Unemployment benefits identity theft, contact-tracing scams and more

On March 22, Bob’s Discount Furniture in Bridgewater, New Jersey, furloughed one of its employees, Myra Walker, because of the pandemic. When she tried to file for unemployment benefits, she discovered that someone had already created one in her name. Walker then found that a fraudster had used her stolen Social Security number (SSN) and date of birth to file a claim on Feb. 9 and then received a payment of $464 on Feb. 15. (See Woman tries to file for unemployment but can’t. Someone else is getting benefits in her name, by Karin Price Mueller, NJ Advance Media for NJ.com, May 2.)

This case represents a serious identity theft trend stemming from COVID-19. We’ll cover it here with two additional COVID-19 related threats.

Two strikes: terminated and ripped off

COVID-19 has caused millions of layoffs throughout the world. Fortunately, many have some unemployment benefits to help keep them afloat. But this has created another opportunity for fraudsters to emerge with a scam to use stolen personally identifiable information (PII), such as SSNs, to fraudulently file for employment benefits of individuals and rob victims of expected funds.

Unemployment benefits fraud is a regular problem in the best of times. The Consumer Sentinel Network Data Book 2019 reported that government documents or benefits fraud claims totaled about 46,000 last year. No doubt, this figure will increase greatly in 2020. The U.S. Federal Trade Commission (FTC) received more than 3.2 million consumer reports in 2019 that were related to fraud, identity theft and other consumer protection topics that were sorted into 29 categories.

The problem emerges when a citizen files for unemployment benefits, and the agency tells them it denied their claim because it already received an application with their name. Even if the problem is resolved, it will create a delay in receiving approved funds.

The Identity Theft Resource Center (ITRC) provides advice for victims of this scam:

• Immediately contact your local unemployment agency to report the problem.
• Place a freeze on your credit report to prevent thieves from using your PII for other purposes.
• Monitor accounts carefully and change any online passwords.
• An identity thief might also fraudulently apply for nutrition assistance; programs for women, infants and children; medical coverage; or other benefits.

Victims should report this problem and other fraudulent scams to their local media outlets and law enforcement agencies, and submit a consumer complaint to the FTC. Victims must file complaints with the FTC because the statistics are severely understated each year.

Contact-tracing text message scams

FTC issued an alert about fraudsters generating a string of scams to steal PII from those throughout the world affected by COVID-19. (See the FTC alert, COVID-19 contact tracing text message scams, by Colleen Tressler, May 19.)

Many public health departments are hiring contact tracers to help reduce the spread of the virus. These tracers are asking those who’ve tested positive for COVID-19 to supply names and telephone numbers of those they’ve recently contacted. The tracers then text or email these individuals to instruct them to quarantine for 14 days and monitor their symptoms daily. Some governmental entities also offer texts of daily health and safety reminders to those who were exposed.

Fraudsters, of course, have found ways to masquerade as contact tracers. They send out fake text messages that ask individuals to click on links that download malware on their phones, which give the fraudsters access to PII including bank routing numbers.

FTC provides advice:

• Your phone might have an option to filter and block messages from unknown senders or spam.
• Your wireless provider might have a tool or service that lets you block text messages.
• Some call-blocking apps also let you block unwanted text messages.
• Protect your online accounts by using multi-factor authentication.
• Enable auto updates for the operating systems on your electronic devices. Make sure your apps also automatically update so you get the latest security patches that can block malware.
• Back up data on your devices regularly so you won’t lose information if a device contracts malware or ransomware.

Reduce risk of data loss and theft after layoffs, furloughs

The COVID-19 outbreak is creating risks for organizations, especially when many employees are working at home. Many at-home employees must download important business data on their personal computers and/or use laptops, notebooks and other devices owned by their employers. This increases risks of accidental or intentional data breaches — particularly when employees are laid off or furloughed. And inherent risks are accelerated if external hackers gain access to home computers.

Organizations should fine tune their risk management programs before layoffs and furloughs and implement plans to limit risks.

Mary Pratt, contributing writer for csoonline.com, provides 10 best practices from leading experts to limit risks:

1. Communication between your human resources and security staffs need to be timely and coordinated so your chief information security officer (CISO) can be sure they’re safeguarding the organization when employees leave.
2. Review your organization’s access, authorization and authentication programs in advance of terminations and ensure they have adequate controls to monitor activity and detect anomalies that could indicate data leaks, breaches or threats related to layoffs.
3. Potential layoffs should prompt your CISO to document and audit the environment to confirm they have security technologies in place to flag, report and address suspicious actions.
4. Make those security technologies work overtime by using tools to monitor activity to detect unusual attempts to view, copy or move data plus flag any attempts to access or modify systems.
5. Your security team, orchestrated with your human resources team and supervisors, needs to be ready and able to terminate former employees’ access to all systems and devices as soon as a layoff occurs. That includes shutting off log-in access and disabling key cards.
6. Work with managers and human resources to develop a strategy to ensure employees return any off-site devices to the organization, such as withholding severance pay.
7. Managers and their legal department counterparts must work together to reinforce messaging that they’ll share with departing workers, which would include a reminder about the rules the workers agreed to follow when they first joined the organization.
8. Your organization, which might have to lay off security people on your CISO’s team, must still treat them as they would others by immediately terminating their access to data and systems, and shutting down back doors they might have created as part of their duties.
9. Terminated employees shouldn’t be allowed to touch any organizational systems.
10. Managers need to consider the personal impact that layoffs take on employees, including remaining staff members who likely will be stressed and possibly angered.

Contact me

Include these scams and important information to protect your data and online identity in your outreach programs, and tell your family, friends and business associates.

As part of my outreach program, please contact me if you have any questions on identity theft or cyber-related issues that you need help on or you’d like me to research and possibly include in future columns or as feature articles. I do not have all the answers, but I will do my best to help. I might not get back to you immediately, but I will reply. Stay tuned.

Robert E. Holtfreter, Ph.D., CFE, is distinguished professor of accounting and research at a university in the U.S. Northwest. He’s a member of the Accounting Council for the Gerson Lehrman Group, a research consulting organization, and is a member of the White-Collar Crime Research Consortium Advisory Council. He’s also on the ACFE’s Advisory Council and the Editorial Advisory Committee. Holtfreter was the recipient of the Hubbard Award for the best Fraud Magazine feature article in 2016. Contact him at doctorh007@gmail.com.