D.C.’s unemployment benefits system became infamous during the pandemic for excruciatingly long hold times and delayed payments that affected thousands of desperate, laid-off workers. There are now signs that the troubled system enabled another disaster: extensive identity theft.

The problem is ongoing, and it has affected both claimants and people who never had any contact with the system.

DCist/WAMU interviewed a dozen D.C.-area residents who say fraudsters have used their personal data during the pandemic to steal their unemployment benefits or file bogus unemployment claims with D.C.’s Department of Employment Services. Most requested full or partial anonymity to discuss sensitive financial matters. 

Those people say the agency failed to flag unemployment claims that contained inaccurate or patently false information, possibly harming their credit or exposing them to IRS scrutiny. Others say the agency has been completely unresponsive in helping identify breaches.

The interviews followed reporting by DCist/WAMU in August about official-looking emails unemployment beneficiaries received promising additional payments. DOES has recently posted general warnings on social media about identity theft, but the agency has not informed the public about specific threats or the breadth of fraud affecting the system.

A D.C. resident named Michael says that he lost a week of payments — $744 — after an unauthorized third party accessed his benefits account online and redirected his deposit to a different bank account. 

“I called DOES and I said, ‘Hey, what’s going on? Stop this. I don’t know what’s happening here. What bank account is that?’ They couldn’t tell me,” he says. “They sent my payment to a stranger.”

Another city resident received a debit card in the mail to access unemployment funds he had initially applied for but never pursued because he was able to find a job quickly. He later learned that subsequent payments were sent to an address in Hagerstown, Maryland. Since then, he says, his information has been used to apply for credit cards and payday loans — some as recent as this week.

“It’s a game of whack-a-mole,” he says. He placed a freeze on his credit to protect himself from further fraud. 

The District’s Department of Employment Services, which oversees the benefits program, declined to say whether fraudsters have targeted their system, or what steps the agency has taken to combat identity theft. The agency also declined to disclose how many people it had contacted about the unemployment phishing scam DCist/WAMU reported on in August.

“As a rule, the Department does not release specific numbers of potentially fraudulent claims or prevention/detection strategies,” an agency spokesperson wrote in an email. “Preventing fraud has always been a priority for DOES, as the Director has testified to District Council numerous times. UI and other types of fraud attempts have been on the rise across the country since the pandemic began. DOES has communicated how UI claimants and members of the public can safeguard their personally identifying information.”

The spokesperson added that anyone who suspects their information has been used fraudulently should report their concerns to DOES, “so we can help confirm if the communication is legitimate.”

Several people targeted by unemployment fraudsters say DOES has not communicated with them about their cases after they reported irregularities to the agency, or even confirmed they’ve been affected by fraud. In Michael’s case, he was told to call a fraud investigator at DOES — only to find that their voicemail was full. Those who reported attempted identity theft say they don’t know if they’re still at risk.

“It’s really frustrating, because there is nothing I can do about it,” says Tom Bridge, a Brookland resident whose information was used to file a fraudulent claim. “I mean, my Social Security number isn’t going to change. I’m not moving. So everything they need to do bad things is out there, if the system isn’t working the way it’s supposed to. And it clearly isn’t.”

Bridge says he received a letter in the mail last week informing him that a claim filed under his name had been rejected. Nevertheless, he received a debit card in the mail Monday to access the funds for which he never applied. He contacted DOES about the fraud over the weekend and he is now awaiting a response.

It’s not clear where thieves obtained the personal information they used to file or redirect claims filed in the District. Michele Evermore, senior policy advisor for unemployment insurance with the U.S. Department of Labor, says people’s data could have been sourced from older breaches, not necessarily a new hack affecting the D.C. government. 

“The [2017] Equifax breach, for example, was the original source of a lot of the infiltration of the systems,” Evermore says.

The D.C. government is hardly the only one clobbered by unemployment fraud during the pandemic. The problem ballooned quickly after millions of people across the country were forced to sign up for benefits after their jobs disappeared at the onset of the health emergency last year. Outdated, under-resourced benefits systems in Maryland, Virginia, and many other states fell prey to bad actors who used stolen data to file claims that in some states were worth more than $1,000 per week at the height of the pandemic. Three Maryland residents are now facing federal charges for filing bogus unemployment claims in at least 19 states, stealing more than $2.7 million over a period of one year.

It’s a torrent of fraud that only a mass unemployment event could have created, says Tarah Wheeler, an International Security program fellow at the left-leaning think tank New America.

“Previous to the pandemic, although it would have been wonderful to see real information security controls on many of these unemployment systems, there wasn’t really a big incentive to do so, because [thieves] couldn’t really steal that much money from each, single person” who filed a claim, Wheeler says. “But when you can create a situation where fraud en masse is feasible and easy to accomplish, like it was in March 2020, you create a moment where the previous incentives for information security don’t match the reality of the moment.”

In other words, the pandemic made unemployment something it was not before: a lucrative target for fraud.

Evermore with DOL says most unemployment fraud is committed by international crime rings whose tactics became more sophisticated as the pandemic wore on. At first, most were simply filing phony claims for Pandemic Unemployment Assistance, a program that Congress established in March 2020 to deliver benefits to gig workers, part-time employees, and others who weren’t previously eligible for the payments.

But eventually, Evermore says, criminals “figured out how to hijack people’s identity.”

Another D.C. resident who discovered a fake claim filed under his name says he’s been affected by multiple data breaches, and he’s not sure which one yielded the sensitive data that the thief, or thieves, used to submit the claim. His data could have been sourced from the LinkedIn breach. Or the University of Maryland breach. Or the hack that targeted Drizly, the alcohol delivery service.

“I mean, there’s so many of them,” he says.

Some cybercriminals are also synthesizing identities and setting up phony employers to collect payments, says Evermore. “The number of actors now in the space doing this, their tactics just escalate weekly. It seems like they’re talking to each other on the dark web and coming up with new ways to get at people.”

But as sophisticated as cyber criminals’ tactics have become, some are filing claims in D.C. that seem — at least on the surface — easy to flag as fraudulent.

Two individuals interviewed by DCist/WAMU say they were affected by phony unemployment claims that should have immediately raised eyebrows at DOES. A Northwest D.C. resident named Tom says he received a notice in the mail that DOES had approved a claim linked to his address. The name on the claim was “Test Two.” It could have been a data entry error, he says, or a poor attempt at fraud that somehow made it through DOES’ verification process. He says he reported it to the agency in July and never received an update on the claim.

Ben, who owns a small food business in D.C., says someone listed his company as their employer on another phony claim filed with DOES. He found out last week, when he received a letter from the agency asking him to verify the applicant’s eligibility for benefits. Both his company’s name and address contained errors, which he says DOES should have noticed, since it maintains a database of employers in the city, and his business has dealt with authentic unemployment claims regularly in the past. He contacted DOES multiple times to tell them the claim was illegitimate, but he hasn’t been able to reach anyone who can help him. Every time he calls, he says he gets routed to someone in another department that doesn’t deal with employers.

“It happened three times this morning, and it was super annoying and frustrating,” the business owner said on Monday.

Another D.C. resident says her wife discovered her information had been used illegitimately in January