States must take action to protect against unemployment fraud

Every April, tax season in the United States is accompanied by a flood of fraudulent income return requests, filed by cyber criminals who have access to legitimate personally identifiable information. While fraudulent filings to obtain unwarranted payments is nothing new, cyber actors are using the COVID-19 pandemic to evolve their methodologies and advance the same purpose — stealing money from the unsuspecting.

Cyber criminals are opportunistic, and when the status quo changes, they quickly discover how to leverage it to their benefit. These malicious actors are not limiting their attacks to tax returns and have now found a way to capitalize on the shifted landscape as a result of COVID-19.  

In mid-May, the U.S. Secret Service issued an alert regarding large-scale fraud against multiple state unemployment insurance programs, operated by a Nigerian criminal organization. The organized crime ring is capitalizing on the surge in lost jobs due to COVID-19 and is filing unemployment claims in order to receive payouts. U.S. officials stated the amount stolen is already in the millions.

These scams are happening daily and don’t require sophisticated techniques. Cyber actors are leveraging existing databases of stolen personally identifiable information from past breaches and using this data, like Social Security numbers, to submit what appear to be legitimate claims. State-level departments responsible for receiving these claims and processing payments are unaware that they are being submitted by criminals. Once the cyber actors receive the funds, it is virtually impossible for states to recoup the money.

This type of scam is preventable, but it requires states and individuals to implement additional security controls.

Action needed now

In certain states, only basic information is needed in order to file a claim, and there are no verification protocols in place, enabling fraudulent submissions to progress. States can combat this by requiring all claims be confirmed via a phone call or a secure link.

Further, states should proactively identify residents who might be at risk and take proactive measures to ensure they are protected. For instance, states can proactively check for fraud during the submission process. Alerts can be created to search for a variety of fraud indicators and from there, additional scrutiny of those submissions can be applied.

However, individuals should not rely solely on states for protection. Instead, they should familiarize themselves with their digital footprint and their unique cyber risks. If they received notification that their data was compromised in a previous breach, then they are potentially at risk of falling victim to this new cyber attack.

An unemployment scam can have damaging consequences, which go beyond not receiving monetary assistance. Individuals can protect themselves by following these steps:

• Lean on government resources. The U.S. Department of Labor published guidance on unemployment claims as part of their coronavirus resources page.
• Monitor credit reports. There are websites that provide free credit score reports and should be reviewed for fraudulent and suspicious activity.
• Keep a low profile. Be cognizant of what information is shared publicly, and if there is anything that could be used to verify an identity or used in an unemployment claim, remove it immediately. Relatedly, best practices regarding securing mobile devices can be found here.
• Report identity theft. Individuals who believe they are the victim of an unemployment claim scam should report this via the FTC’s identity theft website.

Cyber actors are exploiting what for them is a perfect storm: an uncertain situation, access to a large database of personally identifiable information, states without proper controls implemented, and a desire to process payments quickly to those in need. All together it makes stealing millions of dollars a relative breeze.

Conversely, combatting this unoriginal scam can be accomplished by taking proactive steps that are relatively simple to put into action, both by states and individuals.

Anthony J. Ferrante is the Global Head of Cybersecurity at FTI Consulting, and previously served as Director for Cyber Incident Response at the U.S. National Security Council at the White House.