Pandemic Unemployment Scams Made Easy

In recent months, there have been many different economic effects of the COVID-19 pandemic. In the cybersecurity world, we have seen an increase in attacks against collaboration tools, more ransomware attacks, healthcare data privacy and compliance issues and more.

Cybercriminals constantly seek innovative ways to profit off of global events, and the ongoing pandemic significantly increases the scope of an already large attack surface: unemployment scams. In this blog, we will take a look at how cybercriminals use OSINT (Open Source Intelligence) as well as multiple underground offerings to target unemployment benefits.

The current unemployment numbers in the US are staggering, creating a major burden on the supporting systems, the personnel and the processes that go along with identifying and validating each claim. This “opportunity” did not go unnoticed by different threat actors, who were quick to identify the potential.

Cybercrime forums are known for their collaboration and discussions. IntSights researcher Yoav Harpaz Cohen has witnessed multiple discussions surrounding unemployment benefits, the regulations that each state has in place, and how to go about successfully claiming the benefits.

The thread pictured below on the left elaborates on the different pandemic unemployment assistance (PUA) benefits provided, listing state-by-state minimum and maximum payouts as well as providing links for filing the claims. On the right, we see some participants looking to collaborate on scamming the system by using different drops (mules) to assist in the process.

These types of scams are made possible due to the vast amount of OSINT data available for attackers (more on that in a bit). Different types of scams may require different types of operatives, and the cybercriminals are recruiting due to demand.

Once the cybercriminal has a target, they must collect the data needed to complete the PUA request form. In most cases, the attacker will use a combination of OSINT and data which is up for sale in underground forums to conduct Synthetic ID Fraud (SIF).

SIF involves the attackers using data such as SSN, addresses, and names (real or fake) to create a new (synthetic) ID. Using this new ID attackers can perpetuate different fraud schemes including unemployment and benefits collection from the government. The US Government Accountability Office quotes a panel on the topic in which one participant estimates that a single state lost more than $200M in SIF.

In other cases, the attacker can buy a complete FULLZ database from different cybercrime vendors. These are not just offered on English speaking sites, several detailed databases are offered in closed underground Russian speaking forums.

Additional vendors from the dark web also provide forged identities, physical and/or scanned.

IntSights researchers have seen this type of data being used to file claims for PUA, using real people’s data including cases of C-level executives (who have not filed for such a claim). Once the claim is filed the attacker needs to opt for a payment method. In California, for example, there are two options: EDD debit card or direct payment to a financial institution of choice. The threat actor will likely choose the second option and set up a fake bank account for the scam.

While the state of California does employ an anti-fraud measure (a notice of unemployment insurance form to verify an unemployment claim with the past employer), there are several flaws with this approach:

  1. It requires the employer to reply within 10 days, but even if they do not, the claim proceeds.
  2. It is possible that the state is not keeping up with this practice due to the pressure from the sheer volume of requests and thus, no verification is being done.
  3. Employers may be short-staffed and cannot respond to the unemployment agency on time or at all. There is no set policy in the workplace regarding the treatment of this claim.As the fraud does not hurt the employer directly (the state and the employee get hurt the most), there is no incentive for them to respond on time.

The COVID-19 pandemic is far from over. Threat actors are collecting, buying, and selling data and are educating and collaborating with each other to profit off this worldwide crisis. With current government systems stressed to their limits, this type of fraud is becoming easier and more profitable for cybercriminals.

To learn more about the cyber threat landscape pertaining to COVID-19, read our research report.

Download Your Copy

Stay up to Date!

Subscribe to the blog to stay up to date with all the latest industry news and updates from IntSights.