The security failings surrounding the distribution of economic relief funds as a result of COVID-19 continue to be widely reported. From the Paycheck Protection Program (PPP) to stimulus payments and unemployment benefits, cybercriminals are making in one scam what most will never make in a lifetime. Massive data hacks, fake companies, forged business documents and multiple other efforts to take advantage of federal, state and local governments will ultimately cost billions in losses to U.S. taxpayers, and it is still costing us.

Government agencies have been investigating claims for more than a year and have only just started to bring charges against individuals and cybercrime rings who attempted to cash in on the crisis. The U.S. Justice Department recently charged at least 209 people with attempting to defraud nearly $445 million in PPP loans. Many U.S. states have also started to investigate fraud at the local level, mostly related to the theft of unemployment benefits, with California alone accounting for $11 billion in losses, although the estimate has been put as high as $30 billion. In an interview with NBC News, Vern Pierson, president of the California District Attorneys Association, stated, “In California, this is unquestionably the largest fraud against public agencies in our history.” Other states are also providing initial reports of fraud reaching epic proportions.

Banks Left Holding the Bag

Global economic relief programs were ripe for fraud from the start because of the open-door policies designed to distribute money fast to businesses and consumers. While much attention has been paid to the reported fraud, not nearly as much has focused on how it is happening. There is a hidden underbelly to the crisis that continues to unfold in the world of consumer deposit accounts, and banks have been left in the unenviable position of fighting off these invisible digital enemies downstream.

While a layman might believe these fraud schemes to be the work of sophisticated hackers, the reality is quite the opposite. The schemes are simple to perpetrate. Individuals and fraud crime rings are using stolen identities to apply en masse for federal and state benefits and then open deposit accounts to serve as mule accounts, where they receive the money and ultimately cash it out or launder it somewhere else. While the average rate of high-risk applications that get flagged in the account opening process is less than one percent, BioCatch has been witnessing some financial institutions experience rates between 10% and 50%.

So how is it possible that jobless claims continue to soar in some states even as unemployment rates drop nationwide with more people getting back to work? The answer: fraud. Only recently, the state of Virginia saw jobless claims increase 58% in a single week. BioCatch saw a correlation in our data when looking at the proportion of high-risk applications for new deposit accounts originating from this state based on significant spikes in volume that cannot easily be explained by variation. Common sense dictates that if criminals are targeting unemployment relief programs, we can assume that they are also attempting to open new deposit accounts using the same identities to receive the funds.

In another example to demonstrate the magnitude of the problem, in one state, at one bank, in just one weekend, 800 fraudulent attempts were made to open new deposit accounts. While many failed initial identity verification checks, 223 attempts, or 27%, were successful in creating deposit accounts. BioCatch identified these accounts as high-risk based on patterns associated with cybercriminal behavior during the account opening process, and they were promptly locked by the financial institution before they could be used for fraudulent purposes.

Criminals Step Up Their Game With Hybrid Bots

In one cluster of high-risk applications flagged by BioCatch, we worked directly with one of our customers to investigate the matter further. In doing so, we saw one group of criminals had stepped up their game looking to gain efficiencies in their process. The attack strategy operates in a hybrid bot model where we observed a combination of human and robotic interactions in the sessions. The mouse movements are completed by a human, but many of the important elements are filled out by a bot.

When we compared the mouse movement patterns of a genuine applicant to one of the hybrid examples, it was obvious that the mouse patterns were the result of human interaction. However, when we looked deeper into the behavior exhibited across other data entry points in the application process, there were strong indicators of bot activity. When comparing the entry speed of First Name and SSN between a ‘fast human’ and a representative bot session from the fraud population, the characters in the bot session are entered at a speed that cannot possibly be attained by a human.

In studying the patterns associated with this attack, we found that 75% of all fraudulent applications were completed using this hybrid bot method. There were also several other commonalities uncovered specific to copy and paste events and the use of the clipboard after an application was submitted.
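The hybrid pattern described above (human-driven mouse movement, with First Name and SSN entered at machine speed) can be sketched as a session classifier. This is an added example, not BioCatch's detection logic; the event format, the function names and both thresholds are assumptions made for illustration, and the sample sessions are constructed.

```python
from statistics import median

# Assumed thresholds for illustration; the article gives no numeric cut-offs.
MIN_HUMAN_GAP_MS = 30    # median inter-key gap below this is treated as robotic
MIN_MOUSE_EVENTS = 20    # enough pointer samples to call the mouse use human-like

def key_gaps(events, field):
    """Inter-keystroke gaps (ms) for one form field, in time order."""
    times = sorted(e["t"] for e in events
                   if e["type"] == "key" and e["field"] == field)
    return [b - a for a, b in zip(times, times[1:])]

def classify_session(events, fields=("first_name", "ssn")):
    """Label a session as human, bot, or hybrid_bot from its event stream."""
    mouse = sum(1 for e in events if e["type"] == "mouse")
    robotic = []
    for field in fields:
        gaps = key_gaps(events, field)
        # Require a few gaps so one accidental double key press is not flagged.
        if len(gaps) >= 3 and median(gaps) < MIN_HUMAN_GAP_MS:
            robotic.append(field)
    pasted = sorted({e["field"] for e in events if e["type"] == "paste"})
    if robotic and mouse >= MIN_MOUSE_EVENTS:
        verdict = "hybrid_bot"   # human pointer activity, machine-speed entry
    elif robotic:
        verdict = "bot"
    else:
        verdict = "human"
    return {"verdict": verdict, "robotic_fields": robotic,
            "pasted_fields": pasted, "mouse_events": mouse}

# Constructed sample sessions (not real telemetry).
def typed(field, start, gap, n):
    return [{"type": "key", "field": field, "t": start + i * gap} for i in range(n)]

def moved(n):
    return [{"type": "mouse", "t": i * 40} for i in range(n)]

FAST_HUMAN = moved(60) + typed("first_name", 3000, 95, 6) + typed("ssn", 6000, 110, 9)
HYBRID = (moved(60) + typed("first_name", 3000, 4, 6) + typed("ssn", 3500, 3, 9)
          + [{"type": "paste", "field": "address", "t": 4000}])

if __name__ == "__main__":
    for name, session in (("fast human", FAST_HUMAN), ("hybrid", HYBRID)):
        print(name, classify_session(session))
```

Paste events are reported alongside the verdict rather than scored, so an analyst can review clipboard use separately from typing cadence.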


Stimulus fraud is clearly still prevalent, and banks have been working around the clock to come up with innovative ways to stop it. One of the prevention tactics many banks have deployed is to stop fraudulent accounts from being opened at all. Simply put, if criminals have nowhere to send the money, they can’t steal it.

As we continue to work with our top customers in the U.S., the power of behavioral biometrics has been on full display. In all the cases we have observed of account opening fraud, there were no significantly linked devices in the samples, nor were there any device features that could provide the same accuracy for detection. Behavioral biometrics provided the extra layer of visibility needed to detect fraud in the account opening process and uncover new customers who really weren’t customers at all.



Learn more about how behavioral biometrics is detecting fraud in the account opening process or view our recent webinar with Aite Group, “Mule Accounts: Risk Mitigation Strategies for Financial Institutions.”

A version of this blog was published as a feature article in The Paypers
