Fleecing the States: Fraud in State-Administered Pandemic Programs

Over the past year, cyber criminals have stolen billions of dollars from U.S. pandemic recovery efforts. And these crimes are far more organized and occurring on a larger scale than anything our federal, state or local government officials ever expected. But the greatest theft is the billions being stolen from state unemployment benefit systems—systems that weren’t designed to identify or to stop this type of cybercrime. 

A Perfect Storm

A number of conditions created a perfect storm of opportunity for cyber criminals: rapidly deployed systems without proper identity verification controls; outdated state information technology systems; limited information sharing between the states; hundreds of millions of stolen identities up for sale; a brand new program for workers in the gig economy (the Pandemic Unemployment Assistance Program) that lacks the traditional adversarial safeguards of the employer-based benefit systems; and an overwhelming public demand for immediate relief that has swamped the remote-work capacities of state unemployment offices.

In one illustrative example, a Nigerian citizen used stolen identities to file fake unemployment benefits in 11 states. State auditors have, so far, tallied a total of $1.1 billion in possible imposter fraud from nearly 250,000 potentially bogus claims. What can we do to stop the bleeding and keep it from happening again?

Identify Theft is Leading Culprit

In the state and local administration of federal benefits, fraud typically occurs three ways: 1) applicants intentionally provide false eligibility information to qualify for benefits; 2) applicants provides false information to receive more benefits; and 3) identity thieves apply for benefits using stolen identities.

In a resource-constrained, remote-work, post-disaster environment (like a pandemic), these scenarios of fraudulent activity are much more likely to succeed.  In the current pandemic disaster, the largest sums of taxpayer dollars are being stolen via identity theft.

Massive quantities of stolen data are now available to cyber criminals on the dark web following a decade of large-scale data breaches. This trove of false identities now allows organized fraud rings to commit identity theft-based fraud on a breathtaking scale.

In 2020, The Federal Trade Commission received more than 394,000 complaints from consumers who said their identities had been “misused” to apply for government benefits. By comparison, the FTC received only 13,000 such complaints the prior year—that’s a jump of nearly 3,000% in just one year. And most of those stolen identities were used —you guessed it—to file for fraudulent unemployment benefits from unprepared and unprotected states.

Learning from the Past, Preparing for the Future 

Disasters often shine a light on systems and processes that were already broken. Once identified, the next critical step is repairing these weak or malfunctioning areas before the next disaster. 

No governor likes to spend taxpayer dollars on large IT modernization projects.  But neglecting these vital upgrades in the current threat environment is irresponsible.  Fraud is now being perpetrated on a larger scale by more sophisticated actors, armed with tools and a cache of stolen identities they didn’t have a few years ago. Now is the time to update the infrastructure, to leverage strong identity-management tools, to implement basic analytics tools, and to begin real-time monitoring of payments so that bad actors can be quickly identified and stopped.

Data Collection and Sharing

In the aftermath of the terrorist attacks of 9/11, many stories emerged about the missed opportunities we had to stop the terrorists before they struck — minor traffic stops, expired visas, flight school enrollments. In each case, the tragic pity was a lack of information sharing. As one NSA official lamented, “if we only knew what we already knew… so we could have done something about it.”

To stop the fraudulent or improper payment before it is made, states need to enhance the digital collection and sharing of data. The online use of a false identity is like a mask.  But there are important actions states can take to get behind that mask. Digitizing data—such as marriage records—and improving the completeness of existing electronic records at the state level are critical first steps.  Sharing that data across and among states will also greatly limit the damage that fraudsters can do. Unmasking fraudsters and sharing the perpetrators’ identity and mode of operating with other states would then prevent the sort of multi-state victimization like the one perpetrated by the Nigerian cyber criminal mentioned above. 

Going forward, sharing data like IP addresses and matching applicants with databases of known fraudsters or suspicious actors will allow states to unmask the thieves before they make a payment to them. If online retailers and financial institutions can protect us from cyber thieves, our governments should be able to do the same.