Like many victims of unemployment fraud, Duane Thomas only learned that someone had used his identity to file for jobless benefits when a strange 1099-G tax document arrived in his mailbox last month.
He reported the mistake in an online form provided by the state Department of Labor and Employment. Within about three weeks, the state sent him a corrected 1099-G form to let him and the IRS know he wasn’t on the hook for taxes on $12,000 of benefits he never received. He also got an email from the agency acknowledging receipt.
But he’s clueless about how it could have even happened.
“I have no idea,” Thomas said.
During an online broadcast this week, officials from the state Department of Labor and the Colorado Attorney General’s office, along with cybersecurity professionals, shared what likely happened.
Thomas’ personal data and that of millions of others — including home addresses, birthdates and Social Security numbers — were compromised in recent and long-ago data breaches of well-known companies. Those range from the 500,000 guest accounts pilfered during the Marriott International data breach in 2018 to the Equifax breach of 2017, when data on nearly every American with credit was exposed.
“Now today, if you all have been paying attention to the news, we’ve had SolarWinds and Sonicwall have (data breach) issues,” said Carlin Dornbusch, president of American Cyber Security Management in Superior. “We’re still calculating the numbers in potentially the tens of thousands of businesses that have been impacted by just these two breaches alone.”
But while one can cancel a credit card and get a new one, it’s not the same for birthdates, Social Security numbers and other personally identifiable information (PII) that rarely changes.
“That PII, like gender, hair color, birthdate, those are long-lived data elements,” Dornbusch said. “That’s the metadata of the human race, so when that information is compromised, it can lead to disastrous returns as that data can be assimilated to help build profiles and then those individuals can be targeted.”
That’s why thousands of Coloradans have become victims of unemployment fraud, discovering the issue only after getting a debit card or 1099-G form in the mail, learning from their employer or even when filing for unemployment and finding someone else has used their identity.
“This is a new type of fraud. Our systems are based on the idea that a Social Security number is truly sacrosanct. It’s not known by everyone,” said Daniel Chase, chief of staff for the Colorado Department of Labor. “These Social Security numbers are no longer private data points for people. They are known to criminals, they’re known on the dark web and they’re easily accessible for people to use them for these kinds of things.”
How fraud happened
Money motivates fraudsters, said Shameka Walker, a senior attorney in ID theft program management at the Federal Trade Commission. The federal CARES Act provided unemployment benefits to a type of worker for the first time: gig workers, contractors and the self-employed, who normally aren’t covered by unemployment insurance. The CARES Act also paid a $600 per week bonus, which made backdating claims to February 2020 more lucrative. Scammers could get tens of thousands of dollars in the first payment.
“This kind of identity theft has been around for years, but because of the pandemic it’s really increased,” Walker said. “And that’s because people lost jobs, and then they got enhanced benefits, which makes it very attractive to identity thieves. Also, some states relaxed the verification process so it made it easier for identity thieves to get access to this kind of information to begin with.”
Colorado’s Department of Labor began noticing the increase in suspicious claims in June when an excessive number of Pandemic Unemployment Assistance claims were filed. While some were paid, about half were stopped, preventing $34 million in payments that month. Anti-fraud measures the state put in place prevented 30% to 50% of the false claims from being paid in July.
But there were so many suspicious claims. By January, the state said 1 million claims had been flagged for fraud during the pandemic. While $7 billion was prevented from being paid out, the labor agency said about $10 million was paid to accounts deemed fraudulent. The state is trying to recover the money.
Colorado isn’t alone.
Read more at The Colorado Sun.