In our 50+ interviews with states, state partners, and advocacy partners, more often than not we heard some version of “our mission is fraud prevention.” Due to the recent increase in fraud, this is understandable. Unfortunately, many current strategies for fraud prevention hurt the very people who need help the most.
A fraud-focused operation assumes that the more difficulty a person has with the process, the higher the chance of them being a fraudster. In reality, it often means that the benefits program — the application and recertification processes — hasn’t been designed with this person in mind.
This report encourages states not to punish users for faults in system design. In this section, we:
In the context of unemployment insurance, fraud is when applicants supply false information to get unemployment benefits they’re not legally entitled to. There are 2 main types of fraud:
People who commit either type of fraud are called “fraudsters,” and cases are often a combination of both — using a stolen identity to file a false claim.
Before the pandemic, a significant percentage of claims were technically associated with fraud. “For the last eight years, the Department’s Office of the Inspector General (OIG) has determined that the UI program is out of compliance with the Improper Payment Elimination and Recovery Act of 2010 due to an improper payment rate over 10 percent.”3
The vast majority — 99% — of this fraud was benefit theft, not identity theft. Real individuals conducted benefit theft in their own name, by doing things like:
Given the complexity of the unemployment application process, some of these thefts may have been the result of honest mistakes. And many times, these overpayments could have amounted to just a few dollars.
If an individual returned to work but lied to continue to collect unemployment, they might have collected benefits for a certification period or two. But the agency would soon get an alert as to their new employment status and shut off benefits. This is an overpayment and counts as benefits theft, but compared to the scale of today’s fraud, it was miniscule — and states were relatively well equipped to catch and stop it.
Since the pandemic, UI fraud has changed dramatically. It’s now:
And in contrast to benefits theft, states aren’t at all prepared to catch and stop it.
Preventing identity theft fraud requires effective identity verification. States have always had ineffective identity verification methods. State identity verifications for unemployment benefits have never been subject to any standards or oversight.
But this weakness was rarely exposed, because in order to qualify for unemployment prior to the pandemic, you also had to prove your connection to your former employer, including wage verification records. This verification step effectively served to strengthen identity verification, since it was difficult and cumbersome to:
Pandemic Unemployment Assistance (PUA) opened the door to rampant fraud by removing the need to verify someone’s connection to an employer or wages. Applicants simply self-certified that they had been employed.
Now, all that was standing between imposters obtaining benefits payments fraudulently was states’ identity verification systems. And because these identity verification methods didn’t work, there was nothing standing between criminals and the benefits.
Thanks to decades of data breaches, criminals can buy large databases of high-quality personally identifiable information (PII) such as names, social security numbers, addresses, and passwords. This makes it very easy for fraud syndicates to submit large numbers of false claims.
Real people mistakenly enter their name as “Kathy” when their legal name is “Kathryn” and get flagged, but fraudsters have the correct legal name in their files from the start. It is easy for criminals with spreadsheets of stolen data to fraudulently apply for and receive billions in benefits. Meanwhile, real claimants often cannot get past the front door.
Almost all anti-fraud measures make legitimate applications more difficult in some way for some claimants. Poorly designed ones can reject more legitimate applications than they ever stop in fraud. While the current focus on fraud prevention and reduction is understandable, even more emphasis and resources are needed to increase access for eligible and legitimate workers in need.
Some of the issues that can lead to a legitimate claim getting flagged as fraud today include:
In cases where there is no criminal intent and the issue is caused by poorly conceived requirements, weekly certification questions, or data errors, it’s disingenuous and harmful to categorize the applicants as “fraudsters.”
Manual claims processing, at scale, harms the populations who most need unemployment benefits:
Instead, we should focus on ways to design effective, and largely (but not entirely) automated, identity verification and claims processing methods that serve all populations, and actively measure whether all populations are achieving equitable outcomes.7
As of this writing, the majority of states have withdrawn from the PUA program, many citing fraud as a reason to discontinue delivering these benefits. This leaves many gig and freelance workers struggling to make ends meet as the pandemic grinds to its end. Some vendors, including large banks, have withdrawn from participating in unemployment benefits programs, citing fraud, which limits states’ ability to deliver the benefits even if they want to.
