The government failed to put adequate measures in place to prevent fraudsters stealing billions through its Bounce Back Loan scheme to businesses, the National Audit Office (NAO) has said.
Counter-fraud activity was "implemented too slowly", which resulted in "high levels of estimated fraud", it said.
It added the Department for Business estimated fraudulent loans were worth £4.9bn, 11% of the total, as of March.
The government said it would "not tolerate" people defrauding taxpayers.
The Bounce Bank Loan scheme was set up in April 2020 with the aim of keeping afloat small firms struggling due to the coronavirus pandemic.
A total of 1.5 million loans worth £47bn were issued through the initiative, after about a quarter of UK businesses applied.
'My name was used to steal a government Covid loan'
Ministers were warned of Covid loans fraud risk
In its report, the NAO said the government estimated more than a third of loans, worth £17bn, may never be repaid due to both fraudulent activity and legitimate borrowers defaulting.
As of 30 September, figures from the state-owned British Business Bank, which supervises the scheme, showed £2bn worth of loans had been repaid and £1.3bn had been defaulted on. The bank said about 7% of all loans were at least one month in arrears.
But the spending watchdog said predicted losses through both fraud and businesses being unable to pay were "highly uncertain".
Gareth Davies, the head of the NAO, said: "The true level of fraud will become clearer over time."
Mr Davies said the government prioritised loans to small businesses quickly but "failed" to put adequate fraud prevention measures in place.
"It is clear government needs to improve on its identification, quantification and recovery of fraudulent loans within the scheme," he added.
'High risk of fraud'
Banks, building societies and peer-to-peer lenders were accredited by the British Business Bank to provide firms with 100% government-backed finance worth up to £50,000, or a maximum of 25% of annual turnover.
The NAO said the scheme had "limited verification, and no credit checks on borrowers, which made it vulnerable to fraud and losses".
Labour MP Meg Hillier, chair of the public accounts committee, said the figures made for "sobering reading".
"Government has tried to impose some counter fraud measures but it's too little, too late," she added. "It's now focussing on recovering money from organised crime, yet many of the smaller scale fraudsters will have slipped through its fingers."
In May 2020, the British Business Bank warned the government its flagship loan scheme was at "very high risk of fraud" from organised crime.
A BBC investigation also revealed how criminals were setting up fake firms to get loans worth tens of thousands of pounds.
In its report, the NAO said 13 additional counter-fraud measures had been deployed to tackle the issue, but added "most came too late to prevent fraud and were focused instead on detection".
Measures to identify duplicate applications were introduced in June 2020, and checks on director changes were introduced in July 2020.
"The duplicate application check was designed to prevent fraud, but was implemented after 61% of the loans by value had been made. All other counter-fraud activities began in, or after, September 2020," the NAO added.
It said that the National Investigation Service had received more than 2,100 intelligence reports of fraud by October 2021, but it only had the capacity to pursue a maximum of 50 cases per year.
The Department for Business has set a target of recovering at least £6m of fraudulent loans over three years, and so far the agency's work has resulted in 43 arrests and more than £3m in recoveries.
A statement from the Department for Business said it was "continuing to crack down on Covid-19 fraud and will not tolerate those that seek to defraud the British taxpayer".
"We are pleased to see the National Audit Office recognise that our response to serious fraud has been strengthened since the scheme was first introduced," it added.
"The government support schemes have provided a lifeline to millions of businesses across the UK - helping them survive the pandemic and protecting millions of jobs."
The figures on fraud are eye watering - but should come as no real surprise. Why? Well because we warned about exactly this last year.
Working with an undercover investigator we learned that criminal gangs were exploiting the system. They stole the identities of real people, set up fake companies and claimed the maximum £50,000.
Back then, I'll call him "Mike", said the system was wide open to fraud, something confirmed by the NAO today. "Mike" told us the gangs saw Bounce Back Loans as "free money" and that the tax payer stood to "lose billions". Now we know officially it could be as much as £4.9bn.
The government said it had robust anti-fraud measures. A unit I had never heard of, the National Investigation Service would aggressively pursue fraudsters.
So I went on a "job" with NATIS, meeting up with the team outside a police station in the West Midlands, in the snow, before the sun was even up. A knock on the door of a flat on an estate led to a man being taken into custody. It all seemed very efficient.
Now we learn that NATIS received more than 2,000 intelligence reports by October 2021 - but only has the capacity to work on 50 cases per year.
And there is an elephant in the room here. And that's the vast majority of legitimate firms who took out loans in good faith. Who, through no fault of their own now find they can't afford to pay them back.
The NAO says a hundred thousand are already in arrears. One campaigner told me he expected a "tidal wave" of firms going bust and defaulting in the new year.
As he said: "How can you pay back a Bounce Back Loan, when you haven't bounced back?"