What I Learned from My Own Unemployment Scam

After a scammer filed for unemployment in my name, I did some detective work to take back my account. Here’s what I learned from my own unemployment scam.

The letter from the state Unemployment Security Department (ESD) told me I was unemployed.

I should keep looking for work, the letter reminded me, if I wanted to remain eligible for unemployment benefits.

Look for work?

Unemployment benefits?

Wait a minute: I count myself as one of the lucky ones who still has a job during the biggest employment crisis in my lifetime.

While I felt lucky to still have a job, it quickly became clear to me that I was among the millions of people whose personal information—likely name, birthdate, and Social Security number—had been used to submit an unemployment claim. I was part of the biggest unemployment scam in history.

One of Many Pandemic Scams

The scam was the work of “Scattered Canary,” an international cybercrime gang tracked and named by security firm Agari. Reported widely in state and national newspapers, this scam is just one of many attempting to take advantage of people’s vulnerability and distraction to bilk them or the taxpayers out of their money.

Other scams use COVID-19 scare tactics to get people to click phishing emails or send text messages warning that a person has been exposed to someone infected, preying on the lack of certainty around contact tracing apps.

FREE KIT

Coronavirus Phishing Awareness Kit

Download a free bundle of resources to help communicate the threat of coronavirus scams to your employees.

Access Kit

How the Unemployment Scam Works

But the unemployment scam is particularly hard to avoid, since it starts largely out of a person’s view and takes active intervention to arrest.

Here’s how it works: using personal information leaked in an earlier breach (easily accessible on the dark web), scammers create an account at the state unemployment office in your name and communicate using a fake email address. In just a few minutes, they submit a claim for your unemployment check and the fat federal CARES Act payments available right now.

According to Washington ESD Commissioner Suzi LeVine, scammers had made off with “hundreds of millions of dollars.” Legitimate claimants were left waiting for their checks due to the enhanced verification measures put in place once the scams were discovered.

I've Been Pwned

Scams like this piss me off. They waste taxpayer dollars in countless ways and cause the impacted people tons of stress.

But this one pissed me off even more because it felt personal.

I knew my personal details were out there, thanks to past searches on https://haveibeenpwned.com/. But I don’t generally worry about getting my identity stolen. I figure I’ve got safeguards in place: my credit is frozen, and I use my password manager as regularly as I brush my teeth. I figured I was protected—and it made me angry to find out I wasn’t.

The first thing I did was file a fraud claim at the ESD site. This would lock my account and keep claims from being paid in my name. That was a good start—but I dug deeper.

I went to the state ESD site to see if I could create my own account. No surprise, an account had already been created using my Social Security number. What was a surprise was the email address associated with “my” account.

Here’s what the ESD website told me:

I don’t have a “Yopmail” account, of course. And what the hell is yopmail anyway?

My next stop was Yopmail.com, where I learned it was a site where you could create disposable and free email addresses. I also learned you could simply enter your username to see the email you received—no password required. And when I entered my name before yopmail.com, there it was: a whole string of communication documenting the claims filed in my name.

Taking Back My Account … Eventually

It quickly dawned on me: with access to this email address, all I needed to recover my account was to get the password, which was as close as the “Recover Account” button on the notification.

I went through the steps easily—after all, the details they asked about were all about me—and soon I had a password recovery email in my yopmail inbox. Victory!

Sort of.

In truth, I’m not sure yet whether I’ve done more harm than good. I probably disrupted this hacker’s attempt to get money in my name. But this suspicious activity on my account—some of it my suspicious activity—meant that my account was now locked, so in truth I wasn’t in control of it at all.

A few days later, I received the first response to my fraud report. They had received my claim, they said, but processing it would “take time.” Here’s hoping that I wouldn’t need to file a real unemployment claim in the meantime!

Lessons Learned

Though the saga of my unemployment claim fraud isn’t yet over—we’ll see how the fraud resolution process works out—it’s not too soon for me to reflect on a couple lessons learned.

Own Your Accounts

One sure way I could have avoided being scammed (or rather, letting scammers claim money on your behalf) is to have owned my account in the first place.

I’d suggest to anyone that they establish an account with their state agency now. If I had done that, it would have been the scammer getting refused access, not me. The state employment in your state will have information on how to establish an account, and you can do something similar at the federal level.

Take Quick Action

The moment you suspect fraud, act as quickly as you can to report it.

Many major government agencies and financial institutions have dedicated fraud hotlines or online services, and they may also suggest that you make a report to your local law enforcement agency. If you take quick action, you might be able to avoid the nightmare of full-blown identity theft.

Protect Your Credit

Freezing your credit at all three credit agencies is a simple (and free) act that can prevent anyone with access to your personal information from opening up an account in your name. You’ll need to learn a few tricks to unfreeze your account when needed, but it’s well worth your time.

Protect Your Credentials

Protecting your credentials is one of the basic things you can do to stay safe from hackers. Using unique passwords everywhere is easy when you use a password manager, and adding multi-factor authentication is advisable whenever possible.

Don’t Be Afraid to Hack Back

Detective work is not just for Sherlock Holmes. With just a little internet sleuthing based on scant clues, I was able to take back the keys to my ESD account. Granted, the scammer’s work here was pretty sloppy.  But my little bit of sleuthing may have kept the scammer from being paid and it sure made me feel more in control.

This last one—hacking back—may not be for everyone, but there’s no reason you can’t use a little critical thinking and awareness to protect yourself (and your fellow taxpayers) from unemployment scams.

CONFESSIONS OF AN AWARENESS NERD

Like What You Read?

Check out more content from Tom Pendergast on his blog Confessions of an Awareness Nerd.

Explore the Blog

Share this Post

;