Like many victims of unemployment fraud, Duane Thomas only learned that someone had used his identity to file for jobless benefits when a strange 1099-G tax document arrived in his mailbox last month.
He reported the mistake in an online form provided by the state Department of Labor and Employment. Within about three weeks, the state sent him a corrected 1099-G form to let him and the IRS know he wasn’t on the hook for taxes on $12,000 of benefits he never received. He also got an email from the agency acknowledging receipt.
But he’s clueless about how it could have even happened.
“I have no idea,” Thomas said.
Officials from the state Department of Labor and the Colorado Attorney General’s office, plus cybersecurity professionals, shared what likely happened during an online broadcast this week.
Thomas’ personal data and that of millions of others — including home addresses, birthdates and Social Security numbers — was compromised in recent and long-ago data breaches of well-known companies. Those range from the 500,000 guest accounts pilfered during the Marriott International data breach in 2018 to the Equifax breach of 2017, when data on nearly every American with credit was exposed.
“Now today, if you all have been paying attention to the news, we’ve had SolarWinds and Sonicwall have (data breach) issues,” said Carlin Dornbusch, president of American Cyber Security Management in Superior. “We’re still calculating the numbers in potentially the tens of thousands of businesses that have been impacted by just these two breaches alone.”
But while one can cancel a credit card and get a new one, it’s not the same for birthdates, Social Security numbers and other personally identifiable information (PII) that rarely changes.
“That PII, like gender, hair color, birthdate, those are long-lived data elements,” Dornbusch said. “That’s the metadata of the human race, so when that information is compromised, it can lead to disastrous returns as that data can be assimilated to help build profiles and then those individuals can be targeted.”
That’s why thousands of Coloradans have become victims of unemployment fraud, discovering the issue only after getting a debit card or 1099-G form in the mail, learning from their employer or even when filing for unemployment and finding someone else has used their identity.
“This is a new type of fraud. Our systems are based on the idea that a Social Security number is truly sacrosanct. It’s not known by everyone,” said Daniel Chase, chief of staff for the Colorado Department of Labor. “These Social Security numbers are no longer private data points for people. They are known to criminals, they’re known on the dark web and they’re easily accessible for people to use them for these kinds of things.”
How fraud happened
Money motivates fraudsters, said Shameka Walker, a senior attorney in ID theft program management at the Federal Trade Commission. The federal CARES Act provided unemployment benefits to a type of worker for the first time: gig workers, contractors and the self-employed, who normally aren’t covered by unemployment insurance. The CARES Act also paid a $600 per week bonus, which made backdating claims to February 2020 more lucrative. Scammers could get tens of thousands of dollars in the first payment.
“This kind of identity theft has been around for years, but because of the pandemic it’s really increased,” Walker said. “And that’s because people lost jobs, and then they got enhanced benefits, which makes it very attractive to identity thieves. Also, some states relaxed the verification process so it made it easier for identity thieves to get access to this kind of information to begin with.”
Colorado’s Department of Labor began noticing the increase in suspicious claims in June when an excessive number of Pandemic Unemployment Assistance claims were filed. While some were paid, about half were stopped, preventing $34 million in payments that month. Anti-fraud measures the state put in place prevented 30% to 50% of the false claims from being paid in July.
But there were so many suspicious claims. By January, the state said 1 million claims had been flagged for fraud during the pandemic. While $7 billion was prevented from being paid out, the labor agency said about $10 million was paid to accounts deemed fraudulent. The state is trying to recover the money.
Colorado isn’t alone.
The Office of Inspector General for the U.S. Department of Labor said unemployment fraud now accounts for 70% of its investigative case load, compared with 12% pre-pandemic. It estimated in November that $36 billion in benefits may have been improperly paid due to fraud.
Other states also shared their “wins,” including New York, which said last week it had identified 425,000 fraudulent claims and prevented $5.5 billion in payments. A USA Today story in December interviewed an unemployment scammer in Nigeria about how he compiles a list of real people and then pays $2 in cryptocurrency for hacked data to link the name to a birthdate and a Social Security number.
Colorado makes some changes
So far, there’s no move by the state labor department to do away with Social Security numbers on unemployment applications. It’s relying on other available tools, like ID.me, to verify an individual’s identity, said Jessica Hudgins Smith, press secretary for the Division of Unemployment Insurance.
“This is where ID.me comes into play,” Smith said. “Through ID.me, a claimant with an integrity hold will receive an email and has an opportunity to verify their identity in three different ways — by phone, through a third party provided by ID.me or through their local workforce center.”
By September, the state had 18 fraud triggers that flagged accounts for fraud, up from five before the pandemic.
In Colorado, fraud holds affected legitimate users who then struggled to get accounts reinstated. The state relaxed some of the holds in the fall, such as one that flagged two unemployed people sharing an address. To get holds released, people must contact the department and prove their identity.
