The coronavirus pandemic offered identity thieves a gold mine.
Using stolen identities, thieves targeted the federal relief program known as the Pandemic Unemployment Assistance, which was being administered by local state unemployment agencies.
The key to the gold mine was that workers could backdate claims all the way to February and collect thousands of dollars in payments in one request. They also were eligible to receive an extra $600 a week, thanks to another federal relief program — the Pandemic Unemployment Compensation — retroactive to March 29. As of July 18, Colorado had paid out $2.04 billion in $600 weekly federal benefits.
On June 19, the Colorado Department of Labor and Employment announced that 5,600 claims were likely fraudulent. While some were paid, about half were stopped, preventing $34 million in payments.
But last week, the department said there were 4,329 more fake claims between June 21 and July 18. Those claims were identified as fraud and were not paid, said Cher Haavind, deputy director of the labor department, who could not say how much was paid to fraudulent claimants. The agency took steps to reduce losses by limiting backdating to one week. But the missing money may never be returned.
In an email, Haavind said, “we are working with national law enforcement to freeze bank accounts and take back the money.”
Colorado wasn’t alone.
Pennsylvania flagged 58,000 claims as potentially fraudulent in May. Maryland uncovered 47,500 fraudulent unemployment claims attempting to collect $501 million in benefits. The state of Washington said it was duped by a Nigerian fraud ring that siphoned off $550 million to $650 million in unemployment benefits, The Seattle Times reported. About $333 million has since been recovered.
UPDATE: Are you a victim of unemployment fraud? The state Department of Labor wants to know: Submit a fraud report
Many victims may not know their personal data was being used. That’s because we’re in a different phase of ID theft since, as many security experts believe, your data is already out there.
Thieves are compiling personal data to “build a digital fake you,” said Richard Bird, chief customer information officer at Ping Identity, a Denver-based security firm. And it’s getting even more personal.
“This is going to extend even further, all the way down to voice prints and biometrics,” said Bird, whose company develops technology to authenticate identities. “All of this stuff gets continuously stolen, which is actually problem No. 1. You don’t hear much in the news anymore about big banks waking up in the morning and $150 million is gone. But what you do hear about is breach after breach after breach. And what the bad guys are stealing is identity-related data.”
Interestingly, data breaches are down 33% in the first six months of 2020, compared to the same period last year, according to Identity Theft Resource Center’s midyear data-breach report.
But that’s not because fraudsters are taking a break, said Eva Velasquez, CEO of the nonprofit organization in San Diego that tracks breaches and helps victims of ID theft.
“They are not spending their time trying to get new data,” she said. “They are spending their time trying to monetize the data that they already have.”
Could it have been prevented?
The yikes factor here is that victims had no way of knowing their identities were being abused.
According to the FBI, which earlier this month warned of the rise in unemployment claims using stolen identities, victims found out because they tried to file for unemployment themselves, received a notice from the state unemployment agency, received an IRS Form 1099-G showing benefits were collected, or learned about it from their employer.
Part of the issue is the antiquated way data is used to identify people, such as Social Security numbers. The nine-digit number was meant for record keeping, but today, many financial institutions, health care agencies, employers and government agencies require it to secure a loan, get hired or file taxes. It’s a number that lasts a lifetime, which isn’t good if it’s stolen.
Another issue is that local governments that collect a lot of personal data often have outdated systems that are ill prepared for modern life, let alone a pandemic where everything has moved online. Colorado’s Department of Labor got dinged early on, along with several other states, for relying on COBOL, a 1970s-era computer language. The state was moving off COBOL to a new system just before the pandemic hit.
But it’s not just about aging technology. A lack of adequate funding to invest in cybersecurity and competitive wages to hire cybersecurity professionals also is a problem.
Colorado’s Office of IT did increase its cybersecurity budget last year, but only after a major security incident breached the Department of Transportation.
Colorado Attorney General Phil Weiser said his department has learned to be scrappy in order to be proactive instead of reactive. He reached out to tech professionals on a “tour of civic duty” with the new Colorado Digital Service. He tapped into the entrepreneur accelerator at the University of Colorado’s Silicon Flatirons Center for Law, Technology and Entrepreneurship, which Weiser founded, for help his office otherwise couldn’t afford.
Those efforts helped the AG’s office develop a consumer complaint portal and bring an innovative mindset to the team, one that thinks about how technology can prevent threats from even reaching consumers.
There are also policies to change the way fraudsters reach consumers. He points to robocalls, which can inundate a person’s phone line with unwanted, automated calls. Weiser worked with AGs from other states to get the Traced Act passed in Congress and force phone companies to provide better identification of who’s calling.
Between February 23 and July 24, the Colorado Attorney General’s Office received 1,449 complaints related to the coronavirus pandemic. They break down into four main categories:
- Potential scam/fraud, 141
- Price gouging, 420
- Refund complaints, 734
- Public health concern, 48
“They’re having to now build in a technological standard called shaken and stir — I often say it must be a James Bond fan who’s pushing it — and that will help us figure out is this a real phone number calling or is this a spoofed phone number calling? And that way we can identify the fraudsters and protect people from ever getting such basically annoying, or even some cases dangerous, calls.”
