Over the past three months since COVID-19 spread across the country, we’ve seen the biggest spike in unemployment in U.S. history. Following state-initiated orders to shelter in place and shutter non-essential businesses, unemployment claims surged with more than 44 million Americans filing for benefits.
And, not surprisingly, cyber criminals saw this as a goldmine of opportunity.
In recent weeks, the U.S. Secret Service warned of an international crime ring committing large-scale fraudulent claims against several state unemployment agencies. Losses are staggering. Washington state is already reporting potential losses of $1 billion, and, collectively, the U.S. Department of Labor estimates at least $26 billion will be pocketed by fraudsters instead of going to legitimate, unemployed citizens.
As states scramble to avoid future losses, many are halting payments. Michigan ceased payments for 340,000 claims, roughly 20 percent of its total, and Pennsylvania stopped 58,000 claims for its Pandemic Unemployment Assistance. Unfortunately, it appears that nearly every state unemployment department is vulnerable to this problem.
This is a classic third-party fraud problem where criminals employ common identity theft techniques to trick unemployment agencies into processing legitimate-looking claims. Government should take a cue from the financial services industry, who has contended with this type of cybercrime for decades. The majority of financial institutions have deployed day zero identity verification tools to mitigate their risk.
How does the fraud occur? In three steps…
Organized fraud rings like Nigerian-based Scattered Canary have cheap access to technology and data necessary to pull off digital heists. They purchase breached data off the dark web—including passwords, email addresses, social security and credit card numbers—for mere dollars per identity. They also take over established email addresses through business email compromise (BEC) schemes. Once they’ve gathered all the necessary data assets to build a convincing application, they apply for unemployment insurance using the stolen identities and route the payments through money mules who are recruited through romance scams and work-from-home schemes.
Stopping unemployment fraud with day zero identity verification
State unemployment agencies should implement industry-tested tools for day zero identity verification. As consumers in the modern age, we leave a natural digital exhaust trail in our everyday lives. When agencies process a new unemployment claim for a legitimate citizen, that digital exhaust trail can be scrutinized with algorithms and checked against mobile carrier history, utilities, social media, trade lines and other public and proprietary databases. Cutting edge techniques in machine learning and artificial intelligence make it possible to build an incredibly rich identity graph and ensure the person behind the keyboard is who they say they are.
The ideal identity verification tool should also incorporate consortium data into its framework. A consortium database is a collection of known outcomes and associated data collected from industry. Scattered Canary and other fraudsters are using personally identifiable information (PII) obtained from data breaches, which was likely used in previous attacks against the financial services industry. Socure leverages intelligence from consortium data, allowing it to apply the results from four hundred million historical known-outcomes to indicate if a collection of PII is linked to a previous fraud attack.
There are also ways to flag money mules, who are typically US residents that have been recruited to launder money through legitimate-looking accounts and then route those funds to illicit accounts overseas. Several financial infrastructure platforms, like Plaid and Yodlee, will verify bank account ownership records to determine if the claimant actually owns the account. If the name on the bank account doesn’t match the name of the claimant, that’s a red flag.
Many of the victims of fraudulent unemployment claims are currently working and have no idea that a claim has been filed in their name. A number of identity theft protection services will report in real-time if a user’s identity has been used to open an account. In the age of digital transactions, the mail is too slow. Unemployment agencies need to integrate with ID theft protection firms to quickly notify potential victims if their information has been used to file an unemployment claim. Prompt reporting can quickly stop the processing of fraudulent claims.
Scattered Canary is only the latest chapter in an increasingly sophisticated ecosystem of fraudulent actors around the globe. It won’t be the last. The financial services industry has been fighting this scourge for decades and made the investment in digital identity technology to mitigate risk.
Now the government sector can learn from the financial services industry’s experience. If it’s possible to print a trillion dollars overnight, then governments also must invest in identity verification tools to ensure this money isn’t lost to fraud. Investing in identity verification is the smart solution to manage this financial crisis—and avoid another crisis moving forward.
To learn more about how Socure can prevent unemployment fraud, visit:https://www.socure.com/products