Criminals exploited weak checks and old tech to pull off vast COVID benefit fraud
In life, when you encounter something momentuous—a sudden job loss, a routine check-up that revealed an illness you can’t afford the medical bills for—you can be assured that the federal or state government has benefits you can apply for it. And where there are benefits, you can also be assured that there will be individual scam artists and national (if not international) cybercrime gangs attempting to get those benefits by fraudulent means.
It was no different when the COVID pandemic hit.
And while there are domestic fraudsters in the US, the biggest agents of pandemic-related scams and fraud, according to law enforcement officials and private experts, are outside the country and read like a who’s who of cybercrime stereotypes: Nigerian scammers, Chinese hackers, and Russian mobsters.
The fraudulent filing of claims related to the COVID pandemic has been an on-and-off topic of discussion in news sites. And American nationals and legal residents in the US, in particular, who have lost their jobs due to the pandemic recession are the ones at the losing end of every fraud story out there.
According to the same law enforcement officials speaking to NBC News, the federal government “cannot say for sure how much of the more than $900 billion in pandemic-related unemployment relief has been stolen, but credible estimates range from $87 million to $400 billion—at least half of which went to foreign criminals”.
NBC News has pointed out that if you compare the amount being stolen via pandemic-related unemployment relief fraud, it dwarfs the annual budget the federal government allots on intelligence gathering or K-12 education. It even far outweighs the annual economic cost of ransomware attacks, which some put at around $20 billion USD.
“This is perhaps the single biggest organized fraud heist we’ve ever seen,” RSA’s Armen Najarian was quoted saying. Najarian had tracked down a Nigerian ring that was able to plunder millions of US dollars from many US states.
Exploiting weak ID checks
Criminals have been taking advantage of the Pandemic Unemployment Assistance (PUA) program, using stolen identities to land individual payouts of up to $20,000 USD.
When you file for unemployment relief, you have to prove that you were employed, before the pandemic affected your status. Some states have sought out the use of ID.me, which supplied NBC with a rogue’s gallery of pictures showing fraudsters trying to pull the wool over the eyes of the verification process with an assortment of silicon masks, barbie doll heads, and deepfake videos.
NBC reports that federal watchdogs have been flagging the weakness of some state’s verification methods for years—and the criminals know they can game the system.
In fact, the unemployment verification process in some states is so bad that prison and jail inmates were able to successfully apply for COVID-19 unemployment compensation.
Because of the rampant fraud of this nature, the Office of Inspector General (OIG) issued an alert to the US Department of Labor (DOL) that it should “take immediate action and increase its efforts to ensure SWAs,” or State Workers Agencies, “implement effective controls to mitigate fraud in these high risk areas.” The memo also identified potential fraud benefits paid in the following four areas:
- Multi-State Claimants — totalling $3.5 billion in UI benefits paid;
- Social Security Numbers of Deceased Individuals — totalling $58.7 million in UI benefits paid;
- Federal Prisons — totalling $98.3 million in UI benefits paid; and
- Suspicious Email Accounts — totalling $2 billion in UI benefits paid.
Since many states have already opted out (or will be opting out) of some or all of the unemployment relief stimulus as early as July 2021, it is expected that fraudsters will be moving on to other opportunities to make a COVID buck.
Outdated technology
Criminals are also exploiting a lack of data sharing between states. Almost half of states in the US have yet to join a national data exchange to check Social Security Numbers (SSNs), which can make it possible to use one SSN to file a claim in multiple states. Also, some states have not been sharing fraud data even though it’s required by federal law. On top of that, the IOG also released a report in May 2021 revealing that 40 percent of states did not perform the required Benefit Payment Control (BPC) activities (database identity checks), and 88 percent did not do the recommended BPC cross-matches.
Regardless of how fraudsters were able to get their hands on COVID government benefits, they are quick to move the money. Foreign organized criminals, for example, use mobile payment services—Cash App, in particular—to either move money or covert the stolen money to bitcoins, before moving it overseas. Sometimes, they also sought the aid of money mules to move cash.
Reporting fraud
If you think you might be a victim of pandemic-related relief fraud you should report it to:
- Your employer,
- Your state unemployment benefits agency, and
- the Federal Trade Commission (FTC) via IdentityTheft.gov.
The FTC will also help you with what to do next to recover from the incident of stolen identity. You might also reach out to the Identity Theft Resource Center (ITRC), a not-for-profit organization that has helpful resources you can use to resolve ID theft and fraud problems.
It’s also a good idea to freeze your credit, which in turn makes it a lot more challenging for the fraudster to use your identity to open a new account.
Lastly, it’s a good idea to review your credit reports every now and then.
Stay safe!
The post Criminals exploited weak checks and old tech to pull off vast COVID benefit fraud appeared first on Malwarebytes Labs.
If you like the site, please consider joining the telegram channel or supporting us on Patreon using the button below.