With $26 billion at risk, we provide recommendations for government agencies, fraud teams, employers & individuals on how to stop the bleed.
As quickly as the onslaught of Americans’ unemployment claims hit state governments, the domino effect of outdated systems and the need for process improvements became abundantly clear. As if COVID-19 and U.S. joblessness weren’t enough to tackle, the chaos and urgency created the perfect opportunity for criminals to devise targeted fraud strikes on both state government agencies and individuals who had just been laid off – a scheme that’s putting $26 billion in unemployment benefits at risk.
What is fueling growth in unemployment fraud right now?
A lack of anti-fraud measures, bypassed processes that had been in place to help verify benefit claims, and data inaccuracies, combined with the rampant availability of cheap, stolen account credentials and personally identifiable information (PII) on dark web markets, have led to an unprecedented increase in unemployment fraud.
The problem stems from criminals impersonating unemployed workers by using stolen credentials and PII and diverting the funds from benefit claims into their own pockets. PII, which can help answer security questions during the claims verification process, can be extracted from stolen pay slips, W-2 forms and credit reports.
Labor Department Inspector General Scott Dahl told the House Subcommittee on Government Operations in a recent briefing that even in the best of times, about 10% of unemployment insurance payments can be attributed to fraud. However, with the new strains on unemployment, he said losses could rise to $26 billion, with the bulk of it due to fraud.
It’s not just domestic criminals who are taking advantage of the system. The Secret Service identified a Nigerian fraud ring targeting at least 11 states including North Carolina, Massachusetts, Rhode Island, Oklahoma, Wyoming, Florida and Washington. Reportedly, although Washington state was the hardest hit by the fraud ring, it was able to recover $333 million from the $650 million in stolen unemployment payments.
The average weekly unemployment benefit of $371.88 coupled with the CARES Act’s $600 stimulus has presented an attractive target for criminals. Below are some states’ reported percentages of fraudulent claims between March and July of 2020.
Total claims submitted and those recorded as fraudulent and suspect from March to July 2020.
In response to increased fraud, Michigan, Pennsylvania and Maine halted unemployment payments to remediate fraudulent claims, leaving legitimate jobless claimants without their payments. While the delays were to take only days, in some cases they have taken weeks.
Prepaid cards also have been targeted by fraud rings to cash in on unemployment claims and stimulus payments. Once again, by leveraging stolen credentials to open new unemployment claims or take over existing accounts where the account holder reuses a compromised password, fraudsters are able to receive funds and drain the prepaid cards.
What can be done to limit unemployment fraud?
Recommendations for government agencies:
Report after report indicates that fraudulent state unemployment claims stem from stolen identities related to data breaches and leaks. A practical method to proactively mitigate fraud risk is monitoring new benefit claims against breached data services that identify compromised passwords and PII. Claims that seem suspicious can be flagged for further manual verification.
Recommendations for fraud analysts and investigators:
Although we are living under extraordinary circumstances, premature go-live updates and platform releases have left unemployment programs with undetected vulnerabilities. Analysts and investigators employed or contracted by states, who face the daunting task of sifting through unemployment claims for abnormalities and high-risk indicators, can take the following steps to identify criminal activities and reduce fraud:
- If updates have been made to the unemployment claims platform, gain a complete understanding of changes by thoroughly reviewing communications and participating in training offered by the teams responsible.
- Maintain processes that have proved successful in preventing fraud.
- Ensure there is a method to monitor user activities, such as user origin, logins, account creations, account modifications and fraud claim filings.
- Tie disparate data sources together, comparing and verifying new accounts against existing accounts to detect anomalies.
- Watch for uncommon claims, such as those filed from out of state.
- Verify claimants’ contact information to stop criminals from:
  - Creating new or temporary email addresses.
  - Using burner phones.
  - Making slight variations in house numbers or completely changing the claimant’s physical address.
- Encourage knowledge-sharing between states by making trend analyses and fraud reports available to your fellow fraud analysts and investigators.
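The contact-information and out-of-state checks from the list above, as an added example that is not code from the original article or from any state system: a new claim is compared with the contact details already on file and every mismatch becomes a reason for manual verification. The `Contact` fields, the placeholder email domains and the sample records are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass

TEMP_EMAIL_DOMAINS = {"tempmail.example", "burner.example"}  # assumption: placeholder list

@dataclass
class Contact:
    claimant_id: str
    filed_from_state: str   # hypothetical field: where the filing originated
    address: str
    email: str
    phone: str

def split_address(addr):
    """Return (house_number, rest_of_address), lowercased, punctuation stripped."""
    cleaned = re.sub(r"\s+", " ", re.sub(r"[^\w\s]", " ", addr.lower())).strip()
    m = re.match(r"(\d+)\s+(.*)", cleaned)
    return (m.group(1), m.group(2)) if m else ("", cleaned)

def digits(phone):
    return re.sub(r"\D", "", phone)[-10:]  # last 10 digits; ignores formatting

def screen_claim(claim, on_file, program_state):
    """Return the list of reasons a claim should go to manual verification."""
    flags = []
    if claim.filed_from_state != program_state:
        flags.append("out_of_state")
    if claim.email.rsplit("@", 1)[-1].lower() in TEMP_EMAIL_DOMAINS:
        flags.append("temporary_email")
    if on_file is None:
        return flags + ["no_existing_record"]
    new_num, new_rest = split_address(claim.address)
    old_num, old_rest = split_address(on_file.address)
    if new_rest == old_rest and new_num != old_num:
        flags.append("house_number_variation")   # same street, different number
    elif new_rest != old_rest:
        flags.append("address_changed")
    if digits(claim.phone) != digits(on_file.phone):
        flags.append("phone_changed")
    return flags

# Constructed sample records (not real data).
ON_FILE = {"C-1001": Contact("C-1001", "WA", "1420 Pine St., Seattle WA", "pat@employer.example", "(206) 555-0142")}
CLAIMS = [
    Contact("C-1001", "WA", "1420 Pine St Seattle, WA", "pat@employer.example", "206-555-0142"),
    Contact("C-1001", "FL", "1426 Pine St., Seattle WA", "pat77@tempmail.example", "305-555-0199"),
]

for c in CLAIMS:
    print(c.filed_from_state, screen_claim(c, ON_FILE.get(c.claimant_id), "WA") or "clean")
```

Normalizing punctuation and phone formatting before comparing keeps a legitimate claimant who types an address slightly differently from being flagged, while a changed house number on the same street still is.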
Recommendations for employers:
Public and private-sector organizations must continuously monitor and remediate their employees’ exposed credentials. Fraud, whether payments-related or simply theft of data, is a concern for all organizations, and it’s important to remember that the human attack surface extends past their own employees to those in the supply chain. Security teams who take responsibility for educating their employees — as well as their partners and vendors — on the dangers of password reuse, the importance of complex, unique passwords for all accounts (personal and corporate) and the necessity of multi-factor authentication are performing a public service.
Recommendations for individuals:
If your state sends you a prepaid debit card or paperwork for unemployment benefits when you never filed for them, it is a sign you are a victim of identity theft. You can be sure that someone else has filed an unemployment claim using your stolen PII. If this happens, report the fraud to your state immediately. Continue to follow up until you are sure it has been handled and get the resolution in writing. If you haven’t filed and may need to in the future, a fraudulent filing will prevent you from receiving unemployment benefits to which you are entitled. One final precaution you can take here is freezing your credit to avoid new unauthorized account openings.
Watch out for email phishing or phone scams offering assistance with filing your unemployment claims. The only legitimate way to file for unemployment benefits is directly with your state. Don’t fall victim to emails or texts from unknown senders that prompt you to click on links. They may be leading you to spoofed sites with fraudulent forms intended to capture your sensitive PII or to download malware onto your devices.
Sign up for free breach exposure monitoring to detect when your credentials have been found in a breach. You will receive an alert in your inbox so you can take immediate action.
Finally, make it more difficult for criminals to gain access to your accounts by using a password manager. This will help remove the temptation to reuse your favorite passwords or variations of them.
Ultimately, enhancing verification processes and efficiencies, combined with individuals and employers taking responsibility for PII protection, will limit the financial waste due to fraud and the payment delays to the Americans most in need.