COVID-19 Economic Injury Disaster Loan Applications Submitted from Foreign IP Addresses

We evaluated the U.S. Small Business Administration’s (SBA) controls to flag or prevent potentially fraudulent Coronavirus Disease 2019 (COVID-19) Economic Injury Disaster Loan (EIDL) applications submitted from foreign Internet Protocol (IP) addresses.

Although the agency implemented several layers of controls to prevent or reduce fraud from foreign countries, individuals at foreign IP addresses were able to access the COVID-19 EIDL application system. SBA received millions of attempts to submit COVID-19 EIDL applications from foreign IP addresses and stopped most of them; however, the agency processed more than 233,000 of these applications from March 20, 2020 to November 12, 2021, our review period. Of this amount, SBA approved and disbursed 41,638 COVID-19 EIDLs, advances, and grants for $1.3 billion.

The numerous applications submitted from foreign IP addresses are an indication of potential fraud that may involve international criminal organizations. OIG has ongoing investigations into international organized crime operations that applied for and stole pandemic relief funds. SBA officials were aware of and concerned about the potential fraud from overseas.

We recommended the agency thoroughly review the loans in our test sample and the $1.3 billion disbursed to applicants from foreign IP addresses. The agency should stop any further or future disbursements to any applicants deemed to be ineligible or fraudulent. We also recommended SBA recover any disbursed loans and advances determined to be ineligible or fraudulent. Additionally, we recommended that the agency examine controls related to foreign IP addresses and ensure these controls are more effective in future disaster processing systems.

Management partially agreed with recommendation 1, stating they would conduct a proactive review of COVID-19 EIDL applications that received funds for potentially ineligible or fraudulent businesses. They will attempt recovery and continue to refer suspected fraud to the OIG. SBA agreed with recommendation 2, stating the agency will examine controls related to foreign IP addresses and ensure these controls are more effective in future disaster processing systems.