The for-sale ad appeared last week in an underground internet bazaar that specializes in selling stolen accounts and data. It was for access to a filched unemployment insurance claim in California that had been approved and offered benefits worth $17,550.
The black-market sale of jobless benefits is just one sign that the unemployment insurance system — the main artery for delivering financial assistance to laid-off workers — has been besieged during the coronavirus crisis by criminal networks intent on bilking the government out of hundreds of millions of dollars.
In California, fraud was so pervasive that officials have suspended processing jobless claims for two weeks to put new controls in place and reduce a bulging backlog.
The U.S. Labor Department recently made fraud detection a priority, dedicating $100 million to combat the problem. But several state officials and cybersecurity experts say some of the efforts have been misdirected, designed to uncover workers misrepresenting their eligibility instead of large-scale identity theft.
“The focus continues to be on lying instead of stealing,” said Suzi LeVine, the commissioner of the Employment Security Department in Washington, one of the first states to be flooded with fraudulent claims.
Social service agencies have historically been preoccupied with preventing potential beneficiaries from cheating the government — individuals who lie about seeking a job or the date of their return to work.
“Anti-fraud systems are organized around that,” Ms. LeVine said. “Saying I was looking for a job when I was actually on a beach in Cabo.”
But most fraud is now being engineered by cybercriminals, some of them working together, who have stolen or bought other people’s identities and are using them to raid state unemployment systems.
Since March, Washington State has turned up nearly 87,000 impostor cases. From January 2018 to June 2019, there were 184.
Traditional fraud-prevention strategies, Ms. LeVine said, “will not help us catch these thieves.”
Think of it as the difference between an attack within and one coming from the outside. Previously the cheating came mostly from workers who were in the system and trying to get something they were not entitled to. Now “it’s people outside of the system who are impersonating other people or breaking in,” explained Roman Sannikov, director of cybercrime and underground intelligence at the cybersecurity firm Recorded Future.
Using stolen identities to steal from the government, of course, is not new. Such thefts have bedeviled programs from school loans to Medicare and disaster relief. But unemployment insurance has generally not been a ripe target because states have been reducing benefits and tightening access since the last recession and caseloads have been falling.
That changed after Congress moved quickly in March to deliver assistance to suddenly jobless workers when the coronavirus outbreak upended the economy.
“Criminals go where the money is,” said Avivah Litan, an at the research and consulting firm Gartner. After Congress passed the CARES Act, the emergency relief — including the Pandemic Unemployment Assistance program and a temporary $600 weekly supplement — was where the money was.
And that is where the bulk of the fraud has been aimed. Handled by the states, pandemic jobless benefits were meant to fill gaping holes in the safety net by covering self-employed, part-time and gig workers; independent contractors; and others ordinarily ineligible for unemployment insurance.
But the desire to quickly get money to households facing eviction, hunger or financial ruin made the program vulnerable to swindlers.
In Ms. Litan’s view, the federal government has not devoted sufficient resources to secure its systems against cybercrime and identity theft.
Some of the schemes, like those that hit Washington State in the spring, were linked by federal investigators to a Nigerian-based criminal ring called Scattered Canary. The ring used stolen Social Security numbers and other identity theft, and was suspected of operating in North Carolina, Massachusetts, Rhode Island, Oklahoma, Wyoming and Florida.
Washington State officials shut down the unemployment system for two days in mid-May as part of an effort to halt illegitimate payments that ended up totaling $576 million. The state has recovered $346 million so far.
Parker Crucq, a senior threat intelligence analyst at Recorded Future, said the number and types of perpetrators had grown, ranging from organized networks and technological whizzes to bush-league hucksters.
“While many of these threats require knowledge of social engineering techniques, they likely do not require a degree of technical sophistication,” Mr. Crucq wrote in an assessment of unemployment insurance schemes. “This means that there is a low barrier to entry for potential scammers and criminals who are interested in getting involved with this form of fraud.”
In hacker forums and on the so-called dark web, where users can hide their identity and location, “some of these actors are specifically calling out state agencies by name, boasting that it’s quite easy to fill out applications on multiple occasions from information scraped from previous data breaches,” he said.
Over three weeks in September, the police in Beverly Hills, Calif., arrested 87 people from states as far away as Alaska and New York on charges related to unemployment insurance fraud. The accused were not working in tandem but followed a similar pattern, applying for benefits with Social Security numbers stolen from people who had died or were in prison or nursing homes, said Lt. Max Subin, a department spokesman.
Sometimes using false addresses and “mules” or intermediaries, they then picked up debit cards loaded with thousands of dollars’ worth of jobless benefits from the state’s Employment Development Department.
Those involved used the cards — often several at a time — to embark on shopping sprees, buying high-end handbags, belts, wallets, shoes and clothing or renting luxury cars, the police said.
Identify theft is a particularly insidious form of unemployment insurance fraud, frequently pre-empting benefits for those entitled to them and undermining confidence in the program.
“The thing that is so maddening about impostor fraud is that it strikes at the core of how unemployment insurance systems operate,” said Scott Jensen, director of the Rhode Island Department of Labor and Training. “If fraudsters are giving us fake information, it’s hard to verify it.”
An inaccurate Social Security number, for instance, is spotted immediately. “But if a fake Scott Jensen comes in with the real Scott Jensen’s Social Security number, then it checks out,” he said. Most of the fraud is not discovered until people get letters or checks from the agency and call to say they never applied.
For years, “this has been a weakness that has been really hard to fix,” Mr. Jensen said. “What is different now is the scale.”
Fraud linked to identity theft made up about 3 percent of all unemployment claims last year, according to government audits. With the pandemic program, that figure has skyrocketed.
Last week, Arizona said it had flagged over one million of 2.4 million claims — more than 40 percent — as potentially fraudulent. Over the summer, Connecticut found that 77 percent of Pandemic Unemployment Assistance claims were faked.
With state unemployment claims, there is a built-in verification process because employees have to submit their W-2 tax form and a document from their employer showing that they are no longer employed. Pandemic Unemployment Assistance, by contrast, depends largely on individuals’ certifying that they are unemployed because of the coronavirus outbreak.
Ms. LeVine in Washington State said that the U.S. Labor Department’s most recent directives focused more on data integrity, but that other efforts — like demanding that applicants certify their status each week — did little to catch the widespread fraud linked to identity theft.
“It’s better suited to catching people who might be lying or making sure they comply with eligibility requirements,” she said. “It will not help us fight impostor fraud.” For thieves, it’s just another box to check on an already fraudulent claim.
In response, a Labor Department representative said that “the department has been focused on ensuring program integrity” and that it provided a wide range of information, tools and resources as well as extensive technical assistance to prevent fraud and improper payments.
State and federal officials are caught between getting money as quickly and efficiently as possible to people who desperately need it and erecting roadblocks to cut off criminals from improperly collecting benefits.
“There are a lot of fraud tools,” like multifactor identification, said Mr. Jensen, Rhode Island’s labor chief, “but if you front-load the unemployment insurance system with them, then claimants can’t get through.”
Mr. Jensen contends that significant improvements and more sophisticated detection tools — including questions to verify a user’s identity, like the model of a first car — could be put in place quickly and inexpensively if unemployment insurance systems, antiquated in many states, switched to cloud-based computing.
“People are always going to try to steal money,” he said. “We have to work harder and faster and smarter to defeat them.”