Paying fraudulent claims is obviously not good for taxpayers, or for the employees and employers who paid into unemployment insurance accounts. But fraud has cast a shadow over unemployment benefits as a whole.
The federal government has already largely solved the issue of identity verification for preventing identity theft. Federal agencies must follow NIST guidelines8 for building secure online accounts for applying for and managing benefits like taxes9, Social Security benefits, Veteran disability compensation, and more. These agencies aren’t suffering newsworthy breaches every day, because these standards for preventing identity theft fraud work.
When individual states have adopted federal identity verification standards, their fraud rates fell significantly. Colorado calculated that 87.4% of its PUA claims were fraudulent after adopting a NIST-compliant identity verification process.10 In Arizona, a staggering 99% of PUA claims may have been fraudulent,11 a trend which reversed immediately after adopting a federally-compliant identity solution.
Once we stop the firehose of identity theft, we can then measure the next highest buckets of fraud and implement measures to identify those bad actors (including those who operate across state lines). For example, identity verification alone wouldn’t prevent a prisoner (who is really themselves–not an identity thief) from committing benefits theft, even if the law says unemployment benefits cannot go to a prisoner. But this volume will be a small fraction of the current identity theft fraud.
While this is addressed in NIST guidelines already, we want to particularly call out how laughably ineffective it is to use Social Security Numbers for identity verification. They have all been stolen–multiple times. The criminals have them in well-organized spreadsheets. They are not private information any longer, and to continue to treat them as such complicates matters. Any state using social security numbers as a means of identity verification should stop, immediately.12
As we explain in the identity verification section, federal guidelines provide significant flexibility for serving claimants who:
Our recommended balance is to follow federal guidelines, but actively design for underserved populations,13 and then measure how effectively these groups are able to accurately pass identity verification. If issues are discovered, work to design solutions.
The only way to prevent all fraud is to stop the distribution of all benefits. All real-life financial systems tolerate some amount of risk. Unemployment systems need to weigh the amount of risk of overpayment they are willing to tolerate, relative to other risks, like underpaying real claimants or not paying desperately needy people for months.
Reports of how many fraudulent claims have been filed and how many have been successfully blocked are murky due to a lack of a standard, or transparent, means of measurement. Some states block all foreign IP addresses (including Mexico and Canada, where plenty of legitimate claimants live) and declare all claims attempted from foreign IP addresses to be fraud. Others count all incomplete applications as fraud. This isn’t accurate.
The variables contributing to a risk score must:
The National Association of State Workforce Agencies (NASWA) operates the Integrity Data Hub14 on behalf of the U.S. Department of Labor. NASWA operates multiple mandatory services within the Integrity Data Hub that likely prevent some fraud, such as the National Directory of New Hires Cross-Match and the Quarterly Records Cross-Match. As of this writing, they are credited with preventing $243 million in improper payments. But current estimates are that more than $400 billion in fraudulent claims were paid out.15
To better understand existing fraud-prevention tools, we recommend state demonstration projects. These projects would determine:
The people behind PUA believed they were doing a good thing for millions of Americans. But they didn’t anticipate how decoupling unemployment benefits from wage verification would also make it trivial for criminals to extract billions of dollars.
As policymakers design benefits in the future, the early design process should consider how to equitably detect and prevent fraud.
If we don’t put this sort of planning into the design of future benefits, the perceived threat of fraud may prevent the very existence of critical benefits during difficult times.
