F5 Networks Inc.

01/21/2021 | News release | Distributed by Public on 01/21/2021 14:41

The Impact of (Skyrocketing) Unemployment Fraud during COVID-19

The COVID-19 pandemic has affected billions of people around the world. Aside from the virus' health ramifications, the corresponding lockdowns, travel restrictions, and closures have brought with them a tremendous economic impact. The unfortunate result of this downturn is that many are hurting financially, having lost their jobs or otherwise suffered a drastic reduction in income.

One might think that these financial hardships and significant disruptions to daily life would be enough to deal with, even as state and local governments enact programs to help shoulder the burden of these challenging times. Fraudsters, however, seem to think otherwise, and have, sadly, looked at the current pandemic as an opportunity to commit unemployment fraud on a massive scale. The pandemic has accelerated the digital shift that was already underway, presenting fraudsters with unprecedented opportunities to do harm while enterprises struggle to keep pace with the speed of the shift.

How widespread is the problem? According to a December 31, 2020 USA Today piece, COVID-19 related unemployment fraud losses totaled $36 Billion in 2020. Put another way, unemployment fraud has been rampant since the beginning of the pandemic, with virtually every U.S. state affected.

So, what exactly is unemployment fraud? While there are different types, the version seen during the COVID-19 pandemic involves filing fraudulent unemployment claims. At a high level, fraudsters use the following tactics to do so:

  • Buy stolen identities from the underground via dark web websites
  • Fill out unemployment claims using that information
  • Receive unemployment benefits to a drop account

One might ask how fraudsters are able to take these steps so easily at scale? The answer lies in the perfect storm of circumstances that facilitates this.

According to an F5 Labs blog post from May 22, 2020, unemployment fraud 'stands out from others because it requires attackers to have a legitimate social security number. Unfortunately, that's not a problem for attackers. Massive data breaches in 2015, 2017, and 2019 at healthcare providers, credit bureaus, credit card companies, and retailers (among others) compromised virtually every American's social security number.' In other words, there are a plethora of stolen identities available on the underground, and it is quite easy to purchase them.

Once the fraudster has obtained one or more stolen identities, they need to fill out a fraudulent unemployment claim. Fortunately for the fraudsters, online tutorials are available to help with this for anywhere from $5-$100. Further, fraudsters seem to be able to get away with using nearly any physical address when they file a fraudulent claim. For example, CBS Los Angeles found that uninhabited mansions that were for sale had hundreds or even thousands of fraudulent unemployment claims with those properties as the physical address on file.

Add to the mix that states are overwhelmed and under-resourced to handle the uptick in unemployment claims, never mind identify inconsistencies that would be indicative of fraud, and we see that COVID-19 has created a unique opportunity for unemployment fraud. Most states do not have controls in place that would prevent fraud, have little to no fraud detection capability, and are under intense pressure to pay first and ask questions later.

In our research, we have found that the following behaviors across the following categories are indicative of unemployment fraud:

o Recognizing devices and digital users online

o Unusual time zones

o Multiple users logging in from the same device

o Unusual countries

o ASNs located in hosting environments

o Unusual time zones associated with US ASNs

o Transactions via VPN, anonymizing proxies, or other technologies designed to hide or spoof environments

o Multiple transactions of the same type from the same device

o Previously unseen, unique browser fingerprints

o Minute changes in the device's integrity, identity, and legitimacy detected through browser interrogation

o Typing patterns, such as the keys pressed, typing speed, and suspiciously large amounts of copy and paste, including into first name and last name fields

o Browser window occupying only a part of screen real estate (likely indicating that a text file-the source for copying and pasting-is open beside it)

o Mouse movement from text input fields to outside of the browser (likely indicating copying and pasting from a text file open beside the browser window)