ANALYSIS
In the rush to get financial assistance to Americans who were hurt in the economic turmoil created by the COVID-19 pandemic, a number of highly successful and extraordinarily expensive unemployment scams have arisen from the resulting bureaucratic confusion. Caught too late, these scams have resulted in losses that have been measured in the hundreds of millions of dollars.
These kinds of unemployment scams may not be as much in evidence in the news lately, but they are still around and represent an ongoing danger to both employers and employees. “Threat actors continue to exploit overwhelmed governmental agencies and are filing claims for benefits using the personal information of people who have not lost their jobs,” say attorneys Jay Carle and Scott Carlson of the Seyfarth Shaw law firm.
“This fraud is a sharp reminder that sensitive personal information in the wrong hands can result in tremendous harm. Employers should remain vigilant and alert their workforce, promptly challenge fraudulent claims, and check cybersecurity practices and policies to help protect against this and other cyber threats.”
The total number of unemployment claims that have been filed during the coronavirus pandemic is estimated at upwards of nearly 53 million. State agencies that process unemployment insurance claims were already understaffed and dependent on older technology and fraud detection protocols. It didn’t take long for the scammers to uncover and exploit these weaknesses after the state agencies quickly became totally overwhelmed by the crush of applications.
“The resulting delays and chaos in processing so many unemployment claims in such a short time has set the perfect stage for threat actors to take advantage, and the threat has continued into 2021,” explain Carle and Carlson.
Before the pandemic, when an unemployment claim was filed, the state agency usually would send a timely notice to an employer to provide them with an opportunity to protest the claim. In normal circumstances, the employer would then have about 10 days to challenge the claim.
Because of the overwhelming numbers of claims that were filed during the pandemic, unemployment offices found this schedule impossible to meet, taking months rather than days to get the notices out to employers. The end result is that employers have been receiving the protest notices long after the time has expired to protest the claim.
Most employees learn this has happened when they get a notice from the state unemployment benefits office about their supposed application for benefits. “By then, however, the benefits usually have been paid to an account the criminals control,” Carle and Carlson note. “Further, it is not clear given the magnitude of claims and impact on individuals whether in some instances agencies are paying even before they send the protest notice.”
Employers and individuals affected by the scam are then left to find out the source of the Personal Identifying Information (PII) used in the fraud. For this unemployment scam to work, it usually requires possession of at least four critical pieces of information obtained from the employee—name, employer, Social Security number, and date of birth.
A number of the state agencies responsible for maintaining this information have begun requiring additional forms of information such as driver license numbers. However, that has simply given attackers a reason to seek out driver license numbers, too, the attorneys point out. The scammers also appear to be making a point of targeting highly compensated individuals in order to maximize the payouts.
Not a Targeted Hack
Because this fraud is a pandemic-specific threat that is designed to take advantage of overwhelmed state agencies and has hit employers across the country, Carle and Carlson believe it is more likely that the threat actors obtained the PII of employees on the Dark Web, rather than as a result of phishing and other cyber-attacks directed specifically at individual employers.
Not exactly a comforting thought, either, but it appears to be more likely that the PII was exposed sometime in the past as a result of ID theft or as a result of one of the high-profile breaches of retailers and other corporations that gathered the personal information of millions of people. “However, employers should not completely rule out the possibility of a past or recent breach if they have been impacted by a significant number of fraudulent claims,” the attorneys warn.
Carle and Carlson urge employers to remain vigilant about this scam. They outline several steps that can help an employer respond quickly to any phony claims and help employees whose personal information has been misused.
Inform your employees. Educate employees about the scam and ask them to report potentially fraudulent benefits claims. Similarly, direct your human resources team to flag any notice they get from the state about a claim supposedly filed by a current employee and immediately notify the employee about any suspicious claim that your business receives.
Report the fraud. If your company and employees have become victims, report the fraud to the state agency. Check your state unemployment benefits agency’s website for reporting instructions.
Enhance and communicate cybersecurity practices. This fraud serves as a reminder that when sensitive personal information is compromised it can result in tremendous harm. The risks of potential missteps leading to a breach are amplified by so many employees now working from home. Remind employees of your company’s cybersecurity policies and practices and provide tips to help your employees maintain personal security when working from home.
Carle and Carlson also advise individual employees who find themselves the victims of fraudulent unemployment claims to take the following steps as quickly as possible to help protect against identity theft and potential benefit repayment liabilities:
• Report the fraudulent claim to the following: your local HR department, your state’s unemployment benefits agency, the FBI via their Internet Crime Complaint Center (IC3), and your financial institutions (bank, credit card companies, retirement and trading accounts, etc.).
• Contact the three major credit bureaus to place a fraud alert on your account: Equifax, Experian and TransUnion.
• Follow the Federal Trade Commission’s guidance for reporting Identity Theft at https://identitytheft.gov/.
• Consider submitting IRS Form 14039: “Identity Theft Affidavit.”