New estimates suggest that international criminal outfits are stealing hundreds of billions of dollars from the US government every year. One of the major goals of the second Trump administration has been to cut what it perceives as government waste thousands of jobs or federal funding programs, for example. It has not gone so smoothly, and it has caused a lot of furors, but there is one non-partisan area the government might consider applying its resources, if the goal is to save money. In April 2025, the US Government Accountability Office (GAO) estimated that the US government loses somewhere between $233 billion and $521 billion to fraud annually. Taxpayer dollars are siphoned off by criminals at a rate equivalent to the annual gross domestic product (GDP) of countries like Hungary or Qatar.
Jordan Burris, head of public sector at Socure, thinks that even that may be a lowball guess. During the COVID-19 pandemic, the federal government was just starting to put in place the foundation for measuring [fraud]. As we look at the numbers that are being estimated today, I think they do not account for the total of what we are seeing happen thanks to identity fraud across both federal and state organizations. "The reality," he says, "is that government programs are being treated like ATMs by international crime rings."[1]
The ammunition fraudsters use to steal from the government is all of our personally identifying information (PII) leaked online in data breaches. "All of our information is available on the Dark Web. It's easy for attackers to curate that information and use it to beat what are inconsistent or porous fraud controls that exist across several agencies today," Burris says. "Many agencies still rely on methods [of authentication] that have been proven to be beatable. This could be something as simple as them asking for a Social Security number (SSN) to see if you're a real person. Or perhaps asking you questions, such as, 'Did you live at this one address 10 years ago?' The reality is that those can be easily beaten by adversaries."
According to Socure's recent report on the subject, four in every five cases of government grift involves a real American's identity. A bad actor will file an application for some sort of government check, supplying a real person's PII but their own contact information. Real people are, of course, inclined to notice when their identities have been stolen, so more risk-averse, creative attackers have used synthetic identities for the same purposes. In these cases, Socure noted, there are often patterns to their forged PII repetitive patterns in online user IDs and fake SSNs, or email addresses with silly references or racy language. Sometimes the discrepancies are more subtle, such as when a contrived SSN doesn't align with the number the imaginary person would have been assigned based on their year of birth.
Typically, fraudsters are not content with defrauding just one government agency. Around one in four attempts at fraud is repeated across multiple agencies, and fraudsters will use the same identities to target organizations in the private sector. When they do double dip, many attackers will play it slow, going days or weeks between attacks, either at their own convenience, in cases involving synthetic IDs, or to avoid raising too much alarm at once, in cases of identity theft. Sometimes, though, an attacker will perform several attempts at fraud in a single day, doing as much damage as possible before their victim has time to notice and react.
In retrospect, Socure highlights COVID-19 stimulus as a potential wakeup call wasted. The government spent more than $4 trillion keeping the economy afloat during that period, and while many ordinary business owners, newly unemployed individuals, and ordinary citizens collected what they were allotted, fraudsters took a healthy chunk for themselves: hundreds of billions in taxpayer funds, if some estimates are accurate.
Instead of addressing the wanton grift, Burris says, these attacks are still just as possible today as they were then possibly more so, in fact, thanks to advancing artificial intelligence (AI) technologies that can help the scammers with scale. The solution, he thinks, is not longer application forms with more personal questions to fill out. "The burden shouldn't be placed on the public in order to prove and assert who they are online. Instead, we should be leveraging the power of what already exists today to help detect this type of malicious activity."
"It's very simple," he continues. "Think about it this way: If for some reason, we're saying that you're applying for an account in California for government aid, and yet the IP address is coming from Russia, and it's using an email address that's never been associated with you, why should that be allowed to get through?" Indeed, Socure identified crime rings stealing from the US from as far away as China, India, the Philippines, Poland, Russia, South Africa, and beyond, using disposable email addresses from shady providers. "Every dollar that doesn't make it to a member of the American public you can bet is going to a nation-state actor, which is using it for nefarious activities, which can be criminal rings or everything from human trafficking to terrorist activities," he warns.
This article is shared at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC). For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.redskyalliance.com/
- LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://register.gotowebinar.com/register/5207428251321676122
[1] https://www.darkreading.com/threat-intelligence/international-crime-rings-defraud-us-govt-billions
Comments