Federal Officials: COVID-19 Fraud Highlights Need for a New Digital Identity System

From February to December of last year, the U.S.’s top financial intelligence unit received more than 167,000 suspicious activity reports related to COVID-19.

The fraud often involved business email compromise scams and stolen identities, targeting government relief programs including unemployment insurance, economic impact payments, and small business lending programs. Over the last two months alone, the organization has seen over 10,000 account takeover reports that caused approximately $800 million in damages.

These figures were unveiled during a two-day virtual policy forum where intelligence officials, lawmakers, and cybersecurity experts discussed—among other things—the extent to which pandemic-related fraud exposed the weaknesses in the U.S.’s identity and authentication practices.

“We’ve seen how billions of dollars in fraud involving COVID-19 relief programs have exposed weaknesses in current identity and payment systems. These forced us to take a really hard look at how identity is managed, verified, and authenticated,” said Michael Mosier, deputy director of the Treasury Department’s Financial Crimes Enforcement Network, also known as FinCEN. “To get payments right, we have to get identity right and we have to do it in a way that preserves privacy while ensuring security in the system.”

Some participants in the policy forum, which was hosted by the Better Identity Coalition, Fido Alliance, and Identity Theft Resource Center, called on the Biden administration to focus on establishing a new digital identification system that would make it harder for cybercriminals and fraudsters to steal from financial institutions and victims who had their account credentials and personal information compromised.

All these things would be made massively easier with a secure digital ID and a means for our citizens to demonstrate who they are."

—Bill Foster, U.S. representative for Illinois’s 11th district.

A digital ID, advocates say, would make it easier for organizations to know that a user or customer is who they say they are. This would help prevent scams targeting unemployment insurance and tax refunds, but would also streamline government services and make it easier to do things like deliver vaccines.

“All these things would be made massively easier with a secure digital ID and a means for our citizens to demonstrate who they are,” said Bill Foster, a U.S. representative for Illinois’s 11th district, speaking at the event.

Digital IDs are already used widely outside of the U.S. to facilitate a range of government services and commercial transactions. Estonia, for example, gives citizens a digital ID that allows them to cryptographically sign digital documents, purchase “virtual” public transportation tickets, and even vote online.

In an interview published by The Record earlier this week, the head of Belgium’s top cybersecurity authority said the country has an app-based system that allows citizens to verify their identity to perform tasks such as filing taxes online. He said more robust digital ID would help prevent a wide range of cybersecurity issues, including phishing scams.

“Digital identity in the future will play a key role in cybersecurity,” said Miguel De Bruycker, managing director of the Centre for Cyber Security Belgium, which runs the country’s Computer Emergency Response Team (CERT). “But I think it will be as important to be able to send messages to someone and the receiver knows there’s a known digital identity linked to that message, and that I can see the difference between a message that is sent with and without a digital identity attached to it.”

In addition to email-related fraud, Mosier said the technology could help curb another type of scam that has ballooned in recent years: imposter fraud. In this type of scenario, a fraudster could pretend to be a government employee offering assistance in securing public funds, or a U.S. citizen who is stuck abroad and needs money to return home. 

The U.S. Department of Health and Human Services’ Office of the Inspector General issued an alert last month warning of scammers impersonating state and federal government officials asking for information, including Medicare details, to sign up for a COVID-19 vaccination. The Internal Revenue Service also warned taxpayers this month of impersonation scams, and advised that the agency never requests personal or financial information via email, text, letter, or social media.

In response to these scams, Mosier said that FinCEN is training law enforcement to identify emerging attack methodologies and issuing alerts and advisories with risk indicators to banks.

Although advocates of digital IDs say they could help combat this type of fraud and provide a wide range of other benefits, the technology has a mixed track record so far, according to research from consulting firm McKinsey. “To date, governments around the world have launched around 165 digital, or partially digital, ID schemes. However… only a few programs have achieved high levels of adoption, and use rates are often low, averaging just once or twice a year per person in some countries.”