Recently, there has been a widespread increase of fraudulent unemployment applications across the state and country. Unemployment benefits have become a top target for fraudulent actors and cyber criminals due to the large amount of money at stake. Unemployment programs have delivered billions of dollars in payments and with many states rushing to pay claims, payments have gone straight to direct deposit accounts.
Distinguishing between legitimate and fraudulent claims can be difficult when imposters provided the proper information. States may be particularly vulnerable as they work to rush payments to people who have lost their jobs. Many states have long built in lengthy reviews to help weed out fraudulent claims but as more people become eligible and the need for speedy payments becomes urgent, some states have had to eliminate those delays. Some workplaces have been hit particularly hard. According to The New York Times, more than 400 out of about 2,500 total employees at Western Washington University in Bellingham, Washington have been targeted with fraudulent claims. Around the country, the numbers have reached more than 36 million in the past two months.
Organizations should be paying attention to many of the same attack vectors as general identity fraud, namely open source intelligence (OSINT) gathering, phishing, and password/credential abuse. Much of the information required to perform identity fraud, guess passwords, or answer security questions is already available via public sources such as social media or organizational websites. Phishing remains a prevalent and effective way to gain sensitive information or compromise accounts, especially when time is taken to craft and tailor messages to a particular target. Additionally, weak and/or reused passwords provide an easy way for attackers to gain access to accounts containing personal information.
Below are some helpful tips to help protect against these threats. Note that none of these protections will ever be 100% effective but they do raise the bar for successful compromise and reduce the likelihood that your organization will be targeted.
Adjust privacy settings. Most popular applications and websites offer privacy settings to control what others can see. Use these to reduce personal information that is available publicly. Consider limiting information that is posted on organizational websites as well.
Use strong passwords. Long pass-phrases are often the easiest to remember and adequately safe. Make them at least 15 characters. Use numbers, special characters and spaces (when permitted). For example, the following pass-phrases would be very difficult to track but are fairly memorable: “workplace security-CRITICAL.” or “cat f00d is _awesome_”.
Use a password manager. Password managers are applications that securely store your passwords in a central location. When using a password manager, you no longer need to remember your other passwords, just the password to get into the manager. Your other passwords can be very long, completely random, and unique for every site or application you use. Password managers typically provide a way to automatically generate random, secure passwords for you so you don’t even have to come up with them yourself. Some do require subscriptions and it is important to choose a trusted provider. Below are some common choices:
- LastPass https://www.lastpass.com/
- 1Password https://1password.com/
- KeePass https://keepass.info/
Don’t use the same passwords on multiple sites. Use a password manager to help facilitate this. It limits the damage should an account be compromised.
Use Multifactor Authentication. This is no longer optional. MFA needs to be enforced on all accounts with access to personal information. It only takes a few extra seconds.
Consider an Identity Theft Protection and Monitoring Service. These services proactively monitor and notify you of suspicious activity. Some plans include insurance. There are many solutions available but below are some popular options:
- LifeLock https://www.lifelock.com
- IdentityForce https://secure.identityforce.com
- Identity Guard https://shop.identityguard.com
Resource: https://www.nytimes.com/2020/05/16/us/coronavirus-unemployment-fraud-secret-service-washington.html