Proactive Measures to Thwart Unemployment Fraud
In the past few months, the TrustedSec Incident Response team has responded to several incidents of unemployment benefit fraud. Due to the pandemic and nationwide lockdowns, an extremely high volume of unemployment claims has been submitted across the United States. With the increase in fraud making it difficult for states to investigate, there is high confidence that the fraudulent unemployment claims are due to increased crime group activity. Issues that stem from this form of fraud can include employee information being leaked, stolen, or bought and sold within darknet marketplaces and forums.
Bank of America estimated that fraud in California’s unemployment benefits system alone could now total $2 billion in losses. Bank of America identified 640,000 accounts with suspicious activity that need to be investigated. Making matters potentially worse, multiple reports indicate that more than 533 million Facebook users were recently hacked, and their private data was released to a hacking forum. According to Business Insider, the hack affects users from 106 countries, including more than 32 million people in the U.S.
Information Gathering Methods for Unemployment Fraud
Generally, traditional forms of social engineering, such as phishing emails targeted at senior leadership, had been the main avenues of reconnaissance and attack. However, a new method has emerged. Cybercriminals now use darknet or criminal forums to sell tutorials on filing a fraudulent claim or obtaining access to taxpayers’ unemployment relief accounts.
This transfer of knowledge occurs via applications such as Telegram that provide cloud-based anonymous messaging and a repository of tips and advice. Currently, there is a step-by-step playbook that scammers can follow. Tutorials and methods related to conducting unemployment fraud are selling for anywhere between $5 and $100, depending on the targeted state. Databases of hacked information will typically charge $2 in cryptocurrency for the date of birth and Social Security number of their targets, making the overall investment very low.
To file their fictitious claims using these methods, scammers rely on targeting people who have not already filed on their own. In some cases, it’s as simple as filing a claim. In others, where the state requires additional information, they will simply use public aggregation websites such as Verified or Truthfinder to get the information they need. This can include vehicles driven, familial maiden names, locations lived, and even dating profiles. Money will then be laundered through online accounts and people with legitimate U.S. bank accounts. Because of the easy success of the fraud at scale, this method will continue to gain traction.
What Role do Employers Play?
Fortunately, of the incidents TrustedSec has investigated, all have resulted in the same findings: There was no internal compromise or compromise from an associated (cloud) service (such as ADP, Paychex, etc.) that manages employee PII. Peers at other firms have had similar findings. The core issue has resided outside of the organization’s borders, which unfortunately is something that many organizations have minimal control over. At most, the individual victims may be targeted through a spear-phishing attack, which can lead to personal information compromise.
A few actions that TrustedSec recommends to ensure your organization is on top of unemployment fraud are:
- Quickly search breaches of corporate email
It is easy to gain insight on whether employee information was leaked and where a corporate email may be in use by performing a domain-level search using the following resources:
- Work with HR on potential process improvements
Security teams should coordinate with Human Resources (HR) and Legal teams for guidance and any actions they may take. The HR team should work with and stay up to date with state unemployment offices and payroll processing firms for additional security notification or protective measures that can be implemented. Just recently, New York implemented a new tool to verify identification, for example. Many states have introduced new multi-factor authentication (MFA) systems and third-party ID verification tools to improve the integrity of the process.
- Integrate Threat Intelligence Gathering for Proactive Threat Awareness
It is recommended that organizations increase coordination with industry threat intelligence providers and various other threat-sharing groups. These resources will provide the organization with vital threat intelligence that is vetted and actionable. Leverage a third-party ‘Threat Intel as a Service’ (TIaaS) to perform the following services:
- Darknet monitoring
- Third-party data breach monitoring
- Supply chain monitoring
- VIP Executive monitoring
Establishing a robust, proactive threat awareness, monitoring, and detection capability can enable an advanced warning of leaked data or compromised PII.
What Employees Should Do
As a step to further protect the organization’s employees against unemployment fraud, TrustedSec recommends each employee create an account for themselves in their respective state’s Office of Unemployment website. Creating an account is not the same as filing for benefits, but creating an account prevents other people (ID thieves) from making a fraudulent account for the employee. If an employee attempts to create an account and the website indicates that an account already exists (that the user did not create), report this immediately to the state.
- Immediately report the issue to the state organization
- Place a credit freeze through each of the three (3) major credit bureaus
- Contact Social Security to identify protected actions
- Report to the Department of Justice
How TrustedSec Can Help
Inevitably, the question becomes: what can be done, and what can TrustedSec do to help provide evidence one way or the other? Some clients use TrustedSec to perform a Threat Hunt exercise of the systems that store the personal information to find any evidence of compromise. Threat Hunting is the process of proactively searching an organization for malicious activity that evades the detection of existing security solutions. This service includes any online services the client may use.
Where necessary, TrustedSec will also look over email activity to see if there is any evidence of a phishing attack. Even though attackers are skilled at bypassing detection devices, we find their tactics, techniques, and procedures (TTPs), helping organizations proactively stop potential incidents, including those that may assist hackers in attacking employees.