‘Pure Hell for Victims’ as Stimulus Programs Draw a Flood of Scammers

Written by Editor in Chief

April 23, 2020

The federal government’s stimulus checks were meant to help people exactly like Krystle Phelps of Owasso, Oklahoma.

She and her husband, Christopher, who have two children, recently lost their incomes after Oklahoma shut down the bars near Tulsa that she cleaned and that he supplied with vending machines. But when Phelps, 33, went to the IRS website to check on the status of her family’s stimulus funds, she learned someone else had filed taxes on her husband’s behalf and used his identity to obtain their $3,400 payment. 

“I cried all day,” said Phelps, who is about a month away from being unable to pay her mortgage and has cut out everything but the basics, canceling cable and eliminating snacks for the kids. “It is a little relief, and then you find out it isn’t happening.”

With the government doling out trillions of dollars to blunt the economic pain of the coronavirus pandemic, these are good times for thieves and dangerous times for those who actually need the money.

“I’ve been in this space for over 30 years, and I have not seen anything like this in my entire career,” said Eva Velasquez, chief executive of the Identity Theft Resource Center, a nonprofit based in San Diego that helps victims. “The scope, the scale, the speed and the efficiency of the scams is breathtaking.”

In recent weeks, criminals have used people’s Social Security numbers, home addresses and other personal information — much of which was available online from past data breaches — to assume their identities and bilk them out of their stimulus checks and unemployment benefits. As a result, calls to Velasquez’s organization were 850% higher in March than a year earlier, she said, and are still soaring.

The scale of the fraud has been enormous, fueled by the economic crisis and the confusion surrounding the $2 trillion stabilization plan that President Donald Trump unveiled last month. That has been compounded by the government’s own lack of security measures for people claiming stimulus payments, with those going through the IRS website to get their checks needing to input just a few pieces of information that scammers can readily obtain.

The Federal Trade Commission recently reported that it had gotten four times as many complaints about identity fraud in the first few weeks of April as it had received in the previous three months combined. And law enforcement agencies have issued warnings about the daunting array of ways that criminals are exploiting the coronavirus.

Even before the outbreak, losses from identity theft were enormous. Criminals made around $16.9 billion from identity fraud last year, the highest total in the last half decade, according to data firm Javelin.

Many people’s personal information is readily accessible to hackers, amassed from dozens of data breaches over the past few years. Last month, Experian, the credit reporting agency, found a fresh batch of stolen data for 3 million people, containing all the pieces of personal information that a scammer would need to file for their stimulus checks.

The coronavirus has made it even easier for fraudsters to get more information. Many are bombarding Americans with emails and phone calls that use the uncertainty around the virus to distribute malware and get people to divulge their bank information and other data, which can then be used to defraud the same people. Google said it intercepted 18 million such emails last week.

Now criminals are deploying those troves of information to get their hands on the checks that the federal government is sending to needy Americans. Over the last month, more than 22 million people have filed for unemployment benefits.

Stimulus funds are separately expected to go out to around 150 million people. While the Treasury Department electronically deposited the money for around 80 million people who have bank accounts on file with the government, the IRS created an online portal for the 70 million or so other recipients who did not have that information on file.

The portal allows people to enter a new bank account address for the government to send them their money. But it requires only a few pieces of data for verification: a Social Security number, an address, a phone number and a date of birth.

Security experts said that the IRS had opened up the door to fraud by requiring so little data to claim the money. “The stimulus site is a little bit like ringing the dinner bell for hackers,” said Brian Stack, vice president for dark web intelligence at Experian.

The IRS did not respond to request for comment.

On forums on the darknet, where criminals gather to buy and sell identity information and discuss tactics, fraudsters have openly discussed the opportunities presented by the stimulus funds and unemployment benefits.

“Just a little warning that when that $1,200 drops in your account keep your eyes peeled because I am coming for that! lol,” said one message on a thread this month about the stimulus checks that was found by security firm Sixgill.

Over the last month, 4,305 malicious website domains were set up to take advantage of people looking for new forms of government support, according to security firm Check Point. The fake sites, with names like whereismystimulus and 2020reliefprogram, generally ask people to input their personal data with the promise that they can get information about their checks. But hackers then use the data against those who fall for the trick.

“This is El Dorado for hackers and pure hell for the victims,” said Adam Levin, founder of CyberScout, a firm that helps companies protect against and manage identity theft.

Unlike many previous victims of identity theft who were often hit at random, those getting targeted now are in particular need of the money.

Colin Chaplain, 21, in East Bridgewater, Massachusetts, found out he had lost his unemployment benefits to a scammer the day after he was put on indefinite leave from his construction job this month. He made the discovery when he logged into the state website to create a new profile and claim unemployment.

To his surprise, when he entered his Social Security number, the site responded “Welcome back.” It also showed the last two letters of the street name of the person who had already claimed his check, he said.

Chaplain has since waited more than 10 days for a police report, which he needs to start the process of correcting things with the unemployment office. He said he has had trouble getting through.

“I just let it ring, and two hours go by and nothing,” said Chaplain, adding that he only has enough savings to get him through the next few weeks. “I don’t know what else to do.”

Cortlyn Taylor, 19, who lives in Fishers, Indiana, has also been trying to get help after she was laid off from her job at Walmart last month. When she applied for unemployment benefits, she learned an identity thief had beaten her to it. On the IRS site, she found that the same person had grabbed her $1,200 stimulus check, which she needed to pay her mounting bills.

For the past few weeks, Taylor has been trying to get a response from the IRS. After not hearing back, she spent 10 hours one day driving to all three IRS offices in Indiana, where she still could not find anyone to help.

Taylor lives with her mother, 56, who doesn’t work and who has been recovering from the coronavirus. On Tuesday, Taylor said they were down to $4 in her checking account.

She said local police told her they were hearing from lots of other people in the same situation. But with all of the backlogs and closed offices, she was told, the glacial speed at which identity theft cases are normally resolved was likely to be even slower.

“I kind of have to pause everything,” she said. “I can’t get a car in my name like I planned. I’m not going to be able to do a lot of things that I planned to do.”

This article originally appeared in The New York Times.

 

© 2020 The New York Times Company

Even before the outbreak, losses from identity theft were enormous. Criminals made around $16.9 billion from identity fraud last year, the highest total in the last half decade, according to data firm Javelin.

The coronavirus has made it even easier for fraudsters to get more information. Many are bombarding Americans with emails and phone calls that use the uncertainty around the virus to distribute malware and get people to divulge their bank information and other data, which can then be used to defraud the same people. Google said it intercepted 18 million such emails last week.

Related Articles

Stay Up to Date With The Latest News & Updates

Join Our Newsletter

Follow Us