MAY 18, 2020, STARTED as an ordinary Monday. I was busy with office work. An email from our human resources department hit my inbox. It said something about fraudulent unemployment benefits. I couldn’t pay attention right away, so I saved it to read later.
That evening, I found five letters from our state’s unemployment claims department in the mail. I’d never heard of such a department, but it reminded me about the email I got earlier. This time, I read the email more carefully.
It turned out that someone had filed for unemployment benefits using my personal information. Many coworkers were also affected. They’d had little luck in contacting the state’s unemployment claims department directly. On behalf of the impacted workers, our employer was working with the department to flag these claims as illegitimate. Needless to say, I was surprised and worried.
The letters from the state, dated between May 14 and 16, had bigger surprises. First, the department still seemed unaware that the claim filed on my account was fraudulent. Second, it appeared the department had started making payments without complete verification.
The third surprise was most disturbing. Sensitive personal information about my employment and wages were included in the letters. I couldn’t tell whether that information was also sent electronically to the fraudulent claimant. That would surely make me a target for future, possibly more sophisticated, cyberattacks.
I was curious about how this had happened, but first I needed to worry about my own vulnerability. My personal information had previously been exposed by a few of the well-known security breaches, including one involving my former mortgage lender. It had taken me months to sort out an identity-related tax fraud a few years ago. That experience was frustrating. The prospect of repeating that same drill was daunting. Sadly, I had no choice.
My first step was to confirm the fraud with the state. I tried to create an online account with the unemployment claims department. The system reported that my information was associated with a different email address—one I didn’t recognize. I reported this to the department and to the cybersecurity division of the state attorney general’s office.
Next, I looked for suspicious activity in other places. After my previous identity theft incidents, I had set up a credit monitoring service and an extended fraud alert. Neither had reported any unusual activity, but I wanted to check myself. I pulled a free credit report to review it thoroughly. As far I could tell, it was all clear.
The prior incidents had also increased my paranoia about online transactions. Not only did I set up two-factor authentication for most of my online accounts, but also I signed up for text alerts for all financial transactions and profile changes. On top of that, I had started routinely reviewing my credit card accounts, bank accounts and brokerage activities.
Nothing had stood out the last time I looked, but I wanted to be doubly sure. I spent a few hours going over all withdrawals and credit card transactions in recent months. While I was at it, I also changed the passwords for all my online accounts. I was relieved that everything looked normal.
The other places I checked were the Social Security Administration and the Internal Revenue Service. To protect my future Social Security benefits from ending up with cyberthieves, I’d created an online my Social Security account and adopted the agency’s security guidelines. I logged in to see if there was any suspicious activity. The next day, I called Social Security and got hold of a representative, who confirmed that there was no unusual activity in my account.
Similarly, per IRS guidance, I had opened a secure account that I used to periodically check my tax transcripts and account balance. Since I hadn’t filed my 2019 federal taxes yet, I logged into my online IRS account to verify that no fraudulent return had been filed. I made a mental note to stop procrastinating and file my tax return that weekend, which I did.
Once I’d exhausted my search for fraudulent activity, I reported the incident to the Federal Trade Commission. Next, I filed a police report online. I sent an identity theft affidavit to the IRS. I froze my credit with the three national credit bureaus, namely Equifax, Experian and TransUnion. I also sent them a written request to extend my existing fraud alert for another seven years.
Checking off these steps made me feel better, but the feeling was short-lived. A week or so later, I received another letter from the unemployment claims department. This time, the department asked me to refund the money that was supposedly paid out. Another letter, demanding a larger refund, followed soon after.
I was confused. So far, I hadn’t received any formal acknowledgment from the department about the fraudulent claims on my account. The department was unreachable by phone.
Some online research revealed that the department was battling tens of thousands of fraudulent claims. Cybercriminals had siphoned off hundreds of millions of dollars. Even worse, many legitimate claims were suspended while the department combated this large-scale fraud. I had little hope of a timely resolution. Thankfully, the department soon sent an email to all affected employees of our company—and possibly other firms as well—saying we didn’t owe anything.
Identity and privacy breaches have reached crisis level. One out of three Americans were compromised by the Equifax data breach alone. Personal information for over 1.2 billion people worldwide, compiled by People Data Labs and Oxydata.io, was leaked. These are just the tip of the iceberg. For many of us, it isn’t a question of if, but when, the next identity theft strikes. All I can do is to take a few practical precautions that help me sleep better. I suggest you do the same.
A software engineer by profession, Sanjib Saha is transitioning to early retirement. His previous articles include Triple Blunder, Freedom Formula and Feelin’ Groovy. Self-taught in investments, Sanjib passed the Series 65 licensing exam as a non-industry candidate. He’s passionate about raising financial literacy and enjoys helping others with their finances.
Want to receive our weekly newsletter? Sign up now. How about our daily alert about the site's latest posts? Join the list.
After nearly 3 months, I got a letter from the unemployment claims department today, notifying that the fraudulent claim has been denied removed from my account. I tried to log on and was relieved to be able to access my account online.
Sanjib, sorry for your troubles, but thanks for sharing with us. Really good information.
Thanks, Rick.
wow, what a lot of work you had to do–that doesn’t seem the correct way to manage the problem of fraud by others.