Fraudsters Are Targeting Executives to Perpetrate Unemployment Fraud – Why Companies Need to Worry
Unemployment fraud is big business and it’s on the rise. Spurred by pandemic relief payments, some states are reporting a 150% increase in fraudulent claims by hundreds of thousands, costing states and the U.S. Department of Labor more than $25 billion in losses to cyber criminals scooping money out of the system that would have gone to out-of-work Americans.
A worrying fact for companies is that these fraudsters are increasingly setting their sights on bigger targets – corporate executives.
Corporate executives – a lucrative and low hanging fruit for fraudsters
Because of their high-profile positions and the potential payouts, corporate executives are a profitable target for scammers seeking to siphon billions of dollars in unemployment payments. But perhaps most significantly, there is so much personal information about executives in the public domain that it’s easy for a scammer to steal their identity and perpetrate fraud in their name.
Consider how unemployment benefit fraud works: In most states all that is needed to file for unemployment benefits is a name, date of birth, address, and Social Security number. A savvy cybercriminal can source this data with surprising ease – and it starts on the corporate website.
Executive bios on the “About Us” page have long been a known exposure. Sprinkled with personal information such as an executive’s hometown or spouse’s name they are the perfect starting point for any scam. Armed with these particulars, a fraudster might then search public data broker sites like 411.com, PeopleFinders, or Spokeo to glean more detail such as the target’s home address. A database on the Dark Web will then link that name to a date of birth and Social Security number.
That’s it, a cyber criminal has all the information they need to set up an unemployment account and file a claim.
A lack of checks and balances make unemployment fraud easy
Worryingly, there are no sophisticated checks and balances to this form of fraud. Overwhelmed by hundreds of thousands of new claims, state unemployment agencies simply don’t have the time to properly verify the accuracy of the claims.
And, unlike other forms of identity theft, credit reporting agencies or identity protection services won’t alert individuals of unemployment fraud. Once rubber stamped, the funds and contact are diverted to the fraudster or a crime ring who picks up the payment card from the mailbox, and the victim never knows what is happening.
This inability to detect suspicious actors has allowed fraud to ripple across state unemployment agencies.
It’s all very worrying for the individual, but why should companies care?
Unemployment fraud is a burden on the business – not just the victim
The only reason executives are on a fraudster’s radar is because of their status and affiliation with a particular company – and it’s therefore contingent on that company to clean up the mess.
This creates a huge diversion and liability for all facets of the business. HR and legal counsel must get involved. CISOs must determine how the fraud happened and implement mitigation strategies to ensure it’s not repeated. Reputational risk must also be managed. It’s a huge waste of time and energy, not to mention a cost burden – all those legal bills add up.
It’s an exposure that can’t be ignored. With one success under their belt, fraudsters can and are defrauding entire C-suites. In one case, the entire 20-person executive team at a life sciences company were targeted in an unemployment claim sting. Another scammer set their sights on the executives of a Fortune 500 retail store leading to time-consuming and costly intervention by legal, HR, and security teams to reverse the damage caused by the fraud operation.
One fraud leads to another
And it doesn’t stop there. Once personally identifiable information (PII) is exposed it opens executives and companies to further cybersecurity risk such as credit card fraud and even compromise of the business’ IT systems. In just six weeks, one executive became the victim of unemployment fraud, quickly followed by credit card fraud, and finally his business email account was compromised and confidential communications intercepted by hackers.
It’s a CISO’s nightmare.
For peace of mind, protection must be holistic
While there are many steps that individuals can take to clean up the mess caused by someone filing unemployment under their name. In the case of executives – whose public and personal profile is inextricably linked to the company they work for – the burden for preventing and mitigating this fraud falls squarely on the shoulders of the employer.
To protect executives and, by extension the business, companies must find ways to ensure that high-profile individuals are protected – at home and at work. This means extending cybersecurity and identity monitoring and protection for executives beyond the four walls of the office to their personal lives so that all devices are protected and the home is locked down digitally. To break the chain of fraud, they must also remove all executive PII from data broker records and monitor the Dark Web for stolen data.
Opportunistic cyber criminals are constantly evolving their tactics and techniques – making enterprises and executives more vulnerable than ever. Unemployment fraud is a significant threat that can’t be ignored.