Unemployment insurance programs in Colorado and around the country are struggling with an unprecedented wave of fraudulent claims, something cybersecurity experts say numerous data breaches the past decade have made possible.
Self-employed workers seeking assistance have found their applications stalled or payments delayed because of tighter security. Already stretched thin, the Colorado Department of Labor and Employment has redirected its limited resources. And thousands of unsuspecting Colorado residents have had to spend hours trying to rectify the fallout from the scam after claims were made in their names.
“The issue is that anyone can fill out these applications and get paid in a couple of days. All the personal identifiable information they need is readily available on the dark web as a result of countless breaches,” said Tyler Moffitt, a security analyst at Webroot, a Broomfield-based cybersecurity company.
Software that spoofs Internet Protocol addresses allows scammers to hide their digital location and operate across state and national borders. Emails are easy to obtain and disposable. And although banks are supposed to know their customers, it remains too easy to set up an account and accept deposits under a stolen identity, experts say.
“This situation highlights how weak the verification process is, considering all the requirements can be bought. There isn’t a thorough enough process to verify people are who they say they are in an online form,” Moffitt said.
Since mid-July, the CDLE estimates it has blocked somewhere around 73,000 fraudulent claims seeking between $750 million to $1.25 billion in payments under Pandemic Unemployment Assistance, a new federal program designed to help self-employed and contract workers. As of Thursday, the labor department reported 162,454 Coloradans have applied for the PUA program files claims that have not been flagged fraudulent since the COVID-19 pandemic began. Just over 2,400 new PUA claims were accepted last week.
When the PUA program launched in late April, a surge of initial claims followed. As the economy reopened in May, the number of claims fell in line with the drop in traditional unemployment insurance claims. Those have continued to trend lower across the summer. But by mid-June, PUA initial claims spiked again until the state implemented 17 safeguards, which lowered the number of approved claims.
But fraudsters found a workaround. PUA claims started rising again in late July and August, which didn’t make sense given improvements in the larger economy. By late August, there were around 20,000 claims a week coming in, about three-fold the number of conventional claims, even though self-employed workers are only a tenth or so of the overall labor force in Colorado.
In early September, the state added an undisclosed 18th security measure which has proved effective in flagging and blocking the bulk of bogus claims.
“The number of initial PUA claim attempts are down considerably since implementing the additional safeguard. An indication that some fraudsters have moved on from attempting to file in Colorado,” said Jeff Fitzgerald, division director of the state’s unemployment insurance program.
And while the number of attempts is down, Fitzgerald acknowledges a high percentage of PUA claims are still being deemed fraudulent and stopped before payments are received. About $40 million has gone into the hands of scammers, the CDLE estimated in September. That’s more than the $2.2 million that The Ascent estimates Colorado residents have lost in scams related to the pandemic, but a fraction of the money applied for.
Unemployment insurance programs have always had to deal with improper payments, which in normal times have involved around one in 10 claims, said Jon Coss, founder and CEO of Pondera Solution, a part of Thomson Reuters.
But since mid-July, about three in four PUA claims Colorado has received were fraudulent, and at the peak, about nine in 10 were.
Coss, who has been working with state and local governments to detect fraud for two decades, said the pandemic and related closures brought an unprecedented surge in claims in every state. States had to roll out the new PUA program on the fly, without the safeguards developed over the years in the traditional program.
Unemployment insurance programs were overwhelmed and under intense pressure to get the money out the door and help households.
“The first thing states did was to relax controls,” he said. “We have seen states where staff dedicated to program integrity were reassigned to processing claims.”
He is aware of someone who successfully filed for benefits claiming to be a 10-year-old bricklayer. Other states have approved claims with zero documentation.
Authorities in Pennsylvania did a crosscheck comparing prison rolls with the list of unemployment benefit recipients and found 10,000 matches. About a fifth of the state’s prison population received benefits that they were not eligible for, according to The Associated Press.
“While we will not get into details on any specific fraud schemes, this is something that we are familiar with and we have had safeguards in place to root this out well in advance of the pandemic. I would not categorize this as a widespread problem in Colorado,” Fitzgerald said.
The biggest problem by far has come from claims made under stolen identities. Coss said in 2011 there were 23 million personal identity records available for sale on the dark web. By 2018, it is estimated more than 470 million were available, more than the U.S. population of 328 million. That indicates some people have had their identities pilfered multiple times from retailers and credit reporting agencies. And the information now available is more detailed than in the past.
In May, a Nigerian cybercrime ring authorities called Scattered Canary stole up to $650 million from Washington state’s unemployment insurance system and then targeted other states. And the crime wave accelerated from there.
The scheme wouldn’t work absent bank accounts accepting direct deposits of benefit payments. Scammers often use a single account to accept payments from multiple claims.
“This isn’t a new fraud or special fraud. It is identity theft. We have special measures in place to catch it and prevent it,” said Jenifer Waller, president of the Colorado Bankers Association.
Waller said bankers have been made aware of the problem and are watching for it, but that she hasn’t heard from anyone who describes it as a significant problem. But she also adds it would be naive to assume it wasn’t happening on some level in Colorado.
Coss said scammers increasingly don’t need to steal an identity — they can fabricate one. An emerging twist in unemployment fraud involves creating a company with fictitious workers who report under artificial identities. Once the company goes under, usually in short order, the “workers” file for unemployment benefits on the wages they supposedly earned.
Moffitt said there isn’t a single way to eliminate fraud, but he offers a simple change that could make a big difference. Cryptocurrency exchanges that adhere to know-your-customer policies require members to submit a picture of themselves holding their government-issued ID.
“This is how many criminals have been caught when attempting to cash out illicitly gained assets, and could also help limit the fraud taking place in Colorado’s and other states’ unemployment system,” Moffitt said.
Coss adds pattern recognition algorithms could help find commonalities among applications. The human mind can’t properly randomize numbers, so patterns will emerge when it comes to making up emails and synthetic social security numbers.
Aside from the diversion of taxpayers’ dollars that must be repaid at some point, Coss said there are other reasons to push hard to stop the fraud. Organized crime rings are using unemployment funds to support other criminal enterprises, such as illegal arms purchases, human trafficking and terrorist activities
That puts the crime on a much different level than the people who took out Paycheck Protection Program loans to buy a Lamborghini or other luxury goods, Coss said.
“It is an insidious crime and it hasn’t gotten the attention it deserves,” Coss said. “The way the money is used, it is never for good.”
Groups that advocate for the poor and lower-income earners are also concerned that the public will view the fraud committed as an indictment on social assistance programs that have proved a vital lifeline during the pandemic.
“We are always concerned about the notion of welfare fraud, that it is rife in any social benefit program. We are trying to push back. These folks are victims themselves,” said Charlie Brennan, assistant director of research at the Colorado Center for Law and Policy in Denver.
Unemployed workers in Colorado have faced multiple hurdles in trying to receive assistance, from system crashes early on to overwhelmed call centers and delays stretching a month or longer to get help from a live person.
California said last weekend that it will stop accepting unemployment applications for two weeks as it adds a new online identity verification tool designed to stem the large number of fraudulent applications it is receiving.
And for those who learn they are an unwitting part of the scam when a debit card from the state shows up, the process of making things right can be frustrating and time-consuming.
“This fraud requires the victim to perform all the necessary steps with bank, police, and credit bureaus while the state claims they have saved millions through their actions. What a joke!,” said Highlands Ranch resident Ed Kramer in an email.