25 Investigates: Fraudsters ‘taking over’ legitimate unemployment accounts, siphoning funds

BOSTON — A year into the pandemic, fraud continues to dog the Massachusetts Department of Unemployment Assistance (DUA).

25 Investigates uncovered a new way scammers are targeting the agency and stealing much-needed unemployment benefits. It’s known as ATO in the cybersecurity world and it stands for Account Take-Over. That’s when fraudsters take control of an account that does not belong to them and redirect the funds.

This type of fraud is typically associated with credit cards and bank accounts. And, as investigative reporter Ted Daniel found, it’s now being used to target unemployment claimants.

“I was supposed to get my deposit last Tuesday, and it didn’t hit my account,” Sara Marino, a single mother in Foxboro, told 25 Investigates this week.

When Marino called the state unemployment office to find out what happened, she said the customer service representative initially had trouble finding her account in the system. Turns out, all of her personal information had been changed and her money was redirected to a Green Dot debit card.

“I had a legit claim, my legit claim, and then somebody went into the system and changed my banking information, my email and my phone number. It’s not good,” she said.

Marino, who was interviewed by 25 Investigates last year when she was unable to sign up for benefits, provided our team a screenshot of her unemployment account after it was compromised showing the bank name on the account as Green Dot Bank.

“I said, ‘I don’t know what that is.’ They said, ‘It’s a bank.’ And I said, ‘Well, I’ve never heard of it,’” she recalled. “So I actually went into my account, and I saw that the person, whomever had changed it, had left the banking information there.”

As 25 Investigates reported last July, Green Dot debit cards have been used by international scammers to file fraudulent unemployment claims.

>>>MORE: Stimulus update: Millions of checks deposited Wednesday; what to do if you don’t get yours

“There’s really two types of major fraud occurring right now in the unemployment insurance system,” said Jon Coss, founder of Pondera Solutions, a cybersecurity company focused on fraud in government programs, and also vice president of Risk, Fraud, and Compliance at Thomson Reuters. “One is for initial applications. The second type of fraud that’s occurring is account takeovers.”

According to Coss, the vast majority of unemployment fraud is committed by criminal networks overseas. He added that, as states get better at detecting fraudulent applications from entering their systems, criminals are targeting existing accounts instead.

“We’ve seen a lot more chatter and even state-by-state how-to kits on the dark web that explain exactly how to defraud state unemployment insurance programs. We’ve seen, for example, in one state where there were 6,000 payments made to a single mailbox,” he said.

Personal information is required to take over an account. But with billions of files from previous data breaches available on the dark web, accessing that information is not difficult, Coss said. Earlier this month, the DUA announced new security measures were added to speed up identity verification and protect existing accounts.

For Marino, the new measures came too late. She told 25 Investigates that multiple deposits posted to her unemployment account on March 9, just days after the new measures were announced. It’s unclear when her account was redirected to Green Dot.

She said she’s still waiting to get back control of her account.

“You do this to somebody who is in a worse situation, a terrible situation; like they have no job, three kids and [are] a single parent. That’s not okay. It’s not okay to do that to somebody,” Marino said.

Residents can protect themselves from account takeovers by taking the following steps:

  • Use different complex passwords for all of your accounts or password management tools
  • Choose multi-factor authentication when available
  • Limit who you share your account information with
  • Don’t open suspicious links