Primary source · the documented record
What Womply told the SBA and FBI about stopping fraud, May 2021.
As identity-theft attacks surged against federal relief programs in the spring of 2021, Womply gave the SBA, the FBI, and other agencies a detailed memo: seventeen concrete steps to detect, prevent, and investigate fraud, and a plain warning that the government’s own controls were having “minimal impact.” It is reproduced in full below.
(PPP, EIDL, SVOG, RRF)
Written while the attacks were underway, the memo set out the signals Womply was seeing (across IP and device, identity verification, banking, and loan structure) and told investigators how to use them. Womply did not wait to be asked; it brought the playbook to the government.
Identity fraud against the relief programs was not a problem Womply discovered after the fact. It was one the company was tracking in real time and escalating to the agencies responsible. The memo below is reproduced faithfully; the only edits are the bracketed generalizations explained in the note at the end.
Recommendations to detect, prevent, and investigate fraud
In recent days we’ve seen a significant increase in fraudulent applications that contain stolen identities. Thousands of these applications have been approved by SBA, indicating that the processes used by SBA to detect and prevent identity fraud are having minimal impact. We did a cursory analysis of SVOG, EIDL, and RRF programs and observed that they are likely to have the same vulnerabilities today as the PPP program.
Here are some recommendations that may be applied to detect, prevent, and investigate fraud across government programs and by private participants.
Block all international IP addresses and all anonymous IPs
We’ve seen spikes in fraud from [several overseas regions] in the last two weeks. The geographies of attacks change, and therefore all international traffic should be blocked at the firewall. Most attackers mask their traffic with VPNs, proxies, or Tor. This is unlikely to have any impact on legitimate applicants. IP traffic must be blocked at all levels, including by any third-party solution [identity-verification, e-signature, and payment vendors, etc.].
Block all VOIP numbers
Using available telephony data, block VOIP numbers from being used for signup, verification, or notifications. Associated accounts and applications should be viewed as very high risk.
Database / KBA checks are widely exploited
Most digital KYC solutions are being systematically exploited, including [widely used database and knowledge-based-answer identity products]. Database checks for Name, Address, and SSN are routinely passing because identities have been stolen.
Block temporary, paper, or foreign IDs
US fake IDs are passing digital analysis, manual inspection, and barcode scanning. Other IDs should not be accepted. Expired IDs don’t appear to be a strong indicator of fraud at the moment.
Use video selfies with strict liveness checks
Dolls, mannequins, masks, animations, and deepfakes are exploiting technical holes in video-selfie technology, including liveness checks that require head movement, blinking, and mouth movement. Videos and images should be manually reviewed.
Block online banks at their routing number
[Several online-only and prepaid neobank providers] are all strongly correlated with fraud, and fund transfers to these banks should be blocked. The fact that someone has an account open with one of these companies should not be reassuring — their identity-verification processes provide little assurance — and instead should be viewed as a reason to classify their application as high risk.
Require funding into a named bank account via ACH
While many banks have substantial issues with KYC and stolen accounts, it’s still very important to have funds electronically deposited into a named account. Deposits onto prepaid cards should be strictly prohibited, because this eliminates a critical layer of fraud prevention.
Require business bank accounts
For programs or applications that require a registered business entity, require business bank accounts for all deposits. These should be independently verified with the RDFI. Where possible, ACH descriptors and routing numbers should be clearly separated and identifiable to aid RDFIs in their own fraud checks.
Apply strict rules after a funding failure
Conduct manual reviews on all data, and limit the number of retries or changes. Where possible under the rules of the program, add increasing delays for subsequent deposit attempts (a first retry adds a 5-day delay, a second adds 10 days, and so on). This adds time for the RDFI to close accounts if it detects fraud.
Require minimum bank activity
If possible, use [bank-transaction-data providers] to verify that bank activity existed at least 30 days ago. Bank statements aren’t useful for this purpose (too easy to fake).
Require a minimum bank balance of over $20
$20 is often the minimum required to open an account, and in general fraud rings are reluctant to deposit money that could be frozen. Often it’s not possible to collect this data due to institution or API failures.
Restrict bank account usage
Limit the count of deposits and the count of tax IDs on applications associated with each bank account.
Anonymous IDs & browser fingerprints
Identify clusters of browser fingerprints and cookie-based anonymous IDs to find fraud. Fraud rings rarely change their IDs or fingerprints across applications, so these links help connect fraudulent applications together.
Device count limits
Applications associated with more than two devices are high risk, particularly if those devices are located more than 50 miles apart (based on their IP address). This often indicates a vertically integrated fraud ring with specialists for each step (KYC, documents, bank accounts, etc.).
Limit IP-address distance from database address
Database checks of SSN will often return a recent address that is more than 250 miles from both the address shown on the ID and the IP-address location. This appears to be frequently associated with fraud.
Restrict tax IDs per bank login
Where possible, if using [a bank-aggregation provider], restrict the number of tax IDs from an application that can use the same login and password for a bank institution.
Use loan amount to identify risk
With PPP Schedule C and F filers, ~95% of confirmed fraudulent applications have been within $500 of the maximum allowable loan amount ($20,833 for draw 1).
Editorial note. This is a faithful reproduction of Womply’s May 2021 memo. The only changes are the generalizations shown in [brackets]: the names of specific third-party identity, banking, and telephony vendors, and a point-in-time list of countries, have been replaced with neutral descriptions. No recommendation has been added, removed, or altered. Womply named these third parties in a confidential communication to government investigators; they are generalized here because this is a public historical record, not to characterize any individual company.
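The memo states its rules as thresholds (more than two devices over 50 miles apart, a database address over 250 miles from both the ID address and the IP location, a loan within $500 of the $20,833 draw-1 maximum, one bank account funding several tax IDs, reused browser fingerprints, international or anonymous IPs, VOIP numbers) without showing how they combine. The script below is an added worked example of a triage pass that applies those rules to a constructed batch of applications; it is not Womply's code and nothing in the memo contains it. The record layout, the IP-geolocation coordinates, the anonymity and line-type flags, the routing and account numbers and every sample value are assumed inputs invented for the example, and the memo's own numbers are the only thresholds used.

```python
"""Added example: the memo's numeric fraud rules applied to constructed applications.
Not Womply's code. Geolocation, anonymity and line-type values are assumed inputs."""
from collections import defaultdict
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

MAX_SCHED_C_F_DRAW1 = 20_833  # PPP draw-1 maximum for Schedule C/F filers (from the memo)
EARTH_RADIUS_MILES = 3958.8


@dataclass
class Device:
    device_id: str
    ip_country: str      # assumed to come from an IP-geolocation lookup
    anonymous: bool      # VPN / proxy / Tor, assumed from an IP-intelligence lookup
    lat: float           # assumed IP-geolocation coordinates
    lon: float


@dataclass
class Application:
    app_id: str
    tax_id: str
    schedule_c_or_f: bool
    loan_amount: float
    phone_is_voip: bool  # assumed telephony line-type lookup
    bank_routing: str
    bank_account: str
    fingerprint: str     # browser fingerprint / cookie-based anonymous ID
    devices: list
    id_address: tuple    # (lat, lon) of the address on the ID
    db_address: tuple    # (lat, lon) of the latest address returned by the SSN database check


def miles_between(a, b):
    """Great-circle (haversine) distance in miles between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * EARTH_RADIUS_MILES * asin(sqrt(h))


def max_device_spread(devices):
    """Largest pairwise distance between the devices seen on one application."""
    pts = [(d.lat, d.lon) for d in devices]
    return max((miles_between(p, q) for i, p in enumerate(pts) for q in pts[i + 1:]), default=0.0)


def tax_ids_per_bank_account(apps):
    """Map (routing, account) -> set of tax IDs that tried to fund into it."""
    seen = defaultdict(set)
    for a in apps:
        seen[(a.bank_routing, a.bank_account)].add(a.tax_id)
    return seen


def link_by_fingerprint(apps):
    """Fingerprints reused across applications: the memo's clustering signal."""
    groups = defaultdict(list)
    for a in apps:
        groups[a.fingerprint].append(a.app_id)
    return {fp: ids for fp, ids in groups.items() if len(ids) > 1}


def flag_application(app, account_index):
    """Return (decision, reasons) for one application: block, high_risk or pass."""
    if any(d.ip_country != "US" or d.anonymous for d in app.devices):
        return "block", ["international or anonymous IP"]  # memo: block before anything else runs
    reasons = []
    if app.phone_is_voip:
        reasons.append("VOIP phone number")
    if len(app.devices) > 2 and max_device_spread(app.devices) > 50:
        reasons.append(f"{len(app.devices)} devices more than 50 miles apart")
    far_from_id = miles_between(app.db_address, app.id_address) > 250
    far_from_ips = all(miles_between(app.db_address, (d.lat, d.lon)) > 250 for d in app.devices)
    if far_from_id and far_from_ips:
        reasons.append("database address >250 miles from ID address and IP location")
    if app.schedule_c_or_f and abs(MAX_SCHED_C_F_DRAW1 - app.loan_amount) <= 500:
        reasons.append("loan within $500 of the draw-1 maximum")
    shared = account_index.get((app.bank_routing, app.bank_account), set())
    if len(shared) > 1:
        reasons.append(f"bank account used by {len(shared)} tax IDs")
    return ("high_risk" if reasons else "pass"), reasons


def triage(apps):
    """Run every application through the rules, using the whole batch for cross-application links."""
    index = tax_ids_per_bank_account(apps)
    return {a.app_id: flag_application(a, index) for a in apps}


# Constructed sample batch: coordinates, routing/account numbers and tax IDs are all invented.
NYC, CHI, MIA, LAX, BER = (40.71, -74.01), (41.88, -87.63), (25.76, -80.19), (34.05, -118.24), (52.52, 13.41)
SAMPLE_APPLICATIONS = [
    Application("A1", "11-1111111", True, 12_000, False, "123456789", "111222333", "fp-legit-01",
                [Device("d1", "US", False, *NYC)], NYC, (40.73, -73.99)),
    Application("A2", "22-2222222", True, 20_600, True, "123456789", "999888777", "fp-ring-77",
                [Device("d2", "US", False, *NYC), Device("d3", "US", False, *CHI),
                 Device("d4", "US", False, *MIA)], NYC, LAX),
    Application("A3", "33-3333333", True, 20_700, False, "123456789", "999888777", "fp-ring-77",
                [Device("d5", "US", True, *NYC)], NYC, NYC),
    Application("A4", "44-4444444", False, 9_000, False, "123456789", "555666777", "fp-other-02",
                [Device("d6", "DE", False, *BER)], NYC, NYC),
]

if __name__ == "__main__":
    for app_id, (decision, reasons) in triage(SAMPLE_APPLICATIONS).items():
        print(app_id, decision, reasons)
    print("linked by fingerprint:", link_by_fingerprint(SAMPLE_APPLICATIONS))
```

Two design points follow the memo rather than convention: the IP rule short-circuits before any scoring because the memo wants that traffic blocked at the firewall and at every vendor, not merely weighted; and the bank-account and fingerprint links are computed over the whole batch, since the memo's point is that a single application looks clean while the ring is visible only across applications. In the sample, A1 passes, A2 trips five rules (one of them only because A3 reused its bank account), and A3 and A4 never reach the scoring at all. The distance rules are only as good as the IP geolocation behind them, which the memo takes as a given input.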