Security Experts:

Unemployment Fraud - Preying on Those Most in Need

The Covid-19 pandemic has been raging for nearly a year now.  With the pandemic has come a tremendous amount of uncertainty.  Many of us wonder when we will be able to return to normal life, when we will be able to see family and friends, and when we might resume those everyday activities we used to take for granted.

Perhaps no group has experienced more uncertainty than those that have lost their livelihood due to the pandemic and the corresponding lockdowns, travel restrictions, and closures that have come with it.  These people have, unfortunately, had to turn to state government unemployment insurance to make ends meet.  As if this weren’t disruptive and troubling enough, fraudsters have looked at the current pandemic as an opportunity to commit unemployment fraud on a massive scale.

How widespread is the problem? According to a December 31, 2020 USA Today piece, COVID-19 related unemployment fraud losses totaled $36 Billion in 2020. Put another way, unemployment fraud has been rampant since the beginning of the pandemic, with virtually every US state affected.

So, what exactly is unemployment fraud? While there are different types, the version seen during the COVID-19 pandemic involves filing fraudulent unemployment claims. At a high level, fraudsters use the following tactics to do so:

● Buy stolen identities from the underground via dark web websites

● Fill out unemployment claims using that information

● Receive unemployment benefits to a drop account

One might ask how fraudsters are able to take these steps so easily at scale? The answer lies in the perfect storm of circumstances that facilitates this.

According to an F5 Labs blog post from May 22, 2020, unemployment fraud “stands out from others because it requires attackers to have a legitimate social security number. Unfortunately, that’s not a problem for attackers. Massive data breaches in 2015, 2017, and 2019 at healthcare providers, credit bureaus, credit card companies, and retailers (among others) compromised virtually every American's social security number.” In other words, there are a plethora of stolen identities available on the underground, and it is quite easy to purchase them.

Once the fraudster has obtained one or more stolen identities, they need to fill out a fraudulent unemployment claim. Fortunately for the fraudsters, online tutorials are available to help with this for anywhere from $5-$100. Further, fraudsters seem to be able to get away with using nearly any physical address when they file a fraudulent claim. For example, CBS Los Angeles found that uninhabited mansions that were for sale had hundreds or even thousands of fraudulent unemployment claims with those properties as the physical address on file.

Add to the mix that states are overwhelmed and under-resourced to handle the uptick in unemployment claims, never mind identify inconsistencies that would be indicative of fraud, and we see that COVID-19 has created a unique opportunity for unemployment fraud. Most states do not have controls in place that would prevent fraud, have little to no fraud detection capability, and are under intense pressure to pay first and ask questions later.

While the situation sounds dire, there are straightforward steps that can be taken by states to detect and prevent unemployment fraud. By implementing controls to prevent fraud and implementing fraud monitoring capabilities, state agencies can greatly reduce the amount of unemployment fraud that happens under their auspices. Implementing processes and procedures to govern the unemployment benefit application process is a great start for states. Combining that with technology to detect and prevent fraud and to monitor for abuse of unemployment benefits empowers state agencies to combat unemployment fraud head-on, reducing losses and saving taxpayers money.

What are some anomalous behaviors state governments can monitor for in order to detect and prevent unemployment fraud?  While there are many, here are a few notable ones:

● Numerous unemployment applications from the same device and/or email address

● Suspicious user behavior patterns when interacting with the site, such as:

- Copying and pasting PII

- Submitting unemployment applications very quickly

- Navigating the site quickly and showing a high degree of familiarity with the site

- Referencing another window continuously

- Attempting to evade detection (e.g., connecting from a VPN or the cloud)

- Submitting multiple applications with no subsequent login

- Completing the same form repeatedly from the same device

● Suspicious environmental indicators, such as applying for unemployment benefits in California from a device located outside of the U.S.

● Multiple unemployment benefits heading to the same drop account

● Multiple unemployment claims with the same physical address

● Suspicious combinations that come from connecting the dots between the above points and others

Rampant unemployment fraud is just about the last thing that we want to be dealing with during this pandemic. Unfortunately, the fraudsters haven’t given us much choice in the matter. The good news is that there are straightforward steps that state governments can take to combat this issue head-on.

view counter
Joshua Goldfarb (Twitter: @ananalytical) is currently Director of Product Management at F5. Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. He has consulted and advised numerous clients in both the public and private sectors at strategic and tactical levels. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team (US-CERT) where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT.