New report warns federal fraud controls are falling behind

A new fraud-prevention report sponsored by Socure argues that the federal government is facing a fraud environment that is changing faster than the systems that are designed to stop it, with AI, automation, and globally distributed digital infrastructure making identity-based fraud cheaper, faster, and easier to scale.

The report says the challenge for government is no longer just the volume of fraud, but the speed at which schemes now evolve while public sector controls often move on annual or multi-year timelines.

The central conclusion of the report is that fraud prevention must move earlier in the payment lifecycle, that data access and privacy should be treated as compatible rather than competing values, and that agencies need stronger incentives to prevent fraud before money goes out the door.

The report grounds its warning on the scale of existing losses. It cites Government Accountability Office estimates that the federal government loses between $233 billion and $521 billion each year to fraud.

It also points to Pandemic Response Accountability Committee (PRAC) estimates that three major pandemic relief programs disbursed roughly $79 billion in fraudulent payments tied to stolen or invalid Social Security numbers, losses the report says could have been identified before payment if more modern analytics had been in place upstream.

What has changed most, according to the report, is how quickly fraud operations can now be built and deployed.

Rather than treating fraud as a series of isolated bad actors, the report describes increasingly industrialized operations built around “identity farms.”

These criminal enterprises assemble stolen or synthetic identity elements such as names, dates of birth, Social Security numbers, email addresses, phone numbers and IP addresses, then age those identities to make them look legitimate before using them across multiple programs and platforms.

One example cited in the report illustrates that acceleration. According to Socure’s analysis, one fraud ring used AI to create 24,148 synthetic identities from 340 purchased Internet domains, and launched 35,894 application attacks in roughly 30 days, with many attacks beginning within 48 hours of the identities being created.

The report presents that case as evidence that fraud schemes can now adapt in days or even hours, while government oversight and procurement processes remain far slower.

The report also says some of the identity signals that fraud systems have historically relied on are weakening.

Socure analysis of nearly 100 million consumer transaction records found that between November 2023 and August 2025, identity address linkage in fraud populations dropped ten percent, identity email linkage fell 13 percent, and email phone linkage dropped two percent.

The report says these trends suggest fraudsters are deliberately suppressing traditional signals by avoiding reuse of email addresses, phone numbers and devices, making older forms of pattern detection less effective.

Even so, the report argues that the government is not powerless and says recent federal efforts show meaningful gains are possible when agencies intervene before disbursement.

It points to the Department of Treasury, Office of Management and Budget (OMB), and PRAC as evidence that earlier screening, better data access, and more modern analytics can stop large volumes of improper payments without broadly restricting access to benefits.

The report repeatedly stresses that the lesson is not that programs should slow down, but that speed and integrity no longer must be mutually exclusive.

A major focus is Treasury’s Do Not Pay system, which the report describes less as a static compliance tool than as an orchestration layer that can combine multiple data sources, generate risk indicators, and support real-time decisions.

According to the report, the first year of Treasury’s pilot using the Social Security Administration’s Death Master File identified, prevented, or recovered $113.5 million in improper payments, representing a return on investment of about 23 times the pilot’s cost.

It also says that in fiscal year 2024 only four percent of federal programs had completed the legal requirements needed to access all Do Not Pay databases, though Treasury and OMB have since shortened the designation process from more than a year to a few months and are aiming for full use by all large agencies by the end of this year.

The report highlights other recent results it says show prevention can work at scale. It says AI-assisted check fraud detection at Treasury prevented and recovered more than $1.9 billion in fiscal years 2024 and 2025 combined.

It says the Public Assistance Reporting Information System’s (PARIS) Interstate Duplicate Benefits System identified about $1.3 billion in improper payments in fiscal year 2025, with another $156 million expected from expanded death matching across 19 states.

PARIS is a federal-state partnership administered by the Administration for Children and Families that identifies duplicate benefits for public assistance programs across state lines.

The report also says a Treasury cross-functional tiger team identified 19 datasets that could prevent an estimated $28 billion in improper payments, framing that as a roadmap for the next phase of federal anti-fraud work.

The report argues, however, that technology is not the main bottleneck. In the federal grants system especially, it says the larger problem is fragmented governance.

Because grants are administered through states, localities, and other non-federal entities, while oversight authority and data remain scattered across federal and state silos, agencies often struggle to coordinate identity verification, eligibility checks, and cross-program visibility.

In that sense, the report says, governance rather than capability is the binding constraint.

That is why much of the document centers on incentives. It says federal officials are still often rewarded for rapid disbursement, high transaction volume, and post-payment recovery, while pre-payment prevention and “dollars never lost” receive less institutional support.

The report points to the Ending Improper Payments to Deceased People Act of 2026, which permanently authorizes the Social Security Administration to share its complete death records with Treasury’s Do Not Pay service as an example of Congress beginning to move toward prevention-first governance.

But it argues that broader oversight and funding structures still need to change so agencies are not punished for adding targeted friction to suspicious claims while allowing legitimate payments to move quickly.

Looking ahead, the report casts Congress as the best institution to turn scattered successes into standard operating procedure across government.

It says lawmakers can scale proven practices by expanding PRAC jurisdiction over cross-agency grant programs, protecting fraud-prevention funding, extending the statute of limitations for pandemic fraud from five years to 10 years, codifying early screening authorities, reinforcing data-sharing guardrails, and encouraging modernization of state-administered grant systems.

The broader goal, the report says, is to make prevention early, permanent and interoperable rather than episodic or crisis-driven.

In the end, the report’s message is not that government needs a single new anti-fraud tool. It is that fraud prevention now must be treated as a continuous, shared, and data-driven function that begins before payment and adapts as quickly as the threat does.

Article Topics

digital identity  |  fraud prevention  |  GAO (Government Accountability Office)  |  identity verification  |  Socure  |  United States