Latest Threat Research: LetMeowIn – Analysis of a Credential Dumper

Get Informed


Unemployment Fraud on the Rise

What is Unemployment Fraud?

Unemployment insurance, a state-administered program that has helped countless people who suddenly found themselves without work since the beginning of the COVID-19 pandemic, is actively being taken advantage of by scammers who are looking to steal money. Unemployment Fraud is a scam that involves people stealing personal identifying information including name, Social Security Number (SSN), Date of Birth (DOB) and other information about people from all income brackets, then fraudulently creating accounts on state employment agency websites to file for unemployment benefits in the victim’s name. This is happening in every state all over the country, and now with tax season upon us, many victims are finding out about the fraud when the state government sends them a 1099-G tax form to report unemployment payments which they did not receive. This form of identity theft is becoming all too common because of the surge in unemployment at the beginning of the pandemic it made it difficult for states to verify the information of the increased number of people who were signing up for unemployment and identify fraud.

How Threat Actors are Stealing Data

To begin this fraud, threat actors will need to have access to Personally Identifiable Information (PII). This information can be obtained in a number of ways: first, threat actors can steal the information themselves through various data breaches. PII also can be procured through data leaks on forums across the Internet, or by threat actors purchasing bulk data sets from previous breaches. In a recent post on a Russian language criminal forum that Binary Defense monitors, one of the members offered a database of 1,150,450 identity records. Each record had the full name, SSN, date of birth, home address, telephone number and email address of a person.

The main piece of PII that threat actors need access to is the victim’s SSN. With this piece of information, threat actors can create accounts through the victim’s home state, giving the state the impression that the victim is signing up for unemployment benefits. After the account is created with the SSN, the threat actor will use an email address or physical address which they have access to so that they can redirect all of the information including sensitive PINs and the actual unemployment check to themselves.

It is not until the victim goes to file for unemployment themselves or receives a 1099-G tax form that they can realize what has happened.

How You can Protect Yourself

Anyone can create an unemployment account on their state’s website with their own SSN. By doing this, it allows the actual owner of the SSN to fill out all of the information on the unemployment website such as email address and physical address as well as create their own secure password for the account. This will prevent threat actors from being able to go in and register for a new account under someone else’s SSN.

Once an account is created, the owner of the account is responsible for keeping the password or PIN number safe. If the owner of the account uses an old password, it is possible a threat actor could still log in to the account and change the information. Likewise, people should make sure that their email is secure with a good password and Multi-Factor Authentication (MFA) in place to protect any emails coming to that account from the state.

After the account is created, they do not have to do anything else on the website. It is important to note that when the account is created, the creator does not need to file for unemployment themselves. By simply creating the account, the person is protecting themselves and they should not have to do anything else on the website depending on the state.

How to Know if You’ve Been Affected by Unemployment Fraud and What to Do

Finding out that you have been a victim of unemployment fraud can take you by surprise and potentially put you in a stressful situation. Fortunately, there are many resources available to help unemployment fraud victims, which we have included at the bottom of this article. The first thing someone in this position should do is report the unemployment fraud claim to their state to start the mitigation process. (Please see below for a list of contact information per state.)

How will you know if you’ve been a victim? First, if you try to create an account through your  state’s employment agency website and it states that an account has already been created. From there, you should go through the recovery steps for the account to ensure that you have not created one before. If the account was created by someone else without authorization, you should contact your state to report fraud.

Another way to find out someone has been a victim is if they receive a 1099-G tax form outlining how much in benefits they received so they can pay taxes on those benefits. If the form is not correct and the recipient is not receiving benefits, they should first contact their state. The victim should ask for a corrected 1099-G to reflect the actual benefits, if any. It is important to do this as quickly as possible because it will take time for the state to investigate.

Following alerting the state to the fraud, affected parties should check their free credit report to make sure that the filing threat actor did not open any new credit accounts with the same information that they used to file for unemployment. If someone finds out they have new credit accounts open, they should alert each credit bureau (Equifax, Experian and Transunion) to begin a credit freeze.  The three major credit bureaus are required to alert the others if they receive notification of fraud.

The next step is to file an identity theft complaint with the U.S. Justice Department’s National Center for Disaster Fraud by completing a complaint form or calling them directly. People should also consider signing up for the IRS’s Identity protection PIN program to help stop scammers from filing federal tax returns.

Binary Defense Can Help

How can you avoid becoming a victim? Unfortunately, it’s hard to trace stolen PII, or determine when or how it will be used by the threat actor. Many times threat actors who access to this type of PII do not share it publicly. PII may be sold on Darknet markets but is accompanied with a limited amount of sample data, if any.

Often times, executives of companies are targeted in these types of attacks. If a company finds out that many of their executives and employees have fallen victim to unemployment fraud, someone may be targeting their company. Binary Defense’s Counterintelligence team may be able to help in this situation. By proactively searching the Clearnet and Darknet, the Counterintelligence team is able to find threat actors that are publicly naming companies that they want to target in various attacks. If a company has already been attacked, it may be beneficial to the organization to have a deep dive investigation done into the company’s online presence on the Clearnet and Darknet. Read more on the Counterintelligence team here:

If your organization wants to have an investigation conducted into their organization’s online presence or look to see if any executives’ PII is listed online, please reach out to Binary Defense.

Unemployment Fraud Resources:

List of Unemployment Insurance Fraud Reporting by State:

U.S. Justice Department’s National Center for Disaster Fraud:

IRS Identity Protection PIN Program:

Credit Bureau Contacts: