When the first massive coronavirus aid package was passed in Congress it included substantial benefits for workers who lost their jobs because of the government-mandated shutdown. One of the biggest was the federal enhancement of state unemployment benefits, increasing weekly payments by up to six hundred dollars. As we quickly learned, Senate Republicans’ concerns over not having a cap on those benefits to prevent the payments from exceeding the employee’s previous salary were fully justified.
That didn’t wind up being the only problem with the plan, however. We’re now learning that the hastily rushed through bill and the flood of people applying for benefits left the door open for scammers and identity thieves to tap into the system and falsely claim benefits to the tune of hundreds of millions of dollars. The first epicenter of this massive scheme was detected in Washington State, but it quickly spread to others. (Associated Press)
It turned out that, like thousands of Washington state residents, [Dayna] Lurie’s identity was used by criminals seeking to capitalize on a flood of legitimate unemployment claims by sneaking in fraudulent ones.
Washington’s race to help newly laid-off residents as the coronavirus pandemic ravaged the economy left it vulnerable to such scams, and last week officials hinted at the scope of the damage done: hundreds of millions of dollars paid out in fake claims. Much of it apparently went to a West African fraud ring using identities stolen in prior data breaches, such as the massive 2017 Equifax breach.
State and federal authorities have tried to claw back as much money as possible and say they have blocked hundreds of millions more from being paid out, but Washington’s experience is nevertheless a cautionary tale.
At first glance, it may seem like a difficult scheme to pull off. How could someone file for unemployment under another person’s name if they are alive and working? As it turns out, all of those massive data breaches we’ve heard about over the years are probably coming back to haunt us. If scammers have enough of your personal data, they can file a claim in your name in the overloaded state online benefits systems. They can elect to have their payments made to prepaid debit cards associated with your account which they’ve already gained access to.
After that, it’s simply a matter of using the debit card to immediately transfer any payments that arrive to overseas accounts or convert the funds to bitcoin, gift cards or other financial devices. By the time the identity theft victim and their employer realize that the fraud is taking place, the scammers could have secured thousands of dollars in illicit payments. And if the hackers are from Africa, Europe or Asia, any hopes of recovering the money and bringing them to justice are slim.
This isn’t just happening in Washington. Hackers have been found running the same scam in at least nine other states including Ohio and Hawaii. This opportunity for the criminals only arose because both the states and the federal government were in such a rush to make sure it looked like they were doing something (anything) to help that the system was quickly overwhelmed.
In Washington, for example, they had been processing an average of 6,000 unemployment claims per week prior to the shutdown. Suddenly they were hit with more than 100,000 claims at a time. The choices were to tell all of the workers that they would have to wait weeks or even months for their checks while they vetted the claims, or simply approve them and start sending out the money. In order to avoid looking heartless, they went with the latter.
Some of these problems – like ensuring payments didn’t exceed wages – were foreseeable and could have been mitigated. Others, such as these fraudulent claims, were probably unavoidable because the state unemployment systems are outdated and incapable of handling a massive surge in demand on short notice. But if nothing else, this should be a cautionary tale and all of the states will need to invest in making their systems more responsive and secure.