En español | Kayla Cheatwood, 74, was stunned by the letter that arrived July 6. It said the Arkansas woman had applied for unemployment benefits—though she had not. The letter listed a trove of her personal information, including name, earnings, date of birth and Social Security number.
In a heartbeat, Cheatwood called the Arkansas Division of Workforce Services, which handles jobless claims, saying: “I'm a little panicky. Something crazy is going on here."
The “crazy” was that the agency's computer system had been hacked, Cheatwood's identity had been stolen, and a sham jobless claim under her name had been filed online.
A business owner, Cheatwood is not alone in becoming a target of the money-hungry thieves going online to make fake jobless claims with victims’ pilfered personal data. Such claims involve hundreds of millions—if not billions—of dollars, according to Maryland Gov. Larry Hogan (R).
Hogan announced Wednesday that state and federal officials had uncovered that a massive, sophisticated criminal enterprise was behind more than 47,500 fraudulent unemployment claims totaling more than $501 million in his state. Those claims were not paid. Hogan said his state's quick action helped federal authorities uncover “related illegal activity in states across the country."
FBI nationwide alert this month
On July 6, the day Cheatwood got the worrisome letter, the FBI alerted the public about a spike in phony claims filed using stolen identities. The bureau urges people on the lookout for suspicious conduct.
People in several states “have been victimized by criminal actors … using the victims’ stolen identities” to submit fraudulent claims, the alert says.
At the FBI, Steven Merrill, chief of its Financial Crimes Section, tells AARP that the threat posed by these criminals is “pervasive” and every state is potentially at risk. He is a 29-year veteran of the bureau.
"There's not a quote-unquote ‘hot spot.’ They're all hot spots,” Merrill says. Noting that multiple states were involved, he declined to identify them.
"We—the FBI—along with our partners are working with the states and trying to get to the bottom of who perpetrated these frauds, and we're trying to stop them,” he adds. Merrill did say that foreign internet protocol (IP) addresses had turned up during the ongoing investigations; these numerical labels are assigned to devices on computer networks.
The FBI's allies include numerous government, law enforcement and financial-sector partners. “I really want the public to understand that we do these things as a team,” says Merrill, who expects down the road there will be criminal charges for illicit conduct including wire fraud, identity theft and computer intrusions. Filing a false unemployment claim in itself is a crime.
These alarming trends come as joblessness has reached heights not seen since the Depression. More than 50 million Americans have filed first-time claims for unemployment benefits during the pandemic, so the crime wave is taxing already heavily burdened state unemployment offices.
In addition to Maryland, Washington state has been a prime target of the identity thieves making bogus jobless claims, and attacks also have occurred in Arizona, Florida, Hawaii, Maine, Massachusetts, Pennsylvania, North Carolina, Ohio, Oklahoma, Rhode Island, Wisconsin and Wyoming, news accounts show.
Meantime, Colorado, Illinois and Kentucky have warned unemployment claimants that their personal data may have been exposed in data breaches.
The outlaws obtain stolen personal identifiable information, or PII, in many ways, the FBI alert says. Some is purchased online; some was disclosed in data breaches, computer hacks, or cold calls in which bad actors impersonate others.
Other techniques: Email phishing schemes; stealing data from people or third parties; and data mining public websites and social media accounts.
Cheatwood was fortunate in that she opened the July 6 letter right away and promptly told state officials, filed a police report, alerted her bank and froze her credit at the three major credit bureaus. Then she took more steps to protect her online accounts. “It was a little scary,” she tells AARP. “I think I've got it all taken care of, the good Lord willing."
Delays in spotting identity theft
Other victims may not immediately learn that they've had data stolen and fake jobless claims have been made in their names. According to the FBI, some people whose identities have been hijacked don't know until they:
- file for unemployment benefits
- hear from their employer that a claim has been filed—even though they're still on the job, or
- receive IRS Form 1099-G, which specifies unemployment compensation received in the calendar year.
Be on the lookout
The FBI says people should be on the lookout for these suspicious activities:
- Communications about unemployment insurance forms when they have not applied for benefits
- Unauthorized transactions, on bank or credit card statements, tied to unemployment benefits
- Requests for the payment of fees to file or qualify for jobless benefits
- Unsolicited inquiries about jobless benefits
- Fictitious websites and social media pages mimicking those of government agencies
Protect Yourself From Identity Thieves
There's a lot to digest, but here's how FBI official Steven Merrill boils it down when speaking to his family: “Don't ever reply to an unsolicited communication whether it be email, social media or phone call and provide any PII under those circumstances."
- Be wary of requests for your personal identifiable information (PII), such as all or part of your Social Security number. Such requests come in phone calls, text messages, letters and emails and via websites.
- Be cautious with emailed attachments and embedded links, especially when the sender is a stranger.
- Monitor your bank accounts regularly and request your credit report to look for fraud.
- Immediately report unauthorized transactions to your financial institution or credit card issuer.
Here’s more on how fraudsters obtain PII—and how to stop them in their tracks:
- Avoiding Social Engineering and Phishing Attacks
- Protecting Against Malicious Code
- Preventing and Responding to Identity Theft
Tell authorities straight away
If you suspect you are a victim, immediately contact the three major credit bureaus to place a fraud alert on your records. Additionally, tell the Internal Revenue Service by filing an Identity Theft Affidavit (IRS Form 14039 on irs.gov) or identitytheft.gov.