With the pandemic as a backdrop, cybercriminals have recognized an unprecedented opportunity to steer billions of dollars in unemployment claims into their own accounts.

Joshua Goldfarb, Global Solutions Architect — Security

February 11, 2021

It has been nearly a year since the pandemic began to affect our lives, both personally and professionally. Many of us continue to wonder when we will be able to see our families and friends again, and when we might resume those everyday activities we used to take for granted — you know, like going to work.

That is, if you have a job to go back to. Millions of US workers have lost their jobs due to the pandemic. As is to be expected, they have turned to state government unemployment insurance to try to make ends meet.

As if this weren't upsetting enough, cybercriminals have recognized an unprecedented opportunity to commit unemployment fraud on a massive scale. According to the Department of Labor, losses across the country from COVID-19-related unemployment fraud totaled $36 billion in 2020 through November 2020.   

What exactly is unemployment fraud? The pandemic version involves fraudsters:

  • Buying stolen identities from the underground via Dark Web websites.
  • Using that information to fill out unemployment claims.
  • Receiving unemployment benefits to a drop account.

As cybercriminals execute their malevolence, a handful of trends and tactics are emerging that speak to the bad guys' ability to commit unemployment fraud successfully and on such a large scale.

Trend 1: It's Easier Than Ever
The pressure on state government agencies to provide benefits to displaced workers, along with an increased volume of unemployment claims, has made it easier for fraudsters to get away with unemployment fraud: They simply use the volume of claims – 779,000 new claims were filed in the last week of January alone – to drown out and hide their activities.

Further, many have taken advantage of and targeted states with no income tax because they have no tax records with which to verify identities. In fact, many states only became aware of fraud when notified by legitimate citizens who had their identities stolen and fraudulent claims filed in their names. In response, states have slowed paying claims in order to verify information first. However, this has only hurt the people needing the money and hasn't reduced fraud.

Trend 2: Stolen Identities
The easiest and most predominant means by which unemployment fraud is committed begins with fraudsters stealing identities. This is quite easy: We all know that massive data breaches in recent years have compromised countless Social Security numbers.

Once cybercriminals have amassed a list of stolen identities, they begin the process of opening new accounts and filing unemployment claims with state agencies. To reduce exposure, they often use the stolen PII of people who have died, were just born, are in prison, or left an organization years ago.

Trend 3: No Address? No Problem
Fraudsters need to provide a physical address during the unemployment claim application process. Using the real addresses of the people whose identities have been stolen would be too risky. So instead they're using the addresses of vacant properties, often submitting hundreds of applications with the same physical addresses. 

They're also using addresses of homes up for sale, with their owners still living there. For example, in October CBS Los Angeles reported that mansions up for sale had hundreds or even thousands of fraudulent unemployment claims using their physical addresses on file.

Often, fraudsters arrange for unemployment benefits to be auto-deposited into a drop account. In some cases, however, fraudsters hire mules to pick up prepaid debit cards loaded with unemployment benefits at the addresses they used.

Trend 4: Copy and Paste
As it turns out, fraudsters paste information into their Web browsers roughly 10 times more frequently than legitimate users. In addition, their browsers only occupy a portion of the screen's available real estate. What is on the rest of the screen? The text file they keep next to the browser window for copying and pasting ease.

If you’re like me, you don’t usually copy and paste a first name and last name into an online form — unless, perhaps, you’re attempting to open dozens or hundreds of fraudulent unemployment claims in other people’s names.

Trend 5: Hiding in Plain Sight
A key part of the cybercriminal playbook is to hide in plain sight and avoid detection. Fraudsters employ a variety of techniques to accomplish this. Many use VPNs and cloud infrastructure to try and disguise their identities. They also often rotate their IP addresses and user agents. How do we know this? Because the time zones on their devices often don’t match the geolocation of their IP addresses. 

Fraudsters do love a familiar device, though. The same bad devices have been observed accessing a high number of unemployment benefits accounts — more than 20 is not uncommon. In fact, fraudster devices account for one-third of all bad transactions, according to internal F5 research. For comparison's sake, known good devices most often access up to three accounts.
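
The signals described under Trends 3 through 5 (address reuse, heavy pasting, a browser window covering only part of the screen, a device time zone that disagrees with IP geolocation, and one device touching many accounts) can be combined into a per-claim list of indicators. The sketch below is an added example, not code from this article or from F5; the record fields, thresholds and sample data are constructed assumptions.

```python
from collections import defaultdict

# Assumed thresholds; only the device limit follows the "up to three accounts" remark.
MAX_ACCOUNTS_PER_DEVICE = 3
MAX_CLAIMS_PER_ADDRESS = 5
PASTE_RATIO_LIMIT = 0.5   # share of form fields filled by paste
MIN_WINDOW_SHARE = 0.6    # browser window area / screen area

def normalize_address(addr):
    """Collapse case, punctuation and spacing so trivial variants compare equal."""
    return " ".join("".join(c if c.isalnum() else " " for c in addr.lower()).split())

def score_claims(claims):
    """Return {claim_id: sorted signal names}; an empty list means no signal fired."""
    accounts_by_device, claims_by_address = defaultdict(set), defaultdict(set)
    for c in claims:  # first pass: cross-claim aggregates
        accounts_by_device[c["device_id"]].add(c["account"])
        claims_by_address[normalize_address(c["address"])].add(c["claim_id"])
    results = {}
    for c in claims:  # second pass: per-claim checks against the aggregates
        addr = normalize_address(c["address"])
        checks = {
            "device_fanout": len(accounts_by_device[c["device_id"]]) > MAX_ACCOUNTS_PER_DEVICE,
            "address_reuse": len(claims_by_address[addr]) > MAX_CLAIMS_PER_ADDRESS,
            "heavy_paste": c["fields_pasted"] / max(c["fields_total"], 1) > PASTE_RATIO_LIMIT,
            "partial_window": c["window_area"] / max(c["screen_area"], 1) < MIN_WINDOW_SHARE,
            # Offsets only: DST edges and coarse IP geolocation can misfire.
            "timezone_mismatch": c["device_utc_offset_min"] != c["ip_geo_utc_offset_min"],
        }
        results[c["claim_id"]] = sorted(name for name, hit in checks.items() if hit)
    return results

def sample_claims():
    """Constructed records: six claims from one device, two ordinary ones."""
    bad = [dict(claim_id=f"C{i}", account=f"acct-{i}", device_id="dev-A",
                address="12 Vacant Ln." if i % 2 else "12  VACANT LN",
                fields_pasted=9, fields_total=10, window_area=960 * 1080,
                screen_area=1920 * 1080, device_utc_offset_min=60,
                ip_geo_utc_offset_min=-480) for i in range(6)]
    good = [dict(claim_id=f"G{i}", account=f"acct-g{i}", device_id=f"dev-G{i}",
                 address=f"{i + 1} Main St", fields_pasted=0, fields_total=10,
                 window_area=1920 * 1040, screen_area=1920 * 1080,
                 device_utc_offset_min=-480, ip_geo_utc_offset_min=-480) for i in range(2)]
    return bad + good

if __name__ == "__main__":
    print(score_claims(sample_claims()))
```

Each signal is weak on its own, so the output is better suited to ordering claims for manual review than to automatic denial.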

So That's It?
No, the news isn't all bad. There are steps state government agencies can take to protect themselves and their citizens from this surge in unemployment fraud. For example, by implementing controls to catch fraud, state agencies can reduce the amount of unemployment fraud that happens under their auspices. In doing so, they can protect both themselves and their citizens from unemployment fraud.

Putting in place proper processes and procedures to govern the unemployment benefit application process is also a great start. That, combined with fraud detection and prevention capabilities that monitor for abuse of unemployment benefits, empowers state agencies to combat unemployment fraud head-on, reducing losses and saving taxpayers money.

The COVID-19 pandemic has introduced complexity and chaos into many areas of our lives. The associated surge in unemployment fraud merely adds to it. Rather than giving up and opting to live with billions of dollars in fraud losses each year, the time has come to take action.

About the Author(s)

Joshua Goldfarb

Global Solutions Architect — Security, F5

Josh Goldfarb is currently Global Solutions Architect — Security at F5. Previously, Josh served as VP and CTO of Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team, where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT. In addition to Josh's blogging and public speaking appearances, he is also a regular contributor to Dark Reading and SecurityWeek.