“The OIG has opened over 15,000 investigative matters related to the pandemic. The vast majority of these matters involve identity theft related UI fraud. In response to this unprecedented amount of potential UI fraud, the OIG hired 22 additional special agents, a 20 percent increase in field investigative staff. In addition, our special agents prioritized their case inventory so that 75 percent of the investigative workload was focused on UI fraud. Prior to the pandemic, UI fraud made up approximately 10 percent of the investigative workload. The OIG’s investigative efforts have directly resulted in the identification and recovery of over $100 million in fraud involving the UI program. In addition, OIG special agents assisted in the identification and recovery of over $565 million in fraudulent UI benefits.” Pandemic Response Oversight Plan, p2 https://www.oig.dol.gov/public/oaprojects/DOL_OIG_Updated_Pandemic_Response_Oversight_Plan.pdf ↩
“A new phenomenon created more confusion. Before the pandemic, most cases of fraud in the UI system consisted of claimants misrepresenting the facts in order to get a larger benefit amount. During the pandemic, the predominant type of fraud has been false identification: as of this report, there are approximately 50,000 UI claims with questionable identity characteristics. The federal rules require that notice be given to these individuals, but it is not possible to contact a claimant who is fraudulent or is a bot. This is just one example where state and federal laws were not up to the unprecedented challenges of the pandemic. As context, in the regular UI system, the employer serves as a deterrent to fraudulent benefit claims. If an employer disagrees with a claimant’s eligibility for the program or a false claim is filed, they can file an appeal. In the PUA system, there is no employer of an independent contractor to review the claim and disagree with the application for benefits. Also, Nevada has no state income tax, and so the state had no way to validate to see whether an individual had self-employment income or not.” - Nevada Strike Force Report https://cms.detr.nv.gov/Content/Media/Strike_Force_Report_2021_FIN.pdf ↩
While there are examples of unemployment benefits in the past that were not tied to wages, these amounts were very small: $25 per week. During the COVID-19 pandemic, $600 per week over an extended period of time made it very profitable to invest in filing fraudulent claims. ↩
No state has enough trained claims processors to process all claims manually in an acceptable time period. In reviewing GAO and IG reports from past recessions, every employment agency cites inadequate staffing to meet increased demand. In fact, in reports during non-recession times, agencies also report long-standing training, staffing, and retention challenges. There is no evidence that employment agencies can achieve the staffing levels necessary to process all claims manually in a timeframe that also delivers benefits quickly to those who need them most. ↩
“Human equity is when outcomes are not predictable based on someone’s identities or characteristics (e.g. race, sexual orientation, gender identity, ability status, etc.).” - Equity-Centered Community Design Field Guide ↩
The IRS account breach involved user accounts that were not compliant with these standards. The IRS has since adopted them. ↩
Using SSNs to verify that a claimant is not deceased may still be a valid use, but not for identity verification. The key here is that knowledge of a SSN is not a secret, so it should be treated similarly to a phone number: fine to ask and use it where needed, but knowledge of your phone number should not be all that’s needed to get into your bank account or redirect your IRS tax refund. ↩
The head of each agency, or designee, shall conduct such review and within 200 days of the date of this order provide a report to the Assistant to the President for Domestic Policy (APDP) reflecting findings on the following:
(a) Potential barriers that underserved communities and individuals may face to enrollment in and access to benefits and services in Federal programs;
(b) Potential barriers that underserved communities and individuals may face in taking advantage of agency procurement and contracting opportunities;
(c) Whether new policies, regulations, or guidance documents may be necessary to advance equity in agency actions and programs; and
(d) The operational status and level of institutional resources available to offices or divisions within the agency that are responsible for advancing civil rights or whose mandates specifically include serving underrepresented or disadvantaged communities.
(a) Within 1 year of the date of this order, the head of each agency shall consult with the APDP and the Director of OMB to produce a plan for addressing:
(i) any barriers to full and equal participation in programs identified pursuant to section 5(a) of this order; and
(ii) any barriers to full and equal participation in agency procurement and contracting opportunities identified pursuant to section 5(b) of this order.
(b) The Administrator of the U.S. Digital Service, the United States Chief Technology Officer, the Chief Information Officer of the United States, and the heads of other agencies, or their designees, shall take necessary actions, consistent with applicable law, to support agencies in developing such plans. ↩