Illinois unemployment accounts repeatedly hijacked by thieves

Illinois unemployment accounts repeatedly hijacked by thieves

Unemployment benefits are being stolen by thieves who redirect the funds. Repeat victims say the problem is within Illinois Department of Employment Security computers, but the state won’t release data to pinpoint the problem.

Unemployment benefits are being hijacked in Illinois, and victims say the thieves have penetrated Illinois Department of Employment Security computers.

That’s according to Warren Winston, a contract pharmacist who has been the victim of account hijacking on four different occasions. He’s worked closely with IDES since April to combat hijacking attempts on his account that cost him $3,262 in unemployment payments. The latest successful theft was in mid-July.

According to a complaint he later filed with the state, Winston reported the instances of fraud in his account to IDES after the first hijacking. He updated his banking information and changed passwords.

Despite changing this information and putting IDES on notice to watch for future hijacking attempts, scammers stole benefits from his account three more times. The unemployment agency never intervened.

“Somebody robs a bank in Pittsfield, and the cops get there in five minutes,” Winston said in an interview with the Chicago Tribune. “Somebody robs a bank in IDES, and nobody does anything about it for three months. It’s unthinkable.”

In his complaint to the Illinois Attorney General, Winston theorized the state system, not his computer, had been hacked by criminals. He wrote: “This should be given the highest priority by all authorities.”

Winston is one of hundreds of Illinoisans reporting that unemployment benefits never reached their accounts, according to records obtained from IDES by the Chicago Tribune.

Now, state lawmakers are questioning the efficacy of state cybersecurity after other repeat hijacking victims suggested scammers could have compromised IDES systems.

While IDES reportedly continues to address the evolving fraud, the agency declined to explain why it has been unable to stop repeat theft from the same accounts, even after the fraud was identified.

The rise of account hijacking cases in Illinois accompanies a growing wave of unemployment fraud that has swept through IDES since the early months of the pandemic. IDES exposed Social Security numbers and other personal information of nearly 32,500 unemployment applicants when a new system went online to handle claims from self-employed and gig workers, leading to multiple lawsuits by applicants who had their identities stolen.

Cybersecurity experts estimate the flood of imposter fraud, where criminals file fake claims in the names of real people, likely cost the state more than $1 billion.

But unlike imposter fraud, account hijackings occurs when a criminal reroutes a real unemployed person’s payments to a new bank account for their personal use.

This requires hijackers to access IDES systems and change financial information in residents’ accounts, raising questions on how scammers are bypassing state cybersecurity measures.

So far, IDES has suggested the fault rests with claimants who were likely scammed out of their account login information.

Senate Republicans took up the charge July 29, calling for a broader audit of IDES and accusing Gov. J.B. Pritzker’s administration of trying to hide the scope of the issues.

IDES has declined to share figures with the public on how many Illinoisans reported being robbed of their benefits during the pandemic and how much money was stolen. Additional audits of IDES by federal officials revealed the state agency was late to adopt free security tools that could have protected thousands of residents against fraud.

“If you look at the state of California, a blue state, they’re releasing unemployment fraud information,” state Sen. Jason Plummer, R-Vandalia, said at a news conference. “If you look at red states like Kansas, they’re doing the same.”

That sentiment was echoed by state Rep. Lamont Robinson, D-Chicago, the chairman for the Illinois House Committee on Cybersecurity. He also called on IDES to release more information, saying politics should not get in the way.

“Look, the cat’s out of the bag,” Robinson said. “The director knows she has an issue. The governor knows it’s an issue. I don’t think anybody’s hiding anything.”

Robinson said he, too, would support a deeper audit if he felt the issues were not being adequately addressed by IDES. One industry expert told Robinson’s committee the solution for a majority of IDES’ woes is relatively cheap and simple: a security protocol called multi-factor authentication.

“Account takeover is 10-year-old stuff,” said Haywood Talcove, an executive with LexisNexis Risk Solutions who testified before the cybersecurity committee. “It shouldn’t be happening anywhere. There’s no excuse for it.”

That security measure, long employed in the private sector, requires people to enter their passwords, then confirm their login with a separate code temporarily sent to one of their personal devices.

Talcove warned lawmakers in July that scammers who made a fortune defrauding the state are not going to stop with unemployment benefits.

Illinois Attorney General Kwame Raoul reported spending over $2.5 million to combat a ransomware attack that crippled his office in April. It might have exposed gigabytes of confidential and personal records, and parts of his website remain offline.

Despite calls from both Democratic and Republican lawmakers to make the full extent of state unemployment fraud public, IDES continues to ask patience of Illinoisans. Too bad scammers won’t wait.

Want more? Get stories like this delivered straight to your inbox.

Thank you, we'll keep you informed!