Identity Theft Attacks Channeled Millions in Jobless Claims to Inmates

• The U.S. Department of Labor rings the fraud alarm, claiming that billions ended up in the wrong hands.
• Even federal inmates received almost a hundred million USD from the state, presenting themselves as jobless individuals.
• The states are trying to put more layers of ID-verification steps, and crooks are DDoSing the IDing platforms as a response.

Significant portions of the financial reliefs distributed to the society as part of the government response to the economic stagnation caused by the COVID-19 pandemic have ended up in the pockets of crooks. Apparently, a large number of scammers engaged in identity theft and unemployment fraud, asking (and in many cases receiving) payments that they aren’t eligible for.

The U.S. Department of Labor has issued a grave warning, mentioning that 13,446 prisoners applied for jobless benefits and actually managed to receive $98.3 million from the state. The problem lies in the absence of identity confirmation systems and a strong linkage between stage agencies that would enable them to cross-check the validity of the submitted claims.

The Office of Inspector General admits that the potentially fraudulent UI benefits paid to individuals across multiple U.S. states could surpass $5.4 billion. This concerns payments made between March 2020 and October 2020 alone. For data corresponding to January 2021, the fraudulent payments are estimated to be between $11 billion and $29 billion in California, $1 billion in New York, and $600 million in Washington.

The memorandum includes details about multi-state claimants ($3.5 billion), Social Security Numbers of deceased individuals ($58.7 million), federal prisoners ($98.3 million), suspicious email accounts ($2 billion). The inmates' category is the case that highlights the incompetence of the authorities at the most embarrassing level. Also, it is easily understandable that this money has gone into the funding of further criminal conduct.

Brian Krebs has dived deeper into the problem and found that 15 states are now using ID.me, ID-verification platform. This service receives 77,000 new applications each day, so sorting out the fraudulent claims isn’t a walk in the park. The platform is asking for several proving documents now, which has infuriated the crooks. As a response to that, they are launching DDoS attacks against ID.me, which is another indication of the situation.

We have scoured the dark web with the help of KELA’s cyber-intelligence tools and found tutorials made to help crooks create a seemingly valid profile that will ensure they get their claim approved on their state.

Of course, this is evolving into a cat and mouse game, as states add more anti-fraud filters, and identity theft actors are turning to more sophisticated approaches. As the OIG concludes, the collaboration between state agencies and the use of a central system compliant with the NIST guidelines is key in tackling the problem. The taxpayer money that ended up in the wrong hands, depriving eligible people of help, is just dizzying.