As federal and state officials scramble to send unemployment and stimulus funds to help people hit hard by COVID-19 business shutdowns, it has become a perfect storm for cyber fraud.
The payments are an easy target for cybercriminals as hackers and cyber gangs around the world have started to file unemployment claims use stolen identities. Some criminals claim benefits in the names of dead or incarcerated people, while others set up shell companies, “hiring and firing” fictitious employees to collect payments.
For example, cyber gangs in Nigeria have stolen millions in benefits from multiple states using hacked names, Social Security numbers and other information sold for as little as two dollars each on the dark web. In New York, a man was charged with filing more than $1.4 million in false COVID-19 unemployment claims, using the stolen identities of over 250 unknowing victims. According to U.S. attorneys, he was caught in part because he used the same IP address and security question and answer—the name of his family dog, Benji—to submit the applications.
The U.S. Department of Labor estimates fraudsters may already have stolen at least $63 billion through phony jobless claims, while other reports say the losses could be as high as $200 billion. In addition, unsuspecting victims are at risk of receiving surprise tax bills because cybercriminals stole their identities and filed fraudulent claims for COVID-19 unemployment payments.
Watch Closely for Signs of Fraud
The Federal Trade Commission warns that unemployment fraud puts workers at additional risk of identity theft crimes including tax fraud. What can you do to help protect your employees?
Unemployment fraud is often uncovered when employers are notified by state officials that employees have applied for benefits. If they are still working, they may be the victim of identity theft.
Be alert to the signs of cybercrimes and unemployment fraud. Contact your human resources department or tax administrator and ask them to look carefully at any notices or requests they receive from state unemployment officials. If you get a report about unemployment benefits that an employee did not request or receive, contact the employment division of your state labor department. Unemployment fraud is so widespread that most states have set up special procedures to deal with these situations.
Warn Your Employees
Let employees know that unemployment scams are a serious problem. Identity theft can also lead to tax fraud, credit card theft and loans taken out in their names.
Notify a working employee immediately if the state informs you they have filed for unemployment benefits. They may be the victim of identity theft and should file a police report. Officials say workers scammed by cybercriminals do not have to pay unemployment taxes, but they must report the crime to the state labor department. And they should file their federal and state taxes on time for the correct amount of their income. The U.S. Labor Department has created a special website for victims of unemployment fraud.
Review Your Cybersecurity
Much of the personally identifiable information used by cyber thieves comes from data breaches, phishing schemes and other cyberattacks. Remind employees, particularly in human resources and tax departments, to be alert for suspicious emails, telephone calls and text messages about payroll information or W-2 forms.
The threat will continue beyond the pandemic. Business email compromise, in which employees are tricked into paying company funds into fraudulent accounts, is at an all-time high, so make sure employees have regular cybersecurity training. If you haven’t conducted a data inventory, do so now. Once you know what data you keep, you can determine what controls you require to protect that data. Store employee records securely and dispose of personally identifiable information carefully. It is also advisable to use a secure email gateway, which protects from spam, viruses, malware and denial-of-service attacks, and make sure employees working remotely are using secure company devices. Install patches and software updates, setting up automatic software updates whenever possible.
Unemployment or tax fraud targeting multiple employees may indicate a data breach. If you have a theft or cyberattack, contact your insurance carrier and, if necessary, seek expert help to identify the source, the extent of the problem and how best to respond.
