Investigates

How criminals got away with hacking Pennsylvania unemployment accounts

PENNSYLVANIA — Paula Soffa is just one of the thousands of Pennsylvanians whose unemployment insurance account was hacked over the past year— not once, but twice.

“They changed my password, they changed my username, and they changed my security questions,” Paula told 11 Investigates Angie Moreschi. “I was like what the heck! I was in shock.”

Most of the fraudsters are international criminals using identity theft on the dark web as their key weapon to pierce the system, and it’s nearly impossible to catch them.

Cyber security expert Haywood Talcove says once the money is gone, it’s gone for good.

“The probability of getting caught when you’re a transnational criminal group is zero,” said Talcove, Chief Executive Officer of LexisNexis Government Risk Solutions.

After more than $6 billion dollars in unemployment benefits were stolen in Pennsylvania during the pandemic, as of January 2022, the Department of Labor and Industry now says it has a fix that’s helping to stop much of the fraud.

Hacked Twice in Two Months

Paula’s account was hijacked twice in just two months.

The first time fraudsters changed her bank account information.

“Somebody went in and changed my bank account information to James Roosevelt,” Paula said.

“I thought ‘Oh my God, where is my money gonna go?!’”

When that happened in December, it took two months for the state to investigate and reimburse her for the money stolen.

But then, it happened again. And this time, she was locked out of her own account.

She doesn’t know exactly how her personal information was stolen but says it’s been a nightmare ever since.

“Now that they have my name and social security number, what else are they gonna get?” she said.

Dark Web Drives Hacks

Criminals steal personal information in a number of different ways.

They can buy it outright on the dark web, where it’s advertised as “sure money,” shown on screen grabs that Talcove shared with 11 Investigates.

Or they can trick people into giving up personal data through phishing scams, where fraudsters pretend to be a government agency contacting you to fix a fake issue.

During the pandemic, they even posted fake ads on sites job sites like LinkedIn and Indeed, requiring applicants to fill out detailed personal information.

“The job never materialized, but they gave to fraudsters the information. That is needed to pierce the systems,” Talcove explained.

He says unemployment fraud can be incredibly lucrative, and fraudsters know it.

“An average unemployment insurance claim for an individual is worth right now about $14,000 across the country, so for every identity, they can get through the system, they get $14,000,” Talcove said.

With that kind of money as incentive, overseas criminals have developed sophisticated operations to drive much of the fraud and few ever get caught.

Pennsylvania confirms at least $6 billion dollars were stolen across UC programs, as of January. That’s a 13% fraud rate, but some cyber experts believe that number is more than double, as high as 30%.

In an exclusive interview with 11 investigates, the Deputy Secretary for PA Unemployment Compensation Programs acknowledged that controlling fraud has been a challenge.

“It’s definitely a surprising number,” Deputy Secretary Susan Dickinson said. “They get the information from the dark web. They use it to file a claim or hijack a claim, and, you know, that’s how they get their foot in the door.”

Lack of red flags for hacks

Despite a $35 million upgrade to the Pennsylvania UC system last June, a lack of safeguards to red-flag unemployment recipients when their accounts are hacked proved to be a serious problem.

That upgrade added facial recognition technology, called ID.me, which was supposed to make it harder to hack accounts.

But Paula questions how effective it is, since ID.me hasn’t required any facial recognition verification from her, other than when she first set up her account. And, she says, it definitely didn’t stop hackers from getting in.

“Literally you click the button ‘verify with ID.me’ and it just takes a minute; and it says okay, your identity was verified. You go right through,” Paula said, demonstrating the process.

Progress in stopping hacks

It wasn’t until earlier this year that the state finally added multi-factor authentication for recipients to access accounts— something Talcove criticized for being too little, too late.

“To me that’s incredibly irresponsible. I can’t imagine accessing any system that didn’t have that tool in place. (I)t is a basic part of fraud prevention,” he said.

But the state says even multi-factor authentication didn’t stop hackers. Dickinson says it wasn’t until the department made a technical change behind the scenes to how recipients login that they finally saw a difference, just last month.

11 Investigates asked directly if that means the state is no longer seeing hackers change people’s bank account information anymore.

“It’s not something that’s happening anymore,” Dickinson responded. “It’s finally something that is kind of going away, dying down. So that we can address those who have been caught in that previously.”

The department also put a link to instructions on UC recipient accounts for how they can retrieve their accounts if they are locked out.

“That’s been tremendously helpful to help individuals get at least back into their account,” Dickinson said. “We may still have to help them with things like straightening out payments, but at least you know they can regain control of their account, and it does not get hijacked again.”

Getting help still a problem

Unfortunately, that’s not making it any easier for those who were already hacked.

Many report to 11 Investigates they often go months and months without the unemployment money they are owed or any communication from the state, while they investigate.

Frustrating for many recipients is the difficulty they have getting through to anyone for help.

Like Paula, many complain of constant busy signals and unreturned emails when they try to contact UC customer service.

“I called probably 70-some times in a row one day and busy signal, every time,” she said dialing the number to unemployment and holding up her phone to show the “beep, beep, beep” of the busy signal.

The Department of Labor and Industry says part of the problem is a hard time finding enough employees to adjudicate fraud investigations on unemployment claims.

The state is now investigating a backlog of about 50,000 fraud claims.

Other than recommending recipients try calling on Thursdays and Fridays when it’s less busy, rather than Mondays and Tuesdays, Dickinson did not have substantial advice for recipients.

Instead, she urged them to be patient and keep trying.

“We’re certainly not satisfied. Until, you know, we are able to address everyone in real time and be able to give them the information, and at least the peace of mind that they need, even if they’re not eligible for benefits,” Dickinson said.

That offered little comfort to recipients like Paula.

“It’s crazy. It’s just, it’s not fair,” she said. “They’re supposed to be helping people, and you’re just ignored.”