Thousands of workers across New York are finding something in their mailboxes that is freaking them out — a letter from the state that says they qualify for unemployment insurance. Sometimes, it comes with a debit card full of money.
But the people have jobs. They haven’t applied for unemployment.
It’s fraud. And it’s rampant across New York and other states that suddenly started taking in millions of unemployment claims on outdated computer systems during the coronavirus pandemic.
The Syracuse City School District said last summer that phony claims had been filed on behalf of more than 150 employees who were still working.
Onondaga County’s human resources department has handled about 100 complaints. Syracuse City Hall has dealt with about 50 stolen identities.
The same has happened in utility companies, private businesses and college campuses.
Syracuse University saw an increase in fraudulent claims in February. The university has hired an identity protection service for employees that comes with dark web monitoring and $1 million of identity theft insurance.
Sophisticated organized crime outfits in places like Nigeria, Russia and China — and more amateur operations in the U.S. — have seized the Covid recession as an opportunity.
They’ve taken information seized in data breaches to exploit inadequate state computer systems and overwhelmed agencies to steal billions of dollars and alarm Americans.
Leslie Carbo, director of cybersecurity programs at Utica College, is getting calls from friends who want to know what’s going on.
Carbo tells them to call the state labor department and to freeze their credit.
Whatever you do, she said, do not respond to an email from someone who says you need to pay the money back immediately or you’ll be arrested. That’s someone trying to get your bank account routing number.
“I’ve seen and read so much about this kind of stuff that, hey, it’s my job to make other people paranoid, too,” she said. “I want them to understand. All of our information is out there.”
Like other states, New York state suddenly started processing hundreds of thousands of new claims last March with no time to boost its security systems.
Criminals went state by state, armed with millions of identities stolen from previous data breaches. It only takes a few pieces of information to successfully apply for unemployment insurance.
New York state officials say they have caught 521,000 fraudulent claims, avoiding $6.4 billion in losses.
That is often with the help of victims and human resources offices. The department won’t say how much money got away.
By the federal government’s own estimate, about 10% — or $36 billion of the $360 billion in the CARES Act could be paid improperly, according to a report to Congress.
Experts estimate state unemployment systems across the country have lost more than $100 billion in one year. Some put the number closer to $200 billion.
“The numbers are staggering,” said Haywood Talcove, CEO of LexisNexis Risk Solutions. “It’s bigger than Enron.”
And it’s only going to get bigger, he said, until states catch up.
How it’s caught
Victims and employers can easily catch many of these fraudulent claims.
That’s because, in some cases, paperwork and even debit cards are mailed directly to the victim or the employer. Someone who is still employed gets a surprise debit card or a letter from the state that estimates the amount they can claim. Sometimes, victims get tax forms in the mail, saying they owe income taxes on unemployment benefits.
Criminals target people with jobs because they don’t already have claims in the unemployment system.
Those cases are reported to the labor department and are often stopped before money is lost.
Those kinds of easy catches can be attributed to mistakes made by criminals who are filing so many millions of fraudulent cases, they sometimes forget to reroute the mail.
Fraudsters recently impersonated Ohio Gov. Mike DeWine, First Lady Fran DeWine and Lt. Gov. Jon Husted.
Erie County District Attorney John Flynn got scammed earlier this month.
“If someone tried to use my name, everybody’s at risk,” he told The Buffalo News.
When the criminals strike out, they simply move on to another name.
“Fraudsters, by definition, are lazy,” said Armen Najarian, chief marketing officer at RSA Fraud and Risk Intelligence. “They’re going after volume. … It’s as many as they can, as fast as they can.”
Here’s how it works when it works
Organized criminal operations, mostly overseas, buy datasets on the dark web that contain millions of Americans’ names, addresses, dates of birth and Social Security numbers. These lists have been stolen in previous data breaches at big retailers, banks and health insurance companies. They can be purchased with Bitcoin.
“There’s a whole underground economy for identity assembly,” Najarian said.
Next, criminals can buy a step-by-step playbook that explains how to file a fraudulent claim in each state. Najarian’s firm has a collection of them.
Fraudsters file a claim in the name of a real person at their real address. Then, they quickly change the address.
Most states give clients a choice to direct deposit the money in a bank account or put it on a debit card. If they choose a bank account, fraudsters bounce the money to various accounts until they have access.
If they choose a debit card, there is another economy of “mules” who help launder cards to cash and move it offshore. The U.S. Postal Service has a public service message advising “Don’t be a mule.”
