With US unemployment threatening to reach its highest level since the Great Depression, hackers around the globe are using stolen personal information to file fraudulent benefits claims and steal millions of dollars destined for jobless Americans.
The Secret Service confirmed to The Register it has received reports of criminal gangs outside the States obtaining personal records and login credentials harvested from other hacked or leaky databases, and using that info to make unemployment claims on behalf of Americans, then pocketing the payouts via money mules.
It has not been reported where the pilfered personal data enabling this came from, though stolen credentials are not particularly hard to find online, and the personal info needed to file a claim would be virtually identical to that of a fraudulent tax return – another common form of online government fraud.
"The United States Secret Service Global Investigative Operations Center along with our Electronic Crimes Task Force partners have identified criminal actors targeting state unemployment insurance program funds," the agency told The Register.
"Criminals will use stolen personally identifiable information to file fraudulent state unemployment claims. Crooks will then use social engineering techniques to recruit unsuspecting individuals to launder illicitly obtained funds in order to conceal the identity, source and destination."
Think before filling in that convenient flight refund form with all your delicious details – there's a scam going aboutREAD MORE
This comes after a report by the New York Times that a Nigerian fraud group was behind one of the largest such efforts. The fake claims are estimated to have easily reached into the millions of dollars and, we're told, could end up being in the hundreds of millions.
The crooks are focusing on the unemployment departments for a number of US states, mainly Washington state which has been hit particularly hard by the COVID-19 virus outbreak. Also targeted were Florida, Massachusetts, North Carolina, Oklahoma, Rhode Island, and Wyoming.
The Secret Service does not comment on active cases, but did say in general it was looking at coronavirus-related financial scams.
"The Secret Service and our law enforcement partners will continue to work with the financial institutions and the state unemployment offices to pursue investigative leads associated with state unemployment identity theft," the agency said.
"The Secret Service’s primary investigative priorities are to mitigate any attempts by criminals that target citizens for identity theft and cyber-enabled crimes as it relates to COVID-19."
That such attacks are successful shows just how bad unemployment has become amid the pandemic.
While credential-stuffing attacks are nothing new, these sort of tactics would have had a low chance of succeeding during normal circumstances. The fraudster would have to hope their victim was eligible for unemployment payments to claim any money, and the US's unemployment rate was less than four per cent pre-pandemic.
However, with tens of millions of adults suddenly out of work – and perhaps soon as many as one in four jobless – and looking to file for unemployment benefits, lists of stolen credentials and personal info that previously may have had little to no matches could turn out to be far more lucrative for the bad guys. ®