Your Clients' PPP Data Is Public — And Fraudsters Know It
Imagine a vendor your nonprofit client has worked with for years calls to confirm updated banking details for an upcoming payment. The request seems routine. The caller knows the organization's name, its EIN, and — helpfully — even references the PPP loan it received back in 2020. So your client updates the record. And two weeks later, $40,000 goes to an account that belongs to no one they've ever worked with.
This scenario isn't hypothetical. It's happening right now — and the PPP and SBA loan data that made the pandemic relief programs possible is one of the reasons why.
What Fraudsters Already Know About Your Clients
When Congress mandated transparency in pandemic-era lending, it required the SBA to disclose loan recipient data for PPP and Economic Injury Disaster Loans (EIDL). That data — including organization names, loan amounts, lender information, and in many cases addresses and business types — is publicly available through databases like ProPublica's Nonprofit Explorer and various federal data repositories.
For nonprofits, the exposure is compounded. Form 990 filings are already public record, revealing executive compensation, major vendors, program expenses, and board member names. Layer PPP data on top of that, and a bad actor has a remarkably complete picture of an organization — its financial scale, its leadership, its lenders, and the fact that it received a federal loan it may have had forgiven.
That information doesn't expire. Fraudsters are using it today, years after the loans were made.
The Fraud Schemes CPAs Should Recognize
Several fraud patterns have emerged that specifically target nonprofits using publicly available government data:
- Vendor impersonation and business email compromise (BEC). Armed with details from public filings, fraudsters pose as known vendors or lenders and request changes to payment instructions. Because the caller already knows specific details about the organization, staff may not question the legitimacy of the request.
- Grant application fraud. Criminals use stolen organizational identifiers — EINs, addresses, executive names — to apply for grants or loans on behalf of an organization. The nonprofit may not discover the fraud until a funder asks about an application it never filed.
- Phishing and social engineering. Targeted phishing emails that reference an organization's PPP loan, its lender, or its SBA loan number lend an air of legitimacy to requests for credentials, wire transfers, or sensitive financial information.
- Fake audit or compliance notices. Some schemes involve fraudulent communications purportedly from the SBA, the IRS, or an auditing body, claiming the organization must provide documentation related to its PPP loan — and requesting financial data or payments to resolve a fabricated issue.
What CPAs Can Do Right Now
CPAs serving nonprofit clients are uniquely positioned to raise awareness and strengthen defenses. Consider working through the following with the organizations you serve:
- Conduct a public data audit. Search for your client's organization in ProPublica's Nonprofit Explorer and the SBA's PPP loan database. Know what information is publicly visible and make sure your client's leadership is aware of its exposure.
- Review payment change controls. Nonprofit finance teams often operate lean. Ensure your client has a formal, written policy requiring multi-step verification before any banking or payment information is changed — regardless of how convincing the request appears.
- Train staff on targeted social engineering. General phishing training isn't enough. Staff should understand that a caller who references specific loan details, lender names, or executive information has not earned trust — that information is available to anyone who looks for it.
- Set up monitoring for unauthorized filings. Encourage clients to periodically search for their organization name in grant databases and to monitor their credit profile for unexpected activity that could indicate identity-based fraud.
- Know the reporting channels. Suspected SBA-related fraud should be reported to the SBA Office of Inspector General at sba.gov/oig. The FBI's Internet Crime Complaint Center (IC3) at ic3.gov is the appropriate channel for BEC and wire fraud incidents.
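As an added illustration, not part of the original post or any COCPA or SBA material, the following Python models the payment-change control recommended above: a vendor's banking details change only after a callback to the phone number already on file (never a number the requester supplied), approval by a second staff member, and a hold period, with every step written to an audit trail. The vendor, staff names, phone numbers and the 48-hour hold are constructed assumptions for the example.

```python
"""Vendor bank-change verification workflow (added example, constructed data)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

HOLD_PERIOD = timedelta(hours=48)  # assumption: hold length chosen for this example


@dataclass
class Vendor:
    name: str
    phone_on_file: str   # contact number verified when the vendor was onboarded
    bank_account: str


@dataclass
class ChangeRequest:
    vendor: Vendor
    new_account: str
    requested_by: str           # staff member who received the request
    contact_given: str          # callback number supplied by the requester (untrusted)
    received_at: datetime
    callback_verified: bool = False
    approver: Optional[str] = None
    audit: List[str] = field(default_factory=list)

    def log(self, event: str) -> None:
        self.audit.append(event)


def record_callback(req: ChangeRequest, number_dialed: str, vendor_confirmed: bool) -> bool:
    """Step 1: a callback only counts if it went to the number already on file."""
    if number_dialed != req.vendor.phone_on_file:
        req.log(f"callback to {number_dialed} rejected: not the number on file")
        return False
    req.callback_verified = vendor_confirmed
    outcome = "confirmed" if vendor_confirmed else "denied"
    req.log(f"callback to number on file: vendor {outcome} the change")
    return vendor_confirmed


def approve(req: ChangeRequest, approver: str) -> bool:
    """Step 2: the second approver must not be the person who recorded the request."""
    if approver == req.requested_by:
        req.log(f"approval by {approver} rejected: same person recorded the request")
        return False
    req.approver = approver
    req.log(f"approved by {approver}")
    return True


def apply_change(req: ChangeRequest, now: datetime) -> Tuple[bool, str]:
    """Step 3: apply the change only when all three controls are satisfied."""
    if not req.callback_verified:
        return False, "no verified callback to the number on file"
    if req.approver is None:
        return False, "missing second approver"
    if now - req.received_at < HOLD_PERIOD:
        return False, "hold period not elapsed"
    old = req.vendor.bank_account
    req.vendor.bank_account = req.new_account
    req.log(f"bank account changed {old} -> {req.new_account}")
    return True, "applied"


def demo() -> dict:
    """Constructed scenario: an 'urgent' request arriving with its own callback number."""
    vendor = Vendor("Example Supply Co. (constructed)", "555-0100", "ACCT-OLD-0001")
    t0 = datetime(2024, 1, 8, 9, 0)
    req = ChangeRequest(vendor, "ACCT-NEW-9999", "alice", "555-0199", t0)

    # Dialing the number the requester supplied proves nothing and is rejected.
    bad_callback = record_callback(req, req.contact_given, vendor_confirmed=True)
    # The number on file reaches the real vendor, who confirms the change.
    good_callback = record_callback(req, vendor.phone_on_file, vendor_confirmed=True)
    # The requester cannot approve her own request; a second person must.
    self_approve = approve(req, "alice")
    second_approve = approve(req, "bob")
    # Same-day pressure to "just update it" is blocked by the hold period.
    rushed = apply_change(req, t0 + timedelta(hours=2))
    # After the hold elapses the change goes through and is logged.
    final = apply_change(req, t0 + HOLD_PERIOD)
    return {
        "bad_callback": bad_callback,
        "good_callback": good_callback,
        "self_approve": self_approve,
        "second_approve": second_approve,
        "rushed": rushed,
        "final": final,
        "account": vendor.bank_account,
        "audit": req.audit,
    }


if __name__ == "__main__":
    for line in demo()["audit"]:
        print(line)
```

The point of the three checks is that none of them relies on anything the caller said: the callback goes to the number collected at onboarding, the approver is chosen by the organization, and the hold period gives the real vendor time to notice an unexpected confirmation call. The audit list gives the CPA a record of who verified what when the control is reviewed.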
A Note on Audit Implications
For CPAs performing audits or agreed-upon procedures engagements for nonprofits, this trend has practical implications for risk assessment. The availability of detailed financial and organizational data through public sources increases the likelihood of targeted fraud attempts — which should be factored into your assessment of control environment risks and your conversations with management about the design of anti-fraud controls.
If your client received PPP or EIDL funds and hasn't revisited its internal controls since the pandemic, now is the right time for that conversation.
The CPA's Role Is More Important Than Ever
The organizations your nonprofit clients serve — community members, families, students, people in crisis — depend on those organizations being financially sound. Fraud doesn't just cost money. It erodes donor trust, diverts resources from mission, and can destabilize an organization that took years to build.
As the trusted financial advisor in the room, you're often the first line of defense. Use that position. Bring this conversation to your clients before a fraudster does.
Resources
SBA Office of Inspector General — Report Fraud
FBI Internet Crime Complaint Center (IC3)
ProPublica Nonprofit Explorer — Search your clients' public data
AICPA — Fraud Risk Management Guide
Questions or feedback? Reach the COCPA Nonprofit Working Group through COCPA Connect or contact Stacy Svendsen at stacy@cocpa.org to contribute to an upcoming blog post.