The House Select Subcommittee on the Coronavirus Pandemic has tallied up a total of $191 billion of fraudulent claims paid out through state unemployment insurance (UI) agencies to hackers and fraudsters – up from previous estimates that put the fraud figure closer to $100 billion.
That was the headline number in the subcommittee’s 557-page report made public on Dec. 5.
Fueled by business lockdowns and social distancing in the initial period of the pandemic, U.S. unemployment spiked to nearly 15 percent in 2020.
In response, the Department of Labor (DoL) established Federal guidelines for unemployment benefit programs to address the surge, and Congress enacted pandemic relief packages including the $2.2 trillion Coronavirus Aid, Relief, and Economic Security Act (CARES Act) which established weekly UI payments, extended the length of time people could receive UI benefits, and expanded the eligibility of benefits to new sectors under the Pandemic Unemployment Assistance (PUA) program.
According to the subcommittee’s report, an estimated $872 billion was allocated to pandemic UI benefit programs – nearly $200 billion of which was paid out to fraudulent claimants – marking an uptick from the Government Accountability Office’s (GAO) previous estimation of a little more than $100 billion.
“Extending these programs, with insufficient oversight, allowed fraudsters, international criminals, and foreign adversaries to steal billions in taxpayer dollars through UI fraud,” the report says, asserting that a lapse in oversight was largely to blame.
“Most of these losses could have been prevented if Congress and Federal agencies provided up-to-date technologies along with proper verification methods for oversight, something GAO [Government Accountability Office] has been specifically recommending for more than ten years.”
States, which are responsible for administering UI benefits, didn’t take the right steps to prevent UI fraud, subcommittee members said. Two particular pandemic-era UI programs reported improper payment rates of 18.7 percent – and the PUA program reported estimated improper payments of 35.9 percent.
When reviewing applications for benefits, states failed to properly ensure that applicants weren’t filing in multiple states, were not prisoners, were not a high fraud risk, or had real identities – resulting in what the report called “widespread fraud at an unprecedented level.”
“This absence of robust verification measures allowed criminals to exploit the system by receiving multiple payment cards, with some sent to the same address, and by fraudulently obtaining benefits in the names of incarcerated individuals,” the report reads.
Other state-level failures noted by the report included missing reporting deadlines and submitting inaccurate reports – which resulted in not having up-to-date financial management systems in place – and not following Federal guidelines more generally.
As of the publication of the report, subcommittee members said that states have only recovered $1.2 billion in payments lost to fraudsters across UI and relief payment programs.
“Agencies are actively working to recover funds lost to fraudsters but are having difficulties tracking down some of the money, as some was converted into tangible assets,” wrote subcommittee members. “Fraudsters bought cars, property, and even hired hitmen with the money stolen from taxpayers.”
States’ outdated IT systems also made it difficult to prevent cyberattacks and the use of fraudulently obtained information, subcommittee members said, noting that this made the UI programs vulnerable to fraud from international criminal organizations. Chinese-government linked hackers reportedly stole at least $20 million in relief funds, and a Nigerian fraud ring and an Indian national also stole $10 and $8 million, respectively.
Technological failures also drove insufficient data sharing and integration to prevent the use of fraudulent identities. The Social Security Administration (SSA) was restricted from sharing its death data with the Treasury Department, resulting in “5,097 fraudulent loan applications unable to be accounted,” the subcommittee said.
Agencies such as the Small Business Administration (SBA) also didn’t implement recommendations urging the use of enhanced data analytics, fraud risk assessments, and stronger internal controls.
“Integrated, functional, and secure data systems are essential for effective fraud and risk management. Agencies’ IT systems were unable to facilitate fraud detection and recovery,” the subcommittee reported.
Recommendations for future preparedness include strengthening internal controls and verification processes; mandating use of the Treasury Department’s do-not-pay list – used to prevent payments to those barred from doing business with the government; enhancing data sharing and integration by removing legal barriers that prevent the SSA from sharing death data with the Treasury; making state IT systems compatible with resources provided by Federal entities; undergoing rigorous identity verification; and modernizing IT systems to enhance cybersecurity.
Cybersecurity protocols include implementing multi-factor authentication, intrusion detection systems, and regularly conducting security audits and comprehensive risk assessments. Clear guidance and enhanced coordination should also be used to improve cybersecurity outcomes, subcommittee members wrote.
“This work will help the United States, and the world, predict the next pandemic, prepare for the next pandemic, protect ourselves from the next pandemic, and hopefully prevent the next pandemic. Members of the 119th Congress should continue and build off this work, there is more information to find and honest actions to be taken,” wrote subcommittee Chairman Brad Wenstrup, R-Ohio, in a letter to Congress accompanying the report.