What’s one sign a fraudulent scheme has hit it big in the year 2020? When it’s featured in a rap music video, of course.
The increasing prevalence of fraud in the unemployment insurance system made news this October when the rapper Nuke Bizzle (aka Fontrell Antonio Baines) was charged with fraudulently applying for over $1.2 million in jobless benefits. In his popular music video, titled “EDD” (an apparent reference to California’s Employment Development Department (EDD)), Baines described getting “rich off EDD”. If true, recent data suggests he is not alone.
As early as May, just two months after COVID-19 was declared a pandemic, the United States Secret Service issued an alert regarding “massive fraud against state unemployment insurance programs.” At the time, Washington State was the primary target. Since then, unemployment fraud has increased to the point that the U.S. Department of Labor (DOL) has committed $100 million in funding to support States as they attempt to combat and recover improper payments. The Federal Trade Commission (FTC) estimates that the risk of theft could top $26 billion.
“Because That’s Where the Money Is.”
Infamous bank robber Willie Sutton once explained his motive for robbing banks: “Because that’s where the money is.” Today, the money is in unemployment programs. In response to the pandemic, Congress enacted the $2.2 trillion Coronavirus Aid, Relief, and Economic Security (CARES) Act of 2020. The CARES Act provided emergency relief, including the Pandemic Unemployment Assistance program and a temporary supplement of $600 for those left jobless by the pandemic.
The $250 billion earmarked for unemployment insurance has proven irresistible to modern-day would-be robbers. Unprecedented spikes in unemployment applications have overloaded State unemployment agencies. That, coupled with the pressure on State agencies to quickly process claims, has created unprecedented opportunity for fraud. The most prevalent form of unemployment insurance fraud occurs when identity thieves file false claims for unemployment benefits using victims’ stolen personal identifying information (PII). The victims are left to deal with the fallout of the theft and misuse of their identities.
There has been a stunning increase in cyber attacks since the pandemic hit. Phishing attacks have increased 600% since February and ransomware attacks rose 148% in March. These attacks and breaches often include the theft of sensitive PII that is subsequently monetized in various ways, including to commit unemployment insurance fraud.
In a brazen move, threat actors are using the dark web and hacker forums to name vulnerable state agencies they view as “soft” targets. In mid-May, Washington State officials shut down their unemployment system for two days in an attempt to block the uncontrolled flow of fraudulent payments. As of October, Washington State estimates that up to $650 million has been stolen, of which only $330 million has, to date, been recovered. In July, Massachusetts announced that it had recovered over $158 million in fraudulent claims. Between March and August, the New York State Department of Labor referred more unemployment fraud cases to federal prosecutors than it has throughout the entirety of the last decade.
Often the people whose identities have been stolen first become aware of the identity theft either when they: (1) receive correspondence from their State unemployment agency, (2) are notified by their employer that a claim has been filed in their name, or (3) attempt to file for unemployment benefits and find someone else has already filed for the benefits using their identity. Recently, Aon’s Cyber Solutions has seen an uptick in clusters of fraudulent unemployment insurance claims within a single organization. While PII can be stolen in many ways and from varied sources, finding clusters within an organization may point to a data breach or other cyber event that has potentially exposed employees’ personal information.
In addition to the $100 million pledged to States, in response to the surge in identity theft and fraudulent unemployment insurance filings, the DOL, through its Unemployment Insurance Integrity Center, provides resources to help States adopt effective fraud prevention and detection strategies. These strategies include utilizing various identity verification resources through the Integrity Data Hub and employing data mining and analytics tools to detect fraudulent claims. However, the response to unemployment insurance fraud must not end with governmental agencies; there are proactive and reactive actions businesses and individuals can take to help prevent or mitigate the impact of identity theft and unemployment fraud.
When bad actors strike, the employee may feel hit hardest, but pressure also rests with the employer to respond appropriately. Discovery that multiple employees have been victimized, as is often the case, should prompt organizations to assess the root cause of the fraud on a programmatic level, rather than on an individual case-by-case basis. Organizations need to assess whether they were the source of the leak or theft of information and to what extent employee records may have been compromised.
There are steps that organizations can take to help protect themselves and their employees, including:
- Perform a threat hunt/compromise assessment. Discover active breaches and intrusions within a network by seeking out indicators of compromise and other cyber threats that are undetected on a network, reviewing forensic artifacts from the environment for behavioral patterns that may be indicative of a prior or current compromise, and performing a targeted or scenario-based threat hunt focused on portions of the environment where sensitive data that may be leveraged to conduct fraudulent unemployment claims is stored or handled. One example is a targeted threat hunt of an email environment like Microsoft O365 that looks for signs of unauthorized access.
- Protect sensitive employee data with appropriate cyber security controls, access controls, network segmentation, and encryption. Raise awareness and provide training to employees with access to this sensitive data (including, for example, W-2, W-4, and I-9 information) regarding its sensitivity, the need to protect it, and common phishing and social engineering tactics used by criminals to gain access to it.
- Perform a cyber security risk assessment. One of the first steps to managing the risk is assessing it. Conduct an assessment today to identify where the organization may be most vulnerable and develop recommendations to bolster security and mitigate enterprise risk, especially related to sensitive employee data.
- Conduct an identity theft and unemployment insurance awareness campaign. Conduct an awareness campaign to alert your workforce about the current unemployment insurance scams and the steps they can take to mitigate this growing risk, and to better position the organization and its people against becoming victims.
- Report suspected fraud to the State unemployment benefits agency. Working with third-party industry-leading advisors with regulatory, investigative and law enforcement experience, report all instances of known or potential fraud to the relevant agency or authorities as early as practicably possible.
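The targeted email hunt mentioned in the first recommendation can be illustrated with a short script; this is an added example, not code from the original article or its authors. It assumes audit records exported as JSON lines using Microsoft 365 unified audit log field names (`CreationTime`, `Operation`, `UserId`, `ClientIP`, `Parameters`); the mailbox names, domain, baseline date and sample records are all constructed for illustration.

```python
import json

# Assumptions for this sketch: which mailboxes handle W-2/W-4/I-9 data, the
# organization's mail domain, and where the "known good" baseline period ends.
SENSITIVE_MAILBOXES = {"payroll@example.com", "hr@example.com"}
INTERNAL_DOMAIN = "example.com"
BASELINE_END = "2020-09-15T00:00:00"  # ISO-8601 strings sort chronologically
FORWARD_PARAMS = {"ForwardTo", "RedirectTo", "ForwardAsAttachmentTo"}

# Constructed sample records, one JSON object per line.
SAMPLE_LOG = """\
{"CreationTime":"2020-09-01T08:02:11","Operation":"UserLoggedIn","UserId":"payroll@example.com","ClientIP":"198.51.100.10"}
{"CreationTime":"2020-09-08T08:05:40","Operation":"UserLoggedIn","UserId":"payroll@example.com","ClientIP":"198.51.100.10"}
{"CreationTime":"2020-09-20T02:14:03","Operation":"UserLoggedIn","UserId":"payroll@example.com","ClientIP":"203.0.113.77"}
{"CreationTime":"2020-09-20T02:16:45","Operation":"New-InboxRule","UserId":"payroll@example.com","ClientIP":"203.0.113.77","Parameters":[{"Name":"ForwardTo","Value":"drop@mail.example.net"}]}
{"CreationTime":"2020-09-21T09:00:00","Operation":"UserLoggedIn","UserId":"sales@example.com","ClientIP":"203.0.113.5"}
{"CreationTime":"2020-09-22T08:01:00","Operation":"New-InboxRule","UserId":"hr@example.com","ClientIP":"198.51.100.12","Parameters":[{"Name":"MoveToFolder","Value":"Archive"}]}
"""

def hunt(log_text):
    """Return (time, mailbox, finding, detail) tuples for sensitive mailboxes."""
    records = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    known_ips, findings = {}, []
    for rec in sorted(records, key=lambda r: r["CreationTime"]):
        user = rec["UserId"].lower()
        if user not in SENSITIVE_MAILBOXES:
            continue  # keep the hunt scoped to where the PII lives
        when, op = rec["CreationTime"], rec["Operation"]
        if op == "UserLoggedIn":
            seen = known_ips.setdefault(user, set())
            # After the baseline, a first-seen source address is a lead.
            if when >= BASELINE_END and rec["ClientIP"] not in seen:
                findings.append((when, user, "new_ip", rec["ClientIP"]))
            seen.add(rec["ClientIP"])
        elif op in ("New-InboxRule", "Set-InboxRule"):
            # Rules that copy mail outside the organization expose its contents.
            for p in rec.get("Parameters", []):
                target = p["Value"].lower()
                if p["Name"] in FORWARD_PARAMS and not target.endswith("@" + INTERNAL_DOMAIN):
                    findings.append((when, user, "external_forward", p["Value"]))
    return findings

if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(*finding, sep="  ")
```

Each finding is a lead for an analyst to confirm or dismiss, not proof of compromise; a first-seen address may simply be an employee travelling or working from home.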
We would be remiss not to mention the true victim here: the employee. Should your organization discover its employees have fallen victim to fraudulent unemployment claims or identity theft, consider offering the following guidance to those affected:
1. Report the fraud to your state unemployment office.
2. Report the identity theft to local law enforcement and obtain a police report.
3. Report the fraud to the FTC (IdentityTheft.gov) and the FBI (IC3.gov).
4. Place a fraud alert on your credit by contacting one of the three credit bureaus (TransUnion, Equifax, Experian). A fraud alert will flag your account so that creditors must verify your identity before extending credit.
5. Consider placing a credit freeze by contacting all three credit bureaus. A credit freeze will lock access to your credit report. Nobody, including yourself, will have access to your credit history until you unlock the freeze.
6. Review your credit report annually to verify accounts, addresses, etc.
7. Change passwords on all accounts and use multi-factor authentication when available.
8. Contact any financial institution where you have an account such as banks and brokerage houses and let them know that you are an identity theft victim, including by providing them a copy of a police report of the incident, if available. Follow the security advice they give you.
Identity theft has found a new gold mine in unemployment insurance fraud. Even as State agencies battle to thwart the thieves, companies and individuals can and should take steps to help protect themselves through proactive prevention and detection measures. A swift response to suspected fraud can be key to mitigating the impact of identity theft and unemployment insurance fraud. We are in a time of unprecedented fraud in unemployment insurance, and these actions will go a long way toward protecting organizations, their employees and the integrity of the unemployment insurance system.
By Rumbi Petrozzello and Vincent Minecci
Aon’s Cyber Solutions, Investigations and Forensic Accounting Practice