COVID-19 Fraud Schemes

20-RISK-02 / August 2020
COVID-19 Fraud Schemes
Consumer Protection
Federally Insured Credit Unions
Federally Insured Credit Unions
COVID-19 Fraud Schemes

Dear Boards of Directors and Chief Executive Officers:

The NCUA Board is issuing this alert to inform credit unions about the risk of fraud associated with the COVID-19 pandemic. Those committing fraud often attempt to take advantage of opportunities made possible through new or expanded large government programs arising from emergency situations, such as the Coronavirus Aid, Relief, and Economic Security Act (CARES Act).

The CARES Act provides many ways for financial institutions to work with members impacted by the pandemic.1 This alert describes increased risks associated with routine operations, outlines red flags associated with common fraud schemes in major CARES Act programs, provides references and avenues to report fraud or misconduct to the most appropriate authorities2, and also provides member education resources.

Financial Institution Fraud

New account fraud, identity theft, cybersecurity risks,3 imposter and money mule schemes, and mobile banking application fraud are on the rise as a result of the opportunities related to the ongoing COVID-19 pandemic. Fraudsters are particularly motivated to attempt these schemes because of the predominately virtual environment, and the significant shift towards remote access. Fraudsters are increasingly seeking opportunities to exploit vulnerabilities in financial institutions’ remote access systems and customer-facing processes.

Information about evolving fraud trends associated with the pandemic are being released by many different federal agencies as they are identified. We encourage credit unions to monitor the Financial Crimes Enforcement Network (FinCEN), the FBI’s Internet Crimes Complaint Center, the Federal Trade Commission’s (FTC), the Department of Health and Human Services Office of the Inspector General, and other websites maintained by agencies mentioned in this alert to remain vigilant and aware of the rapidly changing nature of these schemes.

Small Business Administration Loan Fraud

The Small Business Administration (SBA) is currently providing relief to small businesses through the Paycheck Protection Program (PPP) and Economic Injury Disaster Loans (EIDL).4 The PPP was designed to provide payroll financial relief for businesses affected by the COVID-19 pandemic. The SBA may forgive PPP loans if employee retention and eligible expense criteria are met. The SBA estimates that, as of July 2020, more than 70 percent of U.S. small businesses have been supported by the PPP.

The EIDL program was designed to provide working capital (such as fixed debts, payroll, accounts payable, and certain eligible expenses) for businesses. While credit unions are not directly part of the application process, they can experience fraud related to it. A credit union may receive advances based on EIDL applications that do not have to be paid back, or see EIDL proceeds deposited into an account.

The most common red flags in these SBA programs include:

  • PPP applications with manipulated or fraudulent supporting documentation.
  • PPP applications in different names that contain nearly identical application information and supporting documentation, and originate from the same Internet Protocol (IP) address.
  • Fake businesses established during the pandemic that do not have an internet presence, and have minor differences between names on the application documents and public business registration documents.
  • Existing accounts may have a consistently low balance with no history of business payroll expenses.
  • New accounts created for the sole purpose of applying or receiving SBA funds. These accounts do not reflect any previous business-related transaction activity, and funds are quickly transferred after receiving loan advances or proceeds.
  • After loan advances or proceeds are deposited into an account, funds are immediately withdrawn in cash, wired out, transferred to an investment account, used to purchase luxury assets not associated with typical business-related expenses, or used to start an entirely new business.

Report fraud suspected through these or other SBA programs to the SBA Office of the Inspector General (SBA OIG).

Guidance on reporting ongoing PPP loans, how to cancel PPP loans, and additional information on fees paid to lenders is provided in SBA Procedural Notice 5000-20036. The SBA OIG has also published a lender alert regarding EIDL and how to return funds.

Business Tax Credits Fraud

The CARES Act allows businesses to take an Employee Retention Credit though business tax credits from the IRS. This credit is designed to encourage employers to keep employees on payroll through a refundable tax credit of 50 percent for up to $10,000 in qualified wages, which is paid to an employee by an eligible employer experiencing economic hardship related to the COVID-19 pandemic. The CARES Act also authorizes an additional Credit for Sick and Family Leave for employers that pay these wage types.

Employers eligible for both tax credits can request an advance of the credits. These advances are paid by U.S. Treasury paper checks, and may reference “IRS Form 7200 refund” on the memo line. Businesses must complete an IRS Form 7200 to receive advance payments of the CARES Act tax credits, and checks can be issued as frequently as an employer would have payroll expenses, such as every two weeks.