Of course money, he said, is “a painful point, which is part of why the government often ends up behind the curve.” That’s why government agencies need to be scrappy.
“If we stick with what’s called 20th century technology and fraudsters are using 21st century technology, we’re putting ourselves at a disadvantage,” he said. “We need to develop technological solutions that meet the challenges we’re facing.”
Another example of the state government working with private security companies was unveiled in October. Ping Identity helped the state develop authentication for a digital driver’s license, which is stored on the state’s official mobile app.
The Colorado digital ID has a holographic image of the driver’s license that rotates as the phone rotates — it’s not a static image. There’s a barcode that can be scanned to electronically confirm the person is who they say they are. So far, 55,579 citizens have downloaded the app and created myCO accounts. Of those, 1,150 have renewed their driver’s license on it.
The mobile ID is meant for in-person use. But it also allows a user to limit how much personal data is shared, said Russell Castagnaro, digital transformation director with the state’s Office of Information Technology.
“Everything is an intentional share,” Castagnaro said. “Somebody couldn’t just scan it and get something from you. You’d have to share it with them. So if you walk into a liquor store and scan a QR code, it would say, ‘Would you like to share the fact that you’re over 21, your name and your picture with them?’ And then it gets sent to them and pops up on their screen.”
In the future, the app could help authenticate a user’s identity online with an agency sending a single-use password to the app. That could be used to, for example, file an unemployment claim. But the labor department isn’t ready for that yet.
“We’ve focused on the ones that have the most impact and the most interaction with individuals, so we’ve gone through the different business lines with the Department of Revenue, DMV, tax, and even enforcement, liquor, cannabis and gambling. They’re all 100% on board and they’ve updated their statutes,” he said. “We’re making headway, but you have to let the technology prove itself out.”
Results from vigilance, education
Strange emails from a friend that turn out to be phishing. Pop-up windows that ask for your credit card number to clean the malware off your PC and are a complete fraud. A Facebook message from someone who never messages you but asks you to watch a video.
People still fall for these long-time tricks, said Mark Fetterhoff, an advisor with AARP in Denver who works on AARP ElderWatch to help people identify fraud before they become a victim. A recent ElderWatch survey conducted during the pandemic found that the majority of folks over 50 had been contacted by someone pretending to work for the IRS, Social Security Administration, fake tech support or other imposters.
“In our survey we found out that almost 70% of Coloradans 50-plus had received that type of scam requests before,” he said. “When you’re in a room of 10 people and seven of them have got that scam, that’s pretty huge.”
Even though fraud prevention tips have been around for years, Fetterhoff feels that constant reminders help. The one thing everyone should do right now is check their credit report to see who’s asking about their credit. Right now, all three credit reporting agencies are offering free credit reports every week through April 2021.
But only 28% of Coloradans have inquired in the past 12 months, according to the AARP survey, he said.
“If someone has your name, address, Social Security number and birthday, it’s pretty easy to open a line of credit in your name online,” he said.
Velasquez, with the ID Theft Resource Center, says consumers shouldn’t shrug off protecting personal data because they think it has been stolen already.
“Not every thief has every piece of your data,” she said. “And instead of trying to figure out which ones they have or which ones you’re going to protect, just adopt the mindset that your identity credentials are valuable.”
There’s anecdotal evidence that people are remembering good digital hygiene and not oversharing personal data. That will help in the long run by keeping updates away from companies with poor security and the attackers who breach those systems. About 70% of the calls to her organization used to be from victims. Now, the majority are proactively calling about a suspicious email, strange Facebook message or pushy caller.
“I believe that over time, people are becoming more and more vigilant and aware and doing their part, and it’s helping,” Velasquez said. “We still get victims and we get people who call us after that fact and say ‘I think I fell for a scam,’ but we’re getting a lot of people that are heeding the advice that you can take a moment to decide whether to engage, particularly online. That, to me, is telling us that people are absolutely learning.”
Suspect your ID was stolen?
- Victims have reported receiving a debit card from U.S. Bank, which handles unemployment benefit payments for Colorado. Report it to the bank at 1-855-279-1678.
- Report it to the Colorado Department of Labor.
- If you suspect someone is guilty of unemployment fraud, report them to the state.
- File a police report to get it on the record and have a copy of the report for your files.
- Report it to the Federal Trade Commission at identitytheft.gov.
- See more tips from the state labor department
Tips and reminders
Practice good digital hygiene by being wary of messages with links and diligently checking financial accounts for suspicious activity. A few more:
- Don’t overshare sensitive personal information.
- Familiarize yourself with methods fraudsters use to collect personal information via social engineering, phishing attacks and malicious code.
- Check your credit report regularly. The site annualcreditreport.com is sponsored by Experian, Equifax and TransUnion, and all three are offering free weekly reports until April 2021. You can place a fraud alert or freeze accounts, if needed. Phone numbers are Equifax: 1-800-525-6285; Experian: 1-888-397-3742; and TransUnion: 1-800-680-7289.
- Use two-factor authentication instead of just relying on passwords.
- Make your email password unique since unlocking it could lead an attacker into all your other accounts.