A nationwide fraudulent unemployment benefits cyber scam has been making headlines for many months now and still continues to threaten employers and countless individuals throughout the United States.   Threat actors continue to exploit overwhelmed governmental agencies and are filing claims for benefits using the personal information of people who have not lost their jobs.  The false claims have been estimated in the hundreds of millions of dollars of fraudulent unemployment claims being paid to threat actors.  This fraud is a sharp reminder that sensitive personal information in the wrong hands can result in tremendous harm.  Employers should remain vigilant and alert their workforce, promptly challenge fraudulent claims, and check cyber-security practices and policies to help protect against this and other cyber threats.

It is estimated that nearly 53 million unemployment claims were filed during the few months of the coronavirus pandemic and the threat has continued into 2021.  Many state agencies, already understaffed and functioning with older technology and fraud detention protocols, were not prepared for the onslaught and have become tremendously overwhelmed.  The resulting delays and chaos in processing so many unemployment claims in such a short time has set the perfect stage for threat actors to take advantage.

Under normal circumstances, when the unemployment claim is filed, the agency will send  timely notice to the employer to provide the opportunity to protest the claim.  Typically the employer has ten days to protest.  However, during the pandemic, unemployment offices across the country have struggled to get the notices out to employers – taking months rather than days.  Consequently, employers are receiving the protest notices after the time has expired to protest the claim.  Most people learn they are affected when they get a notice from the state unemployment benefits office about their supposed application for benefits.  By then, however, the benefits usually have been paid to an account the criminals control.  Further, it is not clear given the magnitude of claims and impact on individuals whether in some instances agencies are paying even before they send the protest notice.

Employers and individuals effected by the scam have scrambled to identify the source of the personal identifying information (PII) used in the fraud.  For this unemployment scam to work, it generally requires four critical pieces of information of the employee – name, employer, social security number and date of birth.  More recently some agencies have required additional information such as driver license numbers.  However, that has just created a new approach for attackers to now seek out driver license numbers too.

In addition, in many instance the threat actors appear to be targeting more highly compensated individuals to maximize the payouts.  Because this fraud is a pandemic-specific threat taking advantage of overwhelmed state agencies and has hit employers across the country, it is more likely that the threat actors obtained the PII of employees on the dark web, rather than as a result of a recent cyber-attack directed specifically at individual employers.  In other words, it is more likely that the PII was exposed sometime in the past as a result of an individual’s ID theft or as a result of one of a number of headline breaches that effected millions.  However, employers should not completely rule out the possibility of a past or recent breach if they have been impacted by a significant number of fraudulent claims.

Employers should remain vigilant of this scam.  Here are steps you can take to help your business respond quickly to any phony claims and assist employees whose personal information has been misused.

  • Inform your employees. Educate employees about the scam and ask them to report potentially fraudulent benefits claims.  Similarly, direct your HR team to flag any notice they get from the state about a claim supposedly filed by a current employee and immediately notify the employee about any suspicious claim that your business receives.
  • Report the fraud. If your company and employees have become victims, report the fraud to the state agency. Check your state unemployment benefits agency’s website for reporting instructions.
  • Enhance and communicate cyber-security practices. This fraud serves as a reminder that when sensitive personal information is compromised it can result in tremendous harm.  The risks of potential missteps leading to a breach are amplified by so many employees now working from home. Remind employees of your company’s cyber-security policies and practices and provide tips to help your employees maintain personal security when working from home.

Individual employees who find themselves the victim of a fraudulent unemployment claim should consider rapidly completing the following to help protect against identity theft and potential benefit repayment liabilities.

  • Report the fraudulent claim to the following: Your local HR department, your state’s unemployment benefits agency, the FBI via their Internet Crime Complaint Center (IC3), and your financial institutions (bank, credit card companies, retirement & trading accounts, etc.).
  • Contact the three major credit bureaus to place a fraud alert on your account: Equifax, Experian, and Transunion.
  • Follow FTC guidance for reporting Identity Theft: identitytheft.gov
  • Consider Submitting IRS Form 14039: “Identity Theft Affidavit,” irs.gov.

For more information on how the pandemic is effecting cyber security and information governances issues, see: “COVID-19 Remote Workforce Risks – Preservation, Compliance, Privacy, and Data Security Risks

For additional COVID-19 legal resources and information, check out Seyfarth’s COVID-19 Resource Center.