There have been few prosecutions of overseas criminals associated with unemployment fraud.
But the federal government has gone after suspected mules in this country. In the last two months of 2020, the feds took action against 2,300 money mules, compared to 600 the year before.
There have also been arrests that involved homegrown American schemes to defraud the unemployment system.
Two California men have been accused of creating fake companies to file 72 unemployment claims, paying out $609,000. They used real names, dates of birth and Social Security numbers and had debit cards sent to addresses they controlled.
In January, three people in Michigan were accused of filing dozens of claims in several states. Two of them used their own names, or versions of their own names, with other people’s Social Security numbers. The third person had debit cards mailed to various addresses and spent the day repeatedly withdrawing high dollar amounts from ATMs.
People have also been busted after filing claims in the names of inmates in Pennsylvania and West Virginia.
The federal government charged Elvin German, of the Bronx, this month in a scheme that involved the loss of more than $1.4 million from the New York labor department. He is accused of using the identities of more than 250 victims to file false claims.
He gave himself away by using the same IP address and the same security question and answer — the name of the family dog, Benji, investigators said.
When they searched his home, investigators found a computer loaded to the unemployment benefits page with the identifying information of four victims open in another computer file, authorities said. They also found a dog wearing a collar inscribed with the name “Benji.”
Corbo, in Utica, said she has heard of a more aggressive scheme:
Fraudsters apply for unemployment benefits and the debit card is sent to the person they impostered. Then, the fraudsters call, posing as the state or federal government, and demand that the victim pay the money back. These victims know they’ve done something wrong and they may be eager to get out of trouble. The victims are asked to go online and fill out a fraudulent form, signing away their savings.
“People are typing in their Social Security numbers, bank account numbers and verifying to the criminal. Then, the criminal goes and removes the money,” Corbo said.
States were not prepared
Why were the states so vulnerable to attack?
Unemployment programs have historically had some of the highest improper payment rates of all federal government programs, the U.S. Department of Labor Inspector General Office reported to Congress last fall.
One of the federal government’s new pandemic programs was especially vulnerable, they said.
For the first time, the federal government allowed self-contractors to get help under the new Pandemic Unemployment Assistance program.
It allowed gig workers — artists, freelancers and Uber drivers — to apply without first proving they made wages. That opened the door for fraudsters to file claims by simply swearing that they were unemployed for Covid-related reasons and they had worked until that point.
For victims who work for themselves, there is no human resources department to catch phony claims.
If someone files a fraudulent claim in their name, and gets away with it, those workers are the least likely to discover it. And they are the most likely to have a hard time fixing the situation and tapping into benefits if they actually become unemployed.
There can be a long delay when they try to file a legitimate claim because there is already one on file in their name.
In February, the state labor department said it had hired a company called ID.me to help verify identities. Now, applicants will get an email or text message asking them to set up multi-factor authentication. They’ll be asked to upload a photo of a driver’s license or passport and take a selfie.
Other states, like Ohio, are hiring data collection services like LexisNexis to verify claims.
Talcove said states are starting to catch up to the methods banks and other private companies have used for a long time.
“Although the people that are doing it are very sophisticated,” he said. “The fraud really is easy to stop.”
What to do if it happens to you
Don’t panic. Don’t send confidential information to unknown websites or email addresses, or to a voice on the phone.
If you get a letter or a debit card that says you have qualified for unemployment when you have not filed a claim, report it to the New York State Department of Labor.
Report it to your employer.
Change your passwords, logins and pins for online accounts.
Put a fraud alert on your accounts with credit bureaus Experian, TransUnion and Equifax. Get a free credit report from report.com.
Report the identity theft to the Federal Trade Commission at identitytheft.gov.
If you get a 1099-G tax form for income you did not receive, the IRS says you should contact the state and request a corrected 1099-G. Do not pay taxes on income you did not receive.
Some companies that have had data breaches offer credit monitoring services to customers. That includes Equifax and Marriott’s Starwood Hotels & Resorts.
NY has short delay in getting extra $300 unemployment benefit to some
Unemployment in NY: How to figure out if you need to reapply after one year
3rd stimulus check update: IRS updates Get My Payment tool; see when you’ll get paid
Inside CNY’s job disaster: What industries fell off a cliff?
Have you been a victim of unemployment fraud? If you want to tell your story, contact Michelle Breidenbach | firstname.lastname@example.org | 315-470-3186.
Let’s block ads! (Why?)