Lenders to small- and medium-size businesses have seen fraud attempts increase since 2021. At the same time, their losses to such fraud, as a percentage of their revenue, has dropped. Still, those losses remain higher than prior to the pandemic, according to
These lenders say the cost of fraud as a fraction of their overall revenues decreased from 6.2% in 2021 to 5.5% last year. In 2019, the rate was 4.2%. Nonbank digital lenders including fintechs continue to see greater losses than their institutional counterparts — 8% of revenue in 2021 and 7% in 2022. In 2019, the rate was 5.8%.
At the same time, the amount of fraud attempted through these channels has also increased. Lenders reported a 14.5% increase in fraud from 2021 to 2022 on average. From 2019 to 2020, that increase was 4.1%, and from 2020 to 2021, it was 6.9%.
Market research firm KS&R conducted the survey on behalf of fraud prevention company LexisNexis Risk Solutions. KS&R based its findings off 147 survey completions collected from September to October.
SMB loan fraud skyrocketed early during the COVID-19 pandemic, when the U.S. extended Paycheck Protection Program loans through the Small Business Administration. The fintechs and financial institutions that administered these loans did not directly bear the costs, as the loans were government-backed, but they have been heavily criticized for allowing the fraudulent applications through.
Many fraudsters see SMB loans as easier, less sophisticated targets than consumer loans, according to Tom Hunt, director of business risk strategy at LexisNexis Risk Solutions. Financial institutions have invested heavily in preventing consumer loan fraud, but they have not given the same degree of attention to SMB loans, he said.
Defrauding business lenders can also be lucrative.
"If you can defraud your way into an $80,000 line of credit, that's a lot of consumer credit cards that you would have to set up to get to that same number," Hunt said.
Fraudsters who take advantage of SMB lenders can use consumer identity theft to take over or misrepresent ownership of a business, or they can lie about the nature of their business entity when applying for a loan. They can also do both.
The business a fraudster uses to apply for a loan can lie on a spectrum of totally bogus to real and legitimate. In cases of a bogus business, the entity could have no prior records and no state registrations. Cases involving a legitimate business applying for a loan can involve a fraudster misrepresenting that they are the business owner.
The personal identities fraudsters employ in these schemes also vary. They can impersonate a real person whose information they have stolen, or they can create an identity from bits and pieces of stolen identities, also known as a synthetic identity.
As lenders look to counter the multiple layers of subterfuge that criminals can employ to commit SMB fraud, these financial institutions at times overlook simple verification steps, according to Hunt.
An example is verifying that any Social Security number the lender collects during an SMB loan application process is valid. One way to do this is by rejecting any SSN that begins with a 9 because the Social Security Administration does not issue any such numbers (although Individual Taxpayer Identification Numbers can start with a 9).
As of last year, lenders even have a direct means of verifying that a name, date of birth and Social Security number all match the Social Security Administration's records.
The SSA's Electronic Consent-Based Social Security Number Verification (
The eCBSV service does not mitigate the possibility of using stolen personal information in a loan application. The SSA can verify that a name, date of birth and SSN match its records, but it cannot determine whether the information is stolen. So, lenders can use other signals to determine whether an application looks fraudulent.
Lenders can use their own application data to screen for fraud by paying attention to the domain names users enter for their email addresses, according to Sara Seguin, principal advisor on fraud and identity risk for identity verification platform Alloy. They can also screen applications that claim an applicant lives in a housing unit where hundreds of other applicants also claim to live.
In these cases, rather than turning away a potentially legitimate customer who merely looks risky, businesses can use step-up verification, like asking for a selfie of the applicant, phone number verification or an in-person meeting.
But meeting an applicant in person at a bank or credit union branch does not guarantee the application is legit. Fraudsters use a number of strategies to pull off
"The strategy you may use at account opening will differ" depending on where it happens, Seguin said, "but it is important to not relax your controls just because the opening is occurring in person."
Hunt said many of his clients see trends in applications that suggest fraudsters are trying to reverse engineer the lender's application process by submitting multiple applications from the same device. This trial-and-error strategy is significantly easier with digital transactions compared to in-person transactions.
"If you walk into the branch of a bank or credit union and apply for a loan then get denied, you're not going to walk out to the parking lot then turn around 15 minutes later and come back in with a completely different identity," Hunt said.
Using additional verification steps when warning signs flash is often just enough to ward off fraudsters engaged in less sophisticated schemes, according to Hunt, and he added that lenders tend to underrate the impact these criminals have.
"There's a lot of low hanging fruit," Hunt said. "You don't need LexisNexis Risk Solutions to tell you that all fives on a Social Security number [is suspicious.]"
Just as consumers tend to find it embarrassing to fall for fraud that looks obvious in hindsight, the same goes for lenders, Hunt said. For that reason, cases of obvious fraud that go uncaught tend to get less attention than they ought to.
"There's at least some dignity and honor in saying you got beat by a very sophisticated, organized crime ring," Hunt said. "But I do think there's plenty of opportunity to mitigate fraud that is not very sophisticated."