Government agencies are grappling with the theft of millions of taxpayer dollars through unique fraud schemes directed at state unemployment programs. Employers often are the first to discover these schemes when they learn that current employees have somehow been receiving unemployment benefits for weeks while working. What can employers do?
In Washington, officials announced a theft of $550 million to $650 million from the state’s unemployment system, of which about $300 million was recovered. Cybercriminals in Colorado were so aggressive that 75 percent of applications during a single month were ruled fraudulent. Before they were caught, thousands of inmates in Pennsylvania applied and qualified for unemployment benefits. In North Carolina, federal authorities seized more than $80,000 in funds held in local bank accounts allegedly associated with COVID-19 unemployment fraud. The account holders who aided the fraudsters appear to have been victims as well because they were led to believe they were in online romantic relationships.
These are just some of the examples of the fraud schemes. There is a multiagency effort to protect taxpayer dollars from this type of fraud. The Department of Justice (DOJ), the Department of Labor (DOL), the Federal Bureau of Investigation and the U.S. Secret Service, along with state investigative bodies, are working to catch the criminals perpetrating these acts. The DOJ is prosecuting three individuals in Iowa and seeking maximum sentences of up to 20 years in prison. These agencies are calling for everyone to report suspected fraud as soon as it is discovered.
Unemployment Compensation Systems
Each state administers its own unemployment compensation system and provides benefits to unemployed individuals. Most states impose a one-week waiting period and require that the individual demonstrate that he or she is ready and able to work, actively searching for work, and is not unemployed due to misconduct. The most common form of unemployment fraud in the past has involved applicants receiving benefits while working.
The New Form of Unemployment Fraud
However, since the enactment of the Coronavirus Aid, Relief, and Economic Security (CARES) Act, there has been a new type of unemployment fraud plaguing the state systems involving cyber scams and identity theft. The CARES Act made lucrative federal funds available ($600 per week) to individuals unemployed due to the pandemic in addition to the standard state funds. Many states also lifted some or all of the standard qualifications, such as the job-search requirement and the one-week waiting period. With a substantial increase in funds available and the usual checks and balances lifted, unemployment programs became prime targets for scams and fraud.
These scams are being perpetrated by unknown fraudsters who obtain personally identifying information (PII) of an individual and use the individual’s PII to apply for unemployment through the state agency. Criminals are using various techniques to obtain this PII:
- E-mail phishing schemes.
- Purchasing stolen PII.
- Use of PII obtained during prior data breaches.
- Cold-call impersonation scams.
- Physical theft of data (e.g., dumpster diving), among others.
Unemployment benefits claims generally do not show up on credit reports. So, fraud alerts will not necessarily alert the individual to the fact that his or her PII has been stolen and used to apply for unemployment. The individuals are not receiving notice of the unemployment application because either the individuals did not have an address in the system or fraudsters provided another address during the application process. In some cases, the fraudsters are physically stealing the notice postcard out of the individual’s mailbox. As a result, a fraudster may continue to receive benefits for weeks under the individual’s stolen identity before the fraudster is discovered.
What Can Employers Do?
Employers should be hypervigilant.
- Notify the workforce. Inform employees about the prevalence of these types of scams; inform them of the fact that individuals who have previously been subject to identity theft are more susceptible; and educate them on steps to protect their PII.
- Be prepared. HR professionals should be on alert and should review any notices from the state unemployment administrator with heightened scrutiny.
Employers tend to be the first to learn of these scams when an unemployment notice is received regarding an existing employee. In some instances, CEOs and upper management have shown up on unemployment notices received by employers. If you encounter such an issue:
- Notify the appropriate state unemployment administrator. Many states now have forms for reporting this type of fraud and most have a hotline to call. The DOL has compiled a list of those hotline numbers.
- Notify the DOL. You can use this form.
- Notify the employee. Inform the affected employee that his or her PII has likely been compromised.
- Instruct that employee. Have the employee file a police report and report the issue to the state unemployment administrator and to the DOL.
- Assist the employee. You can also provide information regarding resources for addressing identity theft. The Federal Trade Commission has a helpful website.
Notably, if you have multiple employees experiencing this issue, you should evaluate the possibility of a data incident or other unauthorized access to your systems containing employee-related PII. If you discover an incident or even a potential incident, it needs to be reported to your insurance carrier. Involve outside cyber legal counsel.
In the meantime, to guard against such incidents, employers should consider the following:
- Conduct a risk assessment and review it. A good starting point is to identify and understand where employee-related PII is collected, stored and utilized within the company. From there, you can identify corresponding security protocols—or perhaps a lack thereof—and adjust those protocols accordingly. Become aware of potential weaknesses and correct them before they are exploited.
- Ensure written policies address employee-related PII. As with any employee-related issue, sufficient written policies are key. Too often a company’s policies adequately address the security and appropriate use of customer- or client-related PII but fail to address employee-related PII. Written policies must include employee-related PII, which is often the largest source of PII maintained and used by a company.
- Remote work and personal devices. Now more than ever, employees are working remotely and accessing company documents and information through personal or quasi-personal devices. Even company-provided devices, when used remotely, are most often connected through personal networks. Companies, in turn, must ensure sufficient protocols for securing remote access to company networks. Where possible, such connections should be through a virtual private network (VPN). VPNs should be configured with multifactor authentication (MFA) as an added security layer. With MFA enabled, even if an employee’s VPN credentials are compromised, an unauthorized actor will be unable to connect through the VPN without a second factor (e.g., a code sent to an individual’s smartphone or biometric verification).
- Training and enforcement. Many employees have experienced “Zoom fatigue” at one point or another during the COVID-19 pandemic. But, with remote work becoming part of the new normal, companies need to adjust accordingly. Online training videos or sessions must reinforce security and remote-access protocols such as protecting passwords and not leaving laptops unattended. These policies and best practices should also be enforced in the same manner other company policies are enforced. If an employee would be disciplined for leaving open a door or secure file room at the office, he or she should also be disciplined for failing to secure access to the company’s electronic information, including employee-related PII.
Elizabeth Liner is an attorney with Baker Donelson in Baton Rouge, La. Zachary B. Busey is an attorney with Baker Donelson in Memphis, Tenn.