Unearned unemployment: Who is collecting money meant for Americans in need?

As quickly as the onslaught of American’s unemployment claims hit state governments, the domino effect of outdated systems and the need for process improvements became abundantly clear. As if COVID-19 and U.S. joblessness weren’t enough to tackle, the chaos and urgency created the perfect opportunity for criminals to devise targeted fraud strikes on both state government agencies and individuals who had just been laid off – a scheme that’s putting $26 billion in unemployment benefits at risk.

What is fueling growth in unemployment fraud right now?

A lack of anti-fraud measures, bypassed processes that had been in place to help verify benefit claims  and data inaccuracies -- all combined with the rampant availability of cheap, stolen account credentials and personally identifiable information on dark web markets -- has led to an unprecedented increase in unemployment fraud.

The problem stems from criminals impersonating unemployed workers by using stolen credentials and PII and diverting the funds from benefit claims into their own pockets. PII, which can help answer security questions during the claims verification process, can be extracted from stolen pay slips, W-2 forms and credit reports.

Labor Department Inspector General Scott Dahl told the House Subcommittee on Government Operations in a recent briefing that even in the best of times, about 10% of unemployment insurance payments can be attributed to fraud. However, with the new strains on unemployment, he said losses could rise to $26 billion, with the bulk of it due to fraud.

It’s not just domestic criminals who are taking advantage of the system. The Secret Service identified a Nigerian Fraud Ring targeting at least 11 states including North Carolina, Massachusetts, Rhode Island, Oklahoma, Wyoming, Florida and Washington. Reportedly, although Washington state was the hardest hit by the fraud ring, it was able to recover $333 million from the $650 million in stolen unemployment payments.

The average weekly unemployment benefit of $371.88 coupled with the CARE Act’s $600 stimulus has presented an attractive target for criminals. Below are some states’ reported percentages of fraudulent claims between April and July of 2020.

Total claims submitted and those recorded as fraudulent and suspect from March to July 2020.

Source: SpyCloud

In response to increased fraud, Michigan, Pennsylvania and Maine halted unemployment payments to remediate fraudulent claims, leaving legitimate jobless claimants without their payments. While the delays were to take only days, in some cases they have taken weeks.

Prepaid cards also have been targeted by fraud rings to cash in on unemployment claims and stimulus payments. Once again, by leveraging stolen credentials to open new unemployment claims or take over existing accounts where the account holder reuses a compromised password, fraudsters are able to receive funds and drain the prepaid cards.

What can be done to limit unemployment fraud?

Recommendations for government agencies: Report after report indicate that fraudulent state unemployment claims stem from stolen identities related to data breaches and leaks. A practical method to proactively mitigate fraud risk is monitoring new benefit claims against breached data services that identify compromised passwords and PII. Claims that seem suspicious can be flagged for further manual verification.

Recommendations for fraud analysts and IT teams: Although we are living under extraordinary circumstances, premature go-live updates and platform releases have left unemployment programs with undetected vulnerabilities discovered by the public or, worse yet, by criminals. Analyst and investigators employed or contracted by states facing the daunting task of sifting through unemployment claims for abnormalities and high-risk indicators, have some steps they can take to here to identify criminal activities and reduce fraud:

1. If updates have been made to the unemployment claims platform, gain a complete understanding of changes by thoroughly reviewing communications and participating in training offered by the teams responsible.
2. Maintain processes that have proved successful in preventing fraud.
3. Ensure there is a method to monitor user activities, such as user origin, logins, account creations, account modifications and fraud claim filings.
4. Tie disparate data sources together, comparing and verifying new accounts against existing accounts to detect anomalies.
5. Watch for uncommon claims, such as those filed from out of state.
6. Verify claimants’ contact information to stop criminals from:

• Creating new or temporary email addresses.
• Using burner phones.
• Making slight variations in house numbers or completely changing the claimant’s physical address.

Recommendations for employers: Public- and private-sector organizations must continuously monitor and remediate their employees’ exposed credentials. Fraud, whether payments-related or simply theft of data, is a concern for all organizations, and it’s important to remember that the human attack surface extends past their own employees to those in the supply chain. Security teams who take responsibility for educating their employees -- as well as their partners and vendors -- on the dangers of password reuse, the importance of complex, unique passwords for all accounts (personal and corporate) and the necessity of multi-factor authentication are performing a public service.

Ultimately, the importance of enhancing verification processes and efficiencies, combined with individuals and employers taking responsibility for PII protection, will limit the financial waste due to fraud and payment delays to the Americans in the most need.