Criminal networks in countries from Russia to Nigeria have bilked some $200 billion from U.S. pandemic unemployment programs via the dark web, estimates ID.me, the identity verification company weeding out the fraud for 15 states.
"It's the largest incident of fraud I expect to ever see in my lifetime. Certainly well beyond anything I've ever seen, and I don't expect that I will see anything like it again," said ID.me CEO Blake Hall.
- Blake Hall, CEO of ID.me, is leading efforts to block identity theft unemployment fraud in 15 states.
- Criminals have pillaged a federal pandemic relief program that gave unemployment benefits to gig workers, using identity theft to steal $200 billion or more, ID.me estimates.
- People whose identities have been stolen should report the fraud to state unemployment agencies.
- State unemployment agencies, often saddled with 1980s-era computer systems, have called for high-tech help from the private sector to weed out the scammers.
At least 30% of the unemployment claims submitted to the state governments that use ID.me are fraudulent, according to the McLean, Virginia-based company. The problem has gotten so bad that the U.S. Department of Labor announced earlier this month it was giving states another $49 million to fund efforts to stop the fraud—on top of $100 million announced in August—noting state offices have “struggled to balance enormous workloads” during the pandemic’s unemployment crisis. They were also unprepared for the onslaught of fraud, Hall said.
When the government created the Pandemic Unemployment Assistance (PUA) program with the CARES Act relief bill in March, it threw a lifeline to millions of independent contractors and gig workers who would normally never have had access to unemployment benefits. But state unemployment agencies have pointed out that the program has been especially susceptible to swindlers.
Unemployment fraud usually involves lying about wages or why you lost your job. With the PUA program, as long as your identity was verified and you declared you had a job, you got the funds, Hall said. (The PUA added stricter documentation requirements for new applicants when it was extended in December in an attempt to staunch the pilfering.)
Because it was possible at one point to file for unemployment retroactively back to February 2020, with states giving out back payments in a lump sum, a single unemployment debit card could be worth as much as $20,000—plenty of incentive for criminals to act.
In fact, the $200 billion in estimated losses so far may be a conservative one, according to ID.me, which based that on applying the 30% fraud rate to the $630 billion in federal funding that’s been allocated for unemployment insurance payments during the pandemic.
The Balance interviewed Hall for an inside look at the battle against identity theft. The interview has been edited for length and clarity.
Why has fraud for unemployment claims skyrocketed so much during the pandemic?
It really is just a perfect storm of events that came together to create a recipe for catastrophe. You basically have these workforce agencies that have been chronically underfunded for years. And part of that was a byproduct of a roaring economy, we had historically low unemployment rates coming into 2020. And in fact, many states had conducted reductions in force or layoffs, precisely because their staff just wasn't busy enough taking care of unemployment claims, right before COVID hit.
You also have 1980s technology, and a lot of these agencies are still running on COBOL [a programming language that dates back to the 1950s], and things like that. And then after COVID hits, you have the highest rates of unemployment since the Great Depression.
And you have the introduction of a new program called the Pandemic Unemployment Assistance program, which is really designed for the sharing economy and self-employed individuals. And that introduces a threat vector for a different type of fraud where it's identity theft instead of eligibility.
So traditional workforce fraud is usually, you are who you're claiming to be, but you're lying about your wages, or you're lying about the reason you lost your job. And maybe you can test that with your employer. Workforce agencies are really good at preventing that type of fraud. Investigating, they can compare against W2s [tax documents] they have. But this new program that was introduced by the CARES Act, said as long as you have a verified identity, pretty much from anywhere, and if they self-assert they were employed, pay them the benefits.
And as you can imagine, when you're talking about hundreds of dollars per week, you can take over an identity and then say "I've been unemployed since February 2," you can get a debit card loaded with $20,000 sent to you.
The whole point of security is to make the cost of an attack greater than the benefit. The benefit keeps going here, and here, and here, and here. [moving his hand up and up and up.]
Even really difficult forms of attack to take over someone's identity all of a sudden become profitable for these criminal enterprises.
Is all of this fraud causing delays for legitimate unemployment claims?
Absolutely. What we're fighting is not too dissimilar from a technology version of the hospital in the ICU, that there's a capacity issue where you have to both serve legitimate folks who need help, and then you also need to weed out fraud.