There are now at least 50 triggers that could create a hold on an unemployment claim. The state said there are about 1 million fraud holds in its system.
“A mere fraction of a percent of those people that we have implemented a payment hold on have actually contacted us to get us to release it,” Chase said. “So what that’s showing us is that that 1 million number is likely truly fraudulent claims that are being filed in our system.”
Recovery for victims
Scammers have been known to use real addresses of homes for sale or empty apartments to pick up the mail.
They also can switch to direct deposit instead of a bank card. That means by the time a victim receives the plastic card from the bank — the state uses U.S. Bank — the money has been moved elsewhere.
When victims receive these ReliaCards, they should call U.S. Bank at 1-855-279-1678 to deactivate the card and take steps to protect their identity. The official free credit report site, annualcreditreport.com, offers free reports each week from all three credit reporting agencies until April.
The Department of Labor added a form last August so victims and employers can report fraudulent claims. When the 1099-Gs started showing up in January, the agency added another form to report the invalid 1099-G. As of this Tuesday, 8,787 invalid 1099s had been reported and 1,200 corrected forms mailed.
Dornbusch, with American Cyber Security Management, pointed to the site HaveIBeenPwned.com, where people can type in an email address to see what data breaches may have exposed their email and other private data. The site, run by security consultant Troy Hunt, also has an area to test one’s password and see if it’s also floating out on the dark web for someone to purchase.
There are some built-in anti-fraud measures in the unemployment system. When someone files for unemployment using a Social Security number associated with someone who has worked in Colorado, the state automatically notifies all of that person’s past employers for the prior 18 months. That’s how employers — and the state — quickly find out about impostors making claims for an existing employee.
Chase encouraged employers to fill out the fraud reports if someone filed illegally. But any benefits paid to an impostor won’t be charged to that employer’s account, nor will it affect their experience rating, which causes an employer’s insurance premium to change.
“The problem that we’re facing is we don’t have contact information for victims until they file that fraud report form on our website,” Chase said. “The best thing that we can do is continue to notify employers and their networks to notify those workers that their identities have been stolen.”
But people who aren’t employed or are retired no longer have that connection. Guy Mendt, who is retired, reported fraud to the state Department of Labor when he received a ReliaCard in August, but hadn’t heard back by the time he received a 1099-G tax form in January.
Mendt, who believes it was the Equifax data breach that exposed his information, experienced the backlog of the system. The state said in January that it had received 80,000 fraud reports from victims and employers. Those had to be manually entered into the computer system to flag accounts. Some of that changed when the state upgraded its entire system earlier this year.
The agency later said it would acknowledge receipt of victims’ reports with a message “on department letterhead.”
People who haven’t received a corrected 1099-G form can still file their taxes anyway. The IRS requires people to pay taxes on income received — not income on an invalid tax form, Chase said.
“As we work through those reports on our website, our plan is to send you a corrected and zeroed-out 1099-G, which will also notify the IRS that you actually don’t owe us anything,” he said.
Guard personal data
A few years ago, the state legislature passed a law to better protect consumers and their data.
Companies must report a data breach to the AG if it impacts more than 500 Coloradans. They also must notify affected customers within 30 days if personal data was exposed. Last year, there were 119 data breaches reported that affected “a million or more” Coloradans, said Natalie Hanlon Leh, chief deputy attorney general.
But as part of the state law, companies must destroy a customer’s personal data when it’s no longer needed. And that should go a long way to preventing personal data from leaking out when data breaches happen, said Dornbusch, with American Cyber Security Management.
Businesses need to be retrained about what data is necessary and consumers should be wary when any company asks for personal information, he added.
“This is our data and we should be asking these businesses how are they using our data? Who will have access to our information?” he said. “It’s in our capability and rights to be pushing back on the businesses. We should be sharing as little of our information as possible so when you sign up, if the form doesn’t require you to fill out a field of, say, your birthdate and so forth, then maybe consider not filling that out.”
Don’t be a victim
- If you received a U.S. Bank ReliaCard or 1099-G tax form for unemployment benefits you didn’t claim, submit a fraud report or file an invalid 1099-G tax document with the state labor department. A corrected 1099 should be sent to you and the IRS by March.
- File a fraud report with U.S. Bank or call 1-855-282-6161 to deactivate the card
- Contact the three consumer credit bureaus and put a fraud and identity theft alert on your name and Social Security number: Equifax: 1-800-525-6285; Experian: 1-888-397-3742; TransUnion: 1-800-680-7289 or annualcreditreport.com
- Report identity theft to the Federal Trade Commission at identitytheft.gov.
- Check HaveIBeenPwned.com to see if your email was exposed in a data breach
- Test your password to see if it’s been exposed in a data breach
- Use a password manager like 1Password or LastPass to create complex passwords
- Use a separate email for junk mail, ads or one-time emails
- Don’t click on links in strange emails
- More tips are available from the Colorado Attorney General’s office at Stop Fraud Colorado.