Nick Penzenstadler, USA Today, December 30, 2020
In a Zoom session with the camera turned off, Mayowa describes how he scoops up U.S. unemployment benefits fattened by COVID-19 relief, an international imposter attack that has contributed to at least $36 billion being siphoned away from out-of-work Americans.
Mayowa is an engineering student in Nigeria who estimates he’s made about $50,000 since the pandemic began. After compiling a list of real people, he turns to databases of hacked information that charge $2 in cryptocurrency to link that name to a date of birth and Social Security number.
In most states that information is all it takes to file for unemployment. Even when state applications require additional verification, a little more money spent on sites such as FamilyTreeNow and TruthFinder provides answers – your mother’s maiden name, where you were born, your high school mascot. Mayowa said he is successful about one in six times he files a claim.
“Once we have that information, it’s over,” Mayowa said. “It’s easy money.”
Coronavirus-era unemployment fraud was first identified in the state of Washington in May and since has spread to all 50 states, skipping to new targets as government agencies plug holes exposed by the massive scams. Mayowa and his crew of foreign scammers focused in November on Hawaii, Florida and Pennsylvania.
In addition to the crushing volume of legitimate claims during COVID-19 and public pressure to speed up payments, mobile banking apps and prepaid debit cards issued by some state unemployment offices paved the way for fraud this year, security experts said.
Asked whether he feels bad about stealing from unemployed Americans, Mayowa pointed out that 70% of his peers in school are working the scams as side hustles, too.
“No, no remorse,” Mayowa said. “We don’t know them. We don’t know who they are; it’s nobody.”
States for years had prepared for low-level fraud, focusing on whether actual state residents filing for unemployment were telling the truth. The recent wave of imposter fraud – including from overseas – caught them off guard.
In Washington, alarms began flashing red for Suzi LeVine on May 12. It was 10 p.m. and the message was clear: We are under attack.
The commissioner of the state’s unemployment system knew claims were increasing as the pandemic and its economic devastation spread. But suddenly claims were 10-fold what LeVine expected.
Things got crazy quickly. Within two weeks of CARES Act funding enriching weekly benefits, $600 million had been bled from the state system – roughly 8% of the $8.6 billion paid over the summer. The state pulled the plug on all payments for two days while it struggled to figure out what was happening.
Eventually, the state’s computers started to flag anomalies: out-of-state banks, duplicate email addresses and multiple names using the same bank accounts. But there and elsewhere, antiquated state computer systems failed to flag foreign IP addresses, repeated computer serial numbers and techniques to mask that number.
Washington generally sees a few dozen fraudulent claims from imposters a year. Since March, the state has identified 122,000.
“When you consider the policy factors accelerating benefits and getting them to the neediest people and the expanded $600 available … we had the perfect storm,” said LeVine, who served as ambassador to Switzerland during the Obama administration. “They have been lying in wait for this moment.”
Washington should’ve been a wakeup call for every other state. Instead, it took some states six months or more to introduce new two-factor authentication systems and third-party ID verification tools and to block suspicious addresses. Many also began relying more heavily on a national shared database to detect suspicious actors.
A failure to move quickly combined with the ingenuity of the scammers has allowed the fraud to continue rippling across the country, contributing to delays in payments to out-of-work Americans, according to Michele Evermore, a policy analyst at the National Employment Law Project.
The Department of Labor’s Office of the Inspector General estimated in a November report that these schemes and others targeting pandemic unemployment payments represented about $36 billion in losses through November.
USA TODAY contacted unemployment departments in all 50 states to ask how much fraud had been paid out, and how much had been recovered. Of the half that responded, only eight have released the amount of taxpayer dollars they improperly paid out in fraud – a fraction of the national estimate.
Many states are reticent to discuss the situation, citing security concerns as well as difficulty quantifying what meets the definition of a fraud scheme. Some declined to even estimate loss numbers – or downplayed their significance.
Nevada officials say determining that a claim is fraudulent requires interviews with claimants and a “due process opportunity to present evidence.”
The Arkansas Division of Workforce Services “has chosen not to respond to this request,” wrote Zoë Calkins, spokeswoman for the unemployment insurance agency.
In September, the federal Labor Department gave $100 million to state systems to combat fraud. But state unemployment commissioners say they’re still chronically underfunded, working with decades-old technology that can’t keep up with increasingly complex schemes to bypass identity safeguards.
“One of the consequences of having a system that hasn’t been modernized is that it is extremely challenging to deal with the concerted fraudulent attacks,” said Rosa Mendez, a Nevada spokeswoman.
The Department of Labor, the FBI and the Secret Service say they’re working together to uncover fraud, plug holes in identity verification systems and claw back millions in improper payments.
Prosecutors have tracked down a handful of “threat actors” and “money mules” – U.S. residents who help carry out the schemes. Agari, the security contractor, estimated that Nigerians are responsible for half of all international scams that fall under the umbrella of business email compromise, including unemployment, romance and “get rich quick while you work from home” offers. About a quarter of those reach the U.S.
The goal is to recover as much of the pilfered funds as possible. Washington state, for instance, has recovered $357 million of the $600 million stolen.
Since March, backlogs and political pressure have forced the resignation of two state insurance commissioners in Florida and Oklahoma. Two others, in Kentucky and Wisconsin, have been fired.
California officials drew headlines recently for announcing they suspect as much as $2 billion was paid out in improper payments. Other states have reported lower losses: $242 million in Massachusetts, $200 million in Michigan, $18 million in Rhode Island, $8 million in Arizona and $6 million in Wisconsin.