Congress is poised to approve another quarter-trillion dollars in COVID-19-related unemployment benefits even though the nation’s patchwork, state-based system remains vulnerable to the same rampant fraud that allowed scammers last year to siphon off more than $40 billion in pandemic relief intended for needy Americans.
That means the $1.9-trillion stimulus package headed for approval in Congress this month — including another $260 billion in unemployment insurance — is likely to bring another windfall for cyber criminals, including many foreigners impersonating laid-off workers and exploiting loopholes created by last year’s CARES Act relief bill.
“It’s like Christmas for the fraudsters,” said Haywood Talcove, chief executive of information firm LexisNexis Risk Solutions, Government Group who says the government should adopt tougher anti-fraud safeguards to verify the identity, work history and location of applicants. “I wouldn’t let another penny go out until the government puts some of these tools in place to prevent it.”
Cybercrime experts, including some who once made their living exploiting weak online systems, warn that as Congress prepares to pass another mass infusion of cash, criminals have gotten smarter, but the federal government hasn’t.
At least 10% of the $450 billion allocated last year in expanded unemployment benefits was pocketed by criminals, federal officials estimate. California says it lost at least $11 billion and perhaps as much as $30 billion, or a third of what it received from the federal government.
“There are tutorials on how to do it. There are YouTube videos,” said Brett Johnson, who now advises federal law enforcement on cybercrime after being one of the FBI’s most wanted criminals. “They’ve left everything wide open. It is a complete nightmare scenario.”
The economic aid bill that passed the House on Friday and is now being considered by the Senate lacks targeted safeguards to address the problem.
The House version includes $2 billion for improvements to state and federal unemployment systems, but the money isn’t just to help states prevent fraud. The Labor Department will have discretion to spend the money on federal administrative costs, improving systemwide infrastructure, accelerating claim processing and prosecuting fraud.
Some lawmakers and fraud experts are pushing for Congress to consider tougher anti-fraud measures.
Senate Finance Committee Chairman Ron Wyden (D-Ore.) proposed putting the 53 separate state and territory unemployment systems under the technological umbrella of the federal government, much like the healthcare.gov marketplace.
Such a step might help identify fraudulent actors who float from state to state, robbing one system and then moving to another once that state catches on. States would still run their own programs governed largely by state laws, but the federal government would manage the technology side. His $500-million overhaul would take two years to implement.
Talcove said even some basic steps would eliminate much of the fraud, such as requiring states to use third-party information companies like his to do the same background identity checks that online retailers and banks do with nearly every transaction online: check if the IP address being used to file the claim is in the same state or country, or if it was used to file multiple claims in a short period of time; use public-record databases to confirm details; and check how long an applicant’s email has existed.
California, which estimates 95% of the fraud it saw last year involved claims under the expanded pool of workers, hired three outside cybersecurity firms to help verify applicants’ identities, though the practice has alarmed civil liberties and privacy groups concerned about government access to such databases
“It’s not hard to fix,” Talcove said. “This is not a complicated fraud.”
Cyber experts estimate it would cost a few million dollars per state to access the technology itself or at least $30,000 a month if a state contracted the job to an outside firm.
Most of the new bogus claims stem from Congress’ expansion in March 2020 of unemployment insurance to include gig workers, contractors and the self-employed.
Each state and territory runs its own unemployment system, and they rely heavily on employers to verify that a worker has lost their job. But those checks are not possible with gig workers and others with no separate employer.
Sophisticated international crime rings quickly found they could file fraudulent claims across the country with as little as a name, date of birth, address, social security number and bank account. A social security number and personal information costs at most $4 on the dark web, Johnson said. A copy of a driver’s license, what many states now use to verify identity, costs perhaps another $25, he said.
Criminals targeted states like California, where benefits are among the highest in the nation. They sometimes used American “mules” to collect the money at local addresses and send it overseas, or made up fake companies to list as employers.
“Once it goes out, like 99% of it never comes back,” said John Thomas Flynn, California’s former chief information officer, who is now a Sacramento-based IT consultant.
Often those whose identities were stolen have no idea until they seek unemployment aid themselves and discover the benefits have been exhausted, or receive a notice from the government that they owe taxes on unemployment benefits they never received.
The Labor Department under President Trump was widely criticized for waiting months to provide guidance to states about how to handle this new pool of workers, and what information to use to verify unemployment claims.
In December, Congress intervened to order states to verify applicants’ identities and specify what information to collect to prove work history. That measure only took effect at the end of January.
“We currently do not have enough resources to fight this unbelievable attack that we’re experiencing across the nation,’ said Suzi Levine, a deputy assistant secretary of Labor who oversees unemployment. “What we’ve seen is that these criminals are going after state by state. They’re testing the fences. They’re identifying where they can get in through the cracks.”
While there is broad, bipartisan agreement that protections and identification procedures are vital, the pending legislation lacks meaningful new anti-fraud safeguards.
That’s partly because Congress is rushing to get a bill to President Biden’s desk before extended unemployment benefits run out March 14, causing 10 million Americans to lose benefits. And there is little time at this point to make changes.
Some lawmakers are also waiting to see how the standards passed in December work, according to aides involved with negotiating the legislation. Onerous requirements and documentation could delay or deny payments to eligible people who desperately need the money. States already face massive backlogs in paying unemployment claims.
“Are these controls that we’re going to put in place worth the pain and suffering we’re going to cause individuals that need that money?” said Allyn Lynd, a cybersecurity expert who helped the FBI create its cybercrimes team.
Democratic lawmakers say they hope to address fraud more fully with follow-up legislation, if needed, and predict that Biden’s Labor Department will exert its existing authority to draft better guidelines for the states.
At least part of the reason the pending bill lacks tighter safeguards is political, however.
Because Republicans oppose the relief measure, Democrats are using a special Senate process to pass the bill and avoid a GOP filibuster.
But the so-called reconciliation process can only be used for spending and budget purposes, not for setting new policies. And that includes new rules to require states conduct front-end checks of an applicant’s identity.