We got prisoners and they were in scams, and assisted living centers where orderlies were bringing in mentally challenged people, literally sitting them on the toilet, and trying to speak for them off camera. And when, when you're trying to detect it, knock that stuff down, while serving the legitimate people in line, it makes the problem a lot more difficult than it should be.
On Dec. 27, the government passed a relief bill, extending unemployment programs, including the one that you're talking about, the PUA. Numerous states reported delays in resuming unemployment payments to people. So behind the scenes, why did it take so long for states to start sending checks out again? Was it related to this fraud problem?
There are a few things. I think the legitimate reasons were, they have to update their systems and reprogram them according to whatever the legislation requires. And again, that's just constraints of 1980s technology, they just have to reprogram for the rules.
But the other reason that's not as acceptable is that the second stimulus included requirements and strong language that workforce agencies needed to introduce better identity verification tooling, prior to distributing claims. There really was no workforce agency in the country that could have been prepared for COVID, and this new stimulus act that nobody even knew about in January, February of 2020, and was just introduced.
But after five or six months have passed, and you can see the fraud ticking up, you have to take action. Kudos to the states that moved quickly to say, "Something's wrong here, let's go shields-up on identity verification, in addition to our eligibility checks," but there are still some states out there that didn't take any real meaningful action to change their fraud prevention strategy. We can literally see the fraud on the Dark Web shift from the states that we're protecting to states that are weaker.
It's that analogy that you don't need to be faster than the bear, you just need to be faster than your slowest friend, if you're running away. And there are just some states that are pretty slow.
The legislation was really a stick to say, "Hey, you've got to do a better job on the cybersecurity and fraud prevention front, because we're distributing hundreds of billions of dollars here."
What is the fallout for someone whose information has been used to file a false unemployment claim?
Unclear, because there's a lot of stuff that needs to get sorted out in terms of the rules. It's going to differ according to how the federal government treats it and how each state treats it.
Unemployment income benefits in some states are taxable, in some states are not taxable, but they are reported. And there is pretty strict language in the legislation where there's no loan forgiveness for monies that were paid out.
As these 1099s go out, these tax forms, where the IRS sends out letters that say, "Hey, your tax return is a match to other sources of income," the scope of the problem will become clear. But how legislators plan on dealing with loan forgiveness or benefits forgiveness in the event of fraud, we'll see how that shakes out.
When asked how taxpayers should handle this situation if it arises, the IRS said those who receive 1099 tax forms for unemployment benefits they never received should contact their state unemployment agencies to report the fraud. Many states have set up special websites to do this.
People in Nigeria are claiming unemployment benefits from the United States? Is the fraud coming from overseas?
Oh, yeah, the Nigerians are all over these programs. In the early days of the pandemic, the Secret Service reported that Scattered Canary, which is a Nigerian organized crime ring, was involved in preparing some of these hacks.
This is an international problem and what makes it more difficult is that these organized crime rings are essentially the cooks that come up with the recipe. It's called "sauce" on the Dark Web. And like normal cooking, the chefs have the rare skills that tell you how to make a meal that works. Once they find that sauce, or that recipe, for how to defraud a government agency, they're open-sourcing it on the dark web in much the same way that developers will open source code to collaborate.
And so now, domestic criminals and everything else can follow that playbook. The number of attackers that are targeting these programs with these playbooks that are out there on the dark web is just astronomical.
So since hackers are targeting your company so heavily, can customers be sure that the information that they've given to you is safe?
We're being targeted because we're stopping the attacks, right?
Information security is what we do. Without us, these workforce agencies would be naked, essentially, with 1980s technology standing between Nigerian and Russian crime rings and hundreds of billions of taxpayer dollars.
We are a federally certified identity provider with all that goes along with that on both security, and not just on the technical side, also on the people side too, and screening folks and everything else. So we take a lot of pride, 10 years into this, that we've been built the right way. And right now we're holding the line against a tsunami of fraud.
Where are identity thieves getting the personal information that they're using to file these false claims?
It's all out there on the Dark Web. Pick your favorite breach. Equifax, 147 million Americans. Anthem is 80 million Americans. Two breaches, you're already over 200 million American adults. Our name, date of birth, Social, address, it's out there, you can pretty much buy it for anyone for a few bucks. So the toothpaste is out of the tube.
That's why a lot of the things that we do to prevent identity theft and to verify identity are related to possession of a phone with tenure, or a government ID, or a biometric like matching the face to the photo on the government ID.
Now, the way that we separate like a Nigerian student who might be claiming someone's identity is to say, okay, it's great that you know, the name, date of birth Social, address: do you actually have possession of this person's phone? And can you click a short link that we send to that device? And there is no known way to intercept those short links.
Those controls alone, that's blocking about 20% of fraudulent claims. And so then the attack shifts now to social engineering where the attacker is trying to convince the actual victim to aid them in their attack, which is good because it means that the tools were effective and now they have to have the victim in the loop to succeed in the attack.
We also send a text notification in much the same way that a bank will notify you of suspicious activity on your credit card. Like, "Hey, somebody's buying a big-screen TV at Walmart at two in the morning." So, we send a message that says, "Your identity was just used to apply for unemployment at Indiana DWD, at California EDD, at Arizona DES, is that an authorized use of your identity?” And we're getting hundreds of "no" responses per day where individuals were tricked into thinking they were winning prize money or getting a job. And we're shutting that down.
What makes me concerned is that in other states, that type of fraud goes completely undetected. Once these attackers have convinced somebody that they're a representative of a telecom or workforce agency or whatever, and they harvest their information through Telegram or WhatsApp, they can file as that person with the state workforce agency none the wiser that it's actually the attacker who has extracted all that data and the information from the victim.
But because we have that feedback loop to pierce the scam and say, "Maybe you thought you were going to win prize money, but your identity was actually used for unemployment," it gives them one more opportunity to say, "Whoa, hold on, I never authorized that." And then, when each claim is worth $10,000, $20,000, that's really meaningful when you're looking at 2,300 text messages that say "no" per day.
What can an average person do to protect themselves from having this happen to them?
There's not a whole lot that an average person could do. The best recourse you have as an individual is to contact your credit bureau, any one of them, and put a credit freeze in your information to make it more difficult for somebody to use your name, date of birth, Social, even if it has been breached. So that would be the first and unfortunately, probably the only step.
I think it's more on us, as technologists, and with the government workforce agencies, to make sure that there's effective toolings that bad guys can't claim your identity.
How is your process for verifying identity different from what the state unemployment systems previously were doing?
If your data matches the records, and you have a phone with tenure, a driver's license or state ID, and you take a picture of your face, you get through, and about 90% of folks who verify with us do that, and it takes typically less than five minutes.
The other 10% need to go through a process called supervised remote. It allows individuals to go into a video chat session and prove their identity.
You can also verify who you are online, and we record that session for audit purposes, because criminals could obviously try to counterfeit documents, and then exploit that accessibility tool, which is where we're dealing with the prisoners and the mentally challenged, folks who are being manipulated by orderlies, and nursing homes and all that stuff.
States that are using credit bureaus or data brokers alone, they're missing all these signals that we have to pick up fraud. And if you're not in the records, or if your data is wrong in the records, you literally have no recourse at all. That's where folks wait weeks and months. And they can't get through to this overwhelmed workforce agency that doesn't have enough staff.
It sounds like the identity thieves have resorted to some pretty extreme tactics to try to get around these measures that you've taken. Can you give me any other examples? Beyond the nursing home one?
Two to two-and-a-half percent of all the gross claims fraud that we see, they try to defeat the selfie check. And that's where we have liveness controls. So I mean: look at [this mask] here.
That was one mask they tried to use. It's insane. And then, he had documents like this:
And you're like, well, you might be who you're claiming to be, but you're clearly not eligible if you're an inmate. These jokers are just gumming up the whole system for folks who need help. And that's why we're working our tails off to give them some TLC and just make sure we can help them take care of their families while keeping this massive fraud out.
Based on what I'm seeing, I think the country has lost about $200 billion. And that might be low.
Is there anything I've not asked you about yet that you'd like to talk about?
I just think it's a national problem. We've watched it for the last few months, and the rates of fraud were just so high. When we first got in, I couldn't believe what I was seeing, I literally had the team rerun reports, because I thought something might be broken in the product. And then we're like, "Nope, actually, these numbers are consistent across all the state workforce programs." And then that's when we were like, "What is going on here?" We just waded into this market for fraud.
Once there is a market for something, like the War on Drugs, you can't stop it. Once you get into it, you see how overwhelming the criminal activity is. What we've largely done since then, is just try to help sound the alarm, so that there's a collective effort to block them.