As we have noted in prior alerts, cybercrimes and identity-theft scams have significantly increased during COVID-19. One scam that has seen a particularly strong uptick recently involves the filing of false unemployment claims. Specifically, criminals utilize stolen private information to file unemployment claims on behalf of employees, including, in most cases, employees who are still actively working, and then redirect payment to the criminal’s accounts.
This is a very prominent scam right now across the country due to the exponential increase in unemployment claims resulting from the pandemic. The associated strains on employees, employers’ administrative and human resources personnel, and government agencies that administer unemployment benefits has made this another opportunity for cybercriminals to exploit during the pandemic.
For employers and employees who become aware that they have been the target of this scam, there are important steps to take to make sure the scam does not have long-term effects on the employer or employee.
First, if you become aware of this, or any, scam involving any of your employees, work with your IT department, IT service provider, or information security specialist to check your systems to ensure there is no unusual activity on your systems. For the most part, this scam is the result of employees’ personal information being available to criminals as a result of numerous data breaches (for example, the Equifax data breach that occurred in 2017 and exposed the personal information of 147 million people).
Nonetheless, it is best to assess the security of your systems to ensure criminals are not somehow “lurking” on the system. In this regard, a 2019 study of data breaches conducted by IBM and the Ponemon Institute found that the average time to identify a data breach is 206 days. In other words, for the average data breach, cybercriminals have access to the victim’s computer systems for over six months before they are detected. Accordingly, if there is even a hint that your system could be compromised in some way—including if a number of your employees have these false unemployment claims filed—it is important to make sure your systems are not compromised.
Other important steps and suggestions for responding to this scam include:
1. The employer and employee should contact the Department of Labor to challenge the unemployment claim and report it was a fraud claim. The Departments of Labor in New York, Connecticut, and Massachusetts all have webpages for reporting fraud. For employers, filing these fraudulent claims can impact your unemployment rating and lead to increased future costs. For employees, unemployment benefits paid in their names could impact income tax obligations.
2. The employer or employee should also submit a fraud report to the FBI or Secret Service. Note, law enforcement members are very aware of this scam and there’s nothing extra they will likely be able to do for your specific case, but the reporting is still important for law enforcement tracking purposes and could be important to both the employer and employee down the road.
3. Affected employees should check their credit reports and either put a fraud alert or credit freeze in place to prevent identify theft. A fraud alert conveys a special message to anyone requesting your credit report that you suspect you were a victim of fraud. When you or someone else attempts to open a credit account in your name, the lender should take measures to verify you’ve authorized the request. A fraud alert shouldn’t stop you from using your existing credit cards or other accounts, but it may slow down your ability to get new credit. An initial fraud alert is valid for 90 days, but can be extended. A credit freeze completely restricts access to a credit report in certain situations. After receiving your freeze request, each credit bureau will provide you with a unique PIN or password that will be required to “unfreeze” your credit if you wanted to open a new account or obtain a new loan. A credit freeze can remain in place indefinitely.
The Federal Trade Commission published some FAQs regarding fraud alerts and credit freezes, and you can contact Equifax, Experian, or TransUnion to place a fraud alert or credit freeze on your credit reports. The agency you contact will notify the other two on your behalf.
4. For employers that may want to be more proactive, you can convey a message to all employees to be wary of the scam, emphasizing (once it is confirmed) that the scam is not related to the employer’s systems and encouraging all employees to check their credit reports for unusual activity—which is a good idea for everyone given the proliferation of cyber scams during the pandemic.
Lastly, as always, it is good to remind everyone to practice good “cyber hygiene,” including:
- Ensuring your company has appropriate information security policies and a data breach response plan, and that all employees are aware of the requirements of those policies or plan
- Not clicking on links in emails that look suspicious, that are not expected, or that purport to require urgent responses
- Never entering credentials or personal information through email links; rather, go directly to the official site and logging in to any accounts or systems through the site
- Being extra careful in responding to emails that are related to financial transactions, request details concerning financial transactions, or request any sort of payment on an urgent basis—especially where payment instructions are changed at the last second
- Ensuring employees are using strong passwords, secure networks, and, whenever possible, VPN connections, encryption, and dual-factor authentication
- Avoiding linking any personal accounts—Amazon, Netflix, Apple, etc.—to work email accounts. Instead, any personal services should be linked to a private email account. This way, if you receive an email on a work email account claiming to be from some service due to an issue with your account, you’ll know right away that it’s a scam and won’t jeopardize the company’s systems. Of course, as noted above, any emails going to a personal account should always be viewed with suspicion, and the best practice is to log in through the official site to determine if there is, in fact, any issue with an account.
If your company is exposed to this or any other cyber scam or cyber incident, Barclay Damon’s Cybersecurity Team is available to assist you.
If you have any questions regarding the content of this alert, please contact Nick DiCesare, Cybersecurity Team leader, at ndicesare@barclaydamon.com or another member of the firm’s Cybersecurity Team.