As the nation continues to grapple with the COVID-19 pandemic, including an 11.1 percent unemployment rate in June, a new threat has emerged — unemployment insurance scams.
The U.S. Department of Labor (DOL) Office of the Inspector General (OIG) is warning people of a phishing scam in which the email may appear to be from a state workforce agency, and the Federal Trade Commission (FTC) has reported that criminals are filing claims for benefits using names and personal information of people who haven’t actually lost their jobs.
The FTC notes that these criminals may be based overseas, and most people don’t know they’re affected until they receive a notice from their state unemployment benefits office or employer about their supposed application for benefits. At this point, however, the benefits typically have been paid — to an account the criminals control.
While the government investigation into these scams is ongoing, it’s clear that “the fraud is affecting tens of thousands of people, slowing the delivery of benefits to people in real need, and costing states hundreds of millions of dollars.”
The scam noted by the OIG involves phishing: a message, typically sent via email, designed to entice the recipient to “take the bait” by clicking on a malicious attachment or a link to a website that will then request user credentials or install malware.
In this particular scam, the phishing email may appear to be from a state workforce agency, and those seeking to acquire the recipient’s personal information — such as passwords, account numbers and/or Social Security numbers — may be looking to either collect unemployment insurance in the victim’s name or to change the victim’s bank account number to one of their own to collect unemployment insurance money.
The link in this phishing email sends the victim to what looks like a Microsoft SharePoint website, which further requires the user to sign in using a Google, Microsoft, Apple, Yahoo! or other user account. As the OIG notes, however, no state workforce agency requires use of a secondary account to sign in to its system. Every state workforce agency requires creation of a user account unique to its website, and while users may need to initially provide a personal email address, they won’t be asked to log on with that email address.
Training employees is the first line of defense against cyber breaches — bring all employees into your company’s cyber-defensive lineup by taking the following steps.
Assess: Evaluate your employees’ knowledge and overall awareness so you have a baseline to use when creating a training program specific to your company’s and each employee’s needs.
Inform: Increase employee awareness of the type of data an attacker can get and how that data (W-2s, for instance) might be used against the company or against their own personal finances.
Train: Inform your employees of the tactics commonly used against organizations in your industry, and show them real-life and fabricated examples of each type of attack, along with ways to determine whether an incoming email, for instance, is legitimate or an attempted cyberattack. Do this more than once a year; training should be continuous.
Test: Use simulated attacks to keep cybersecurity at the top of employees’ minds and reinforce learning — but don’t shame employees who fail (because some will). If you support them, they’re more likely to build the confidence and skills they need to improve.
Jessica Mulholland, Managing Editor, CalChamber