — the U.S. government stands to lose several billion more in taxpayer dollars, with dubious prospects for recovery.

Linda Miller is principal, fraud & financial crimes at Grant Thornton. Contact her at linda.miller@us.gt.com.

Taylor Larimore, CFE, is senior manager, fraud & financial crimes at Grant Thornton. Contact him at taylor.larimore@us.gt.com.

Zachary Rosenfeld is manager, fraud & financial crimes at Grant Thornton. Contact him at zachary.rosenfeld@us.gt.com.

Joe Abeska is associate, fraud & financial crimes at Grant Thornton. Contact him at joe.abeska@us.gt.com.