Identity theft is a growing problem and has exploded with the onset of the COVID-19 pandemic. The Federal Trade Commission recently reported that identity theft reports totaled almost 1.4 million in 2020, an increase of more than 100% from 2019.1
Much has been written about identity theft involving credit card and other personal financial information.
However, as a result of the pandemic, in 2020 cyber criminals stepped up with a wider variety of activities preying on individuals and businesses. Ransomware attacks on businesses and a variety of methods to access personally identifiable information are on the rise. These activities are monetized through collection of untraceable ransomware payments using digital currency, and sales of confidential data on the dark web.
A newer and rapidly growing cybercrime problem has been unemployment insurance fraud. Unemployment insurance claims are submitted to state departments of labor. A February alert memorandum issued by the Office of Inspector General (OIG) for the Department of Labor (DOL) shared some alarming statistics about the expansion of fraudulent unemployment insurance claims filed since passage of the CARES Act. The OIG investigation identified at least $5.4 billion in fraudulent claims, and the memorandum states that total fraudulent claims are likely much higher. California alone reported that at least 10% of all claims since the pandemic began were fraudulent, totaling $11 billion.2
The American Rescue Plan Act of 2021, recently signed into law, will further extend and increase some unemployment insurance benefits.
Criminals exploit design weaknesses in the online processes used by states to allow individuals to apply for unemployment benefits. While the information needed to apply for benefits in each state varies, in general the only information required is an employer name and a match of the applicant’s name and social security number, and in some states, their driver’s license number. Criminals likely cannot determine with certainty the past employers of the individual whose name they are using in the application. However, this type of data is available for purchase on the dark web.
The fraudsters also use combinations of data to file many applications in the hope that some of them will contain matching data, thus allowing unemployment benefits to be collected in the name of the applicant. Once the state initiates claim processing, a notice is submitted on behalf of the applicant to the employer named in the application. Unless the employer responds to the state and advises that the claim is fraudulent, such claims are processed, resulting in payments to the accounts of the individuals submitting the claims – in this case, the fraudsters.
Individuals who are victims of this type of fraud typically first learn of the fraudulent claims upon receipt of correspondence from a state workforce agency regarding unemployment, or when their employer informs them that they received an unemployment claim filed under their name and social security number. In some cases, first notice comes in the form of IRS Form 1099-G, listing unemployment compensation received by them in the prior tax year. That’s when the headaches and worries begin.
The process for addressing identity theft and reclaiming personal identity can be daunting. While the IRS web page discussing this problem includes recommended steps for follow up3
, the actual execution can be complicated and time consuming, as each state has a different process for reporting these matters. Further steps must be taken to both determine if other identity theft activities have occurred, and to protect the credit and identity of the individual.
As such, some victims of identity theft engage the services of remediation specialists to assist them in responding to these situations. Companies that specialize in investigating and remediating identity theft employ case managers to perform these services. Before engaging such services conduct your own due diligence. Case managers should have extensive related training and have completed the Fair Credit Reporting Act (FCRA) Basic Certificate Program offered by the Professional Background Screening Association (PBSA), a non-profit trade association serving the background screening service industry4
. This training covers the accuracy, fairness, and privacy obligations of credit reporting agencies under the FCRA.
Responding to a personal identity privacy breach can be stressful, time consuming and may require specialized knowledge and expertise. Many CPAs feeling the crunch of imminent and changing tax deadlines as well as demanding clients and personal issues will simply not have sufficient time to remediate a privacy breach, whether arising from unemployment fraud or another type of identity theft. Further actions are required to ensure that fraudsters won’t use the personal information they gathered to commit additional frauds. If you are considering engaging a privacy services provider to assist you in this process, investigate their qualifications and resources. The provider should be able to help you manage the entire remediation process, providing you with the peace of mind to focus on managing your practice.
This information is provided for general informational purposes only and is not intended to provide individualized business or legal advice. You should discuss your individual circumstances thoroughly with your legal and other advisors before taking any action with regard to the subject matter of this article.
Aon Insurance Services is the brand name for the brokerage and program administration operations of Affinity Insurance Services, Inc., a licensed producer in all states (TX 13695); (AR 100106022); in CA & MN, AIS Affinity Insurance Agency, Inc. (CA 0795465); in OK, AIS Affinity Insurance Services Inc.; in CA, Aon Affinity Insurance Services, Inc., (CA 0G94493), Aon Direct Insurance Administrators and Berkely Insurance Agency and in NY, AIS Affinity Insurance Agency.