The Arkansas General Assembly is expected to pass legislation to forgive taxes on unemployment benefits paid to Arkansans in 2020 and 2021, in part because unemployment scams ran rampant.
Lawmakers fear a scenario in which hundreds or even thousands of Arkansans get tax bills on income that actually went to scammers instead. Many other Arkansans, the bill’s sponsors say, received the benefits lawfully but didn’t realize they would owe taxes on them.
“My phone has been ringing pretty constantly” from constituents who were victims of unemployment fraud, state Rep. Joe Jett, R-Success, told Arkansas Business. “It’s pretty significant.”
Jett and state Sen. Jonathan Dismang, R-Beebe, sponsored the legislation for the nearly 282,000 Arkansans who received $2.6 billion in state and federal unemployment benefits in 2020. For comparison, the Arkansas Division of Workforce Services paid $97.7 million in benefits in 2019, said Zoë Calkins, its communications director.
She declined to say how much unemployment fraud the division has identified or how much money has been recovered. Calkins also wouldn’t comment on fraud investigations or DWS’ tactics to stop the crime.
“While DWS values transparency, it also recognizes the risk involved, and to provide this type of detail would only give fraudsters more information, jeopardize system security and put the entire unemployment program at risk,” she said via email.
But in a news release last week, DWS said it had started an online identity verification process for those who file claims for Pandemic Unemployment Assistance. The verification process started Jan. 26 and involves claimants scanning their driver’s licenses or state-issued IDs using an online service.
The CARES Act expanded unemployment aid to people affected by COVID-19 and to those who were self-employed and normally wouldn’t have qualified for unemployment benefits under the Pandemic Unemployment Assistance program.
The PUA, however, was a favorite target of criminals.
A federal inspector general’s report released earlier this month estimated that at least $63 billion of the $630 billion in unemployment insurance program funds paid out nationally could have been paid improperly, “with a significant portion attributable to fraud.”
Some experts think the fraud is even more widespread.
“We have just seen fraud rates that are extraordinarily high, over 10 times what we typically see at federal agencies,” said Blake Hall, co-founder and CEO of ID.me of McLean, Virginia. ID.me is a federally certified identity verification company that uses a multifactor authentication system to confirm a person’s identity online.
The Pandemic Unemployment Assistance program “has fraud targeted at it at a level that’s unlike anything that I’ve ever seen in my career, and is, in fact, the largest cyberattack in American history in terms of fraud,” said Hall, who started the company in 2010. He estimates the fraud losses could be closer to $200 billion.
In Arkansas, between May and December, $313.6 million was paid in the federal PUA benefits.
The state Department of Finance & Administration projected that if the tax forgiveness legislation is approved, it will cost the state $51 million in the current fiscal year that will end June 30 and at least $3.1 million in the 2021-22 fiscal year.
Dismang said he has been contacted by a number of people who had never filed for unemployment before the pandemic hit, and some didn’t understand that they would owe taxes on the benefits. “So I think it’s the right thing for us to do to provide the relief, especially during the pandemic,” Dismang said.
How the Scam Works
In August, ID.me was hired by Florida’s unemployment benefits department, and the company quickly added several states as clients, Hall said. It’s now in 14 states with seven others under contract, but Arkansas is not one of them, he said.
Unemployment scams work when a criminal plucks a real person’s stolen data from websites that don’t appear on Google searches — the so-called “dark web,” which is part of the internet that uses an encrypted network and isn’t easily accessible. The personal information has been stolen through security breaches like the Equifax breach in 2017 that exposed 147 million American names, dates of birth and Social Security numbers.
Armed with the stolen information, criminals then follow a step-by-step diagram on how to maneuver through a state unemployment agency’s website to file a claim, Hall said.
“The organized crime rings have created these playbooks,” he said. “It’s like a how-to guide to defraud the agency.”
Once the benefits are approved, the criminals, who primarily originate in Nigeria, focus on moving the money out of the country, Hall said. The fraudsters direct the state workforce agencies to mail the debit cards to a house that has been listed for sale or one where the only occupant recently died, Hall said. Scammers will hire someone to collect the cards and transfer the cash overseas.
“If you’re going to distribute hundreds of billions of dollars, you’ve got to invest in more modern infrastructure in cybersecurity,” Hall said.
The states are in a difficult position, though, and could make two wrong choices, said Chris Kanich, an associate professor of computer science at the University of Illinois at Chicago.
They could unwittingly give money to scammers, but they could also deny unemployment benefits to someone who has a legitimate claim and desperately needs the money, he said.
“I really don’t think that these state unemployment agencies are equipped to do that kind of investigation of these large-scale fraud attacks,” Kanich said. “They just kind of have to sift through them after the fact and hope that they didn’t send any [benefits] to the wrong place.”
To reduce the fraud, ID.me uses several factors to verify a person’s identity, including matching the person with a government identification and a cellphone.
ID.me will also send a text message informing people that their information was used to apply for unemployment benefits. ID.me will ask if that was an authorized use, similar to some banks texting their customers about suspicious activity.
“So we have hundreds of ‘no’ responses per day on that text message control,” Hall said.
Fraud Expected to Continue
People often don’t discover they’ve been victims until they apply for unemployment benefits and realize someone else has already applied in their name, Hall said.
Or in some states, the workforce agency will mail letters to employers letting them know that their employees filed for unemployment. In many fraud cases, the employee is still working for the employer when the letter arrives.
A third way the crime is discovered is when the victim receives the tax form 1099-G for unemployment benefits that they never applied for, Hall said.
“So until each state has adequate cybersecurity protection, it’s not going to stop,” Hall said.