The most common red flags associated with these tax credits include:

  • U.S. Treasury check deposits while receiving loan proceeds from SBA programs. Businesses are only allowed to take advantage of the Employee Retention Credit or the PPP program. They may not take advantage of both programs.
  • Inflated wages or numbers of employees to increase the amount of tax credits or advances received through a U.S. Treasury check.
  • U.S. Treasury check deposits into accounts with no indication of business or payroll activity.
  • U.S. Treasury check deposits used to pay personal expenses.

Report fraud suspected through these business tax credits to IRS Criminal Investigation.

Unemployment Insurance Fraud

The CARES Act provides additional unemployment insurance funding for eligible individuals through the Pandemic Unemployment Assistance (PUA) program, the Federal Pandemic Unemployment Compensation program (FPUC), and the Pandemic Emergency Unemployment Compensation (PEUC) program. It also provides guidance to state unemployment insurance programs on administration and eligibility criteria.

The PUA program provides benefits for eligible individuals who do not typically qualify for unemployment insurance benefits through state or federal programs, such as self-employment or while looking for part-time employment. The FPUC program provided an additional $600 per week in compensation for individuals collecting certain unemployment insurance benefits5, and the PEUC program allows individuals that have exhausted current unemployment insurance benefits to receive an additional 13 weeks of compensation. Unemployment insurance benefits can be disbursed using different mechanisms, such as debit cards or direct deposits. Risks and fraud schemes can vary significantly based on inherent risks posed by the particular mechanism used to receive the funds.

The most common red flags associated with these programs include:

  • An account receiving unemployment insurance benefits from another state without a reasonable explanation, or from multiple other states other than where the individual resides.
  • An account receiving unemployment insurance benefits on behalf of multiple individuals.
  • New or established accounts are opened, but they lack transactional activity. Then they are suddenly used to collect unemployment insurance benefits.
  • Imposter schemes, where a fraudster poses as an official entity to defraud victims, such as obtaining personally identifiable information to fraudulently file for unemployment insurance benefits.
  • Money mules, where an individual knowingly or unknowingly obtains money on behalf of, or at the direction of, someone else to improperly obtain unemployment insurance benefits.

Report fraud suspected in unemployment insurance benefits to the Department of Labor Office of the Inspector General.

Reporting Fraud

Credit unions should contact the respective federal agencies described in this alert to report fraud, and file Suspicious Activity Reports (SARs) through FinCEN, as appropriate. Credit unions should include the type of fraud and/or name of the scam or scheme (for example, imposter scam or money mule scheme) in the appropriate field of the SAR. Including other detailed information, such as the potentially affected programs, common methodologies, identities, and IP addresses can significantly enhance law enforcement’s ability to detect and respond to CARES Act related frauds.

The NCUA will continue to issue updated information as it becomes available. If you suspect credit union employees, officers, or volunteers have engaged in fraud in connection with these or other programs, contact the NCUA’s Fraud Hotline at 800.827.9650. You can also provide this information to your NCUA regional office or state supervisory authority, along with any questions. Allegations provided to the NCUA Fraud Hotline or the NCUA regional offices will also be reported to the NCUA OIG.

Member Education

Credit union members may also be vulnerable to the risks of fraud associated with the pandemic. Federal agencies such as the IRS and FTC warn consumers to guard against financial scams related to COVID-19.

Credit unions are encouraged to share fraud prevention and financial literacy resources with their members. If you have questions about NCUA’s financial literacy resources, please contact the NCUA’s Office of Consumer Financial Protection at 703.518.1140.



Rodney E. Hood


1 See NCUA Letter of Credit Unions, 20-CU-13, Working with Borrowers Affected by the COVID-19 Pandemic and NCUA’s webpage Coronavirus (COVID-19): Information for Federally Insured Credit Unions and Members.

2 The program information and red flags in this risk alert are not intended to be comprehensive. Credit unions should familiarize themselves and coordinate with relevant individual government agencies for guidance, purpose, eligibility limits, restrictions, extensions, specifications, or other programs associated with the COVID-19 pandemic.

3 See NCUA Risk Alert, 20-RISK-01, Cybersecurity Considerations for Remote Work.

4 See NCUA Letter of Credit Unions, 20-CU-06, Small Business Administration Loan Programs to Help Small Businesses and Members During the COVID-19 Pandemic.

5 This program recently ended but could be modified or extended by Congress.

Last modified on