May 21, 2022

Visa sees spike in unemployment insurance fraud on prepaid cards

Since July, Visa has noticed an uptick in unemployment insurance fraud with prepaid cards being used as a key disbursement vehicle. And the best solution may be rooted in technology, not law enforcement.

In addition to Visa, state and federal agencies have also been issuing warnings to consumers, employers and unemployment agencies to be on the lookout for fraudulent claims. The Office of the Inspector General, a unit of the Department of Labor, estimated in June that $26 billion in federal supplemental unemployment insurance spent this year will be lost, mostly to fraudsters. This doesn’t include fraud losses at the individual state level.

The claims being filed by fraudsters run the gamut of impersonating real out-of-work consumers, real people actually still employed and synthetic identities created by fraudsters that mix aspects of real, personal identifiable information (PII) with fraudulent data. One key aspect that is making the insurance fraud so costly is the ease and speed with which criminals are able to monetize the theft, through the use of prepaid cards.

Once a fraudulent unemployment claim is approved, “the final step is to monetize the theft,” said Tia Ilori senior director, fraud and breach investigations at Visa. “It starts with getting a prepaid card mailed to them or downloading a virtual card for the benefits and then buying things such as gift cards, cryptocurrency, etc. Sometimes we see the entire benefit spent in a day or two when it should last a person a whole week, since these are weekly benefits.”

The losses across states are mounting into the billions of dollars. The State of Maryland announced in July it had uncovered a scheme to steal $501 million in unemployment insurance. The State of Washington announced it has been attacked by fraudsters, leading to potential losses of up to $650 million. The Montana Department of Labor has reported it stopped $220 million in fraudulent claims. Additionally, the New York Department of Labor announced in August that it had stopped more than $1 billion in losses from 42,200 fraudulent unemployment insurance claims since mid-March. It is unknown how many fake claims were approved in New York, but one thing is apparently clear — the criminal opportunity is big. Colorado also announced that it had stopped upwards of $1 billion in false claims.

“The fraud problem exists because state agencies are using older authentication methods that fraudsters can get around,” said Richard Crone, principal of Crone Consulting. “While agencies are overwhelmed with claims, the problem isn’t the back-end processing. It’s authenticating the applicant and providing funds through a more secure method, such as mobile payments. If state agencies leveraged someone else’s network such as Venmo [PayPal], Zelle or Apple Pay, they would then have someone who is already pre-validated and has gone through the KYC checks.”

Visa reported that it is working with state unemployment agencies to spot potential fraud through spending patterns. However, that may not be enough as the opportunity is too lucrative to keep fraudsters and other “bad actors” out of the game with so many millions of unemployed Americans filing claims.

In July, the Federal Bureau of Investigations (FBI) issued a press release that noted it was seeing a spike in fraudulent unemployment insurance claims filed using stolen identities.

The Federal Trade Commission (FTC) also issued two warnings this summer about the problem. This first was a warning to consumers and employers about scammers applying for unemployment insurance on behalf of real unemployed persons. The second FTC warning was that the unemployment fraud is putting consumers at additional risk of ID theft which could lead to other impacts such as credit card fraud.

Visa’s Ilori noted that the level of due diligence does vary state-by-state, with some being more thorough than others. Fraudsters share this information among themselves so that they can target the easier state agencies as victims.

One ruse scammers favor is phishing emails that offer to help potential victims speed up the process of collecting unemployment insurance. All that is needed is for a victim to hand over his or her PII data. As millions of Americans already live paycheck-to-paycheck and losing a job can be disastrous, the offer of help could appear to be a miracle. Unfortunately, for many, it often leads to fraudsters filing legitimate claims on behalf of someone and then stealing their money.

“We look at spend patterns such as the frequency of usage, and correlate it back to the client level,” Ilori said. “The main cards we are seeing in this fraud are prepaid cards issued by state unemployment agencies and their financial institutions.”

Ilori noted that some best practices agencies could follow include limiting how many unemployment accounts can be loaded onto a single card. Other practices include setting limits on weekly spend velocity and maximum transaction size.

Despite best efforts, the size of the fraud scams are so large, the issue has created a bottleneck in approving new claims. On September 19, the State of California announced it would take a two-week pause in approving 600,000 new unemployment claims and resolving 1 million claims that require additional authentication while the state deploys a new identity verification tool to combat fraud.

“These losses put the spotlight on the opportunity to use mobile payments and disbursements as a safer alternative to prepaid cards, with less settlement risk,” said Crone. “Mobile payments can come to the rescue of unemployment agencies, similar to how contactless cards have come to the rescue of shoppers who still want to pay with a physical card during the COVID pandemic. It’s because they have the ability to provide four-factor authentication.”

Crone describes mobile four factor authentication as: something you have (a smartphone or other device), something you know (password), something you are (biometrics) and something you do (separate out-of-band authentication).

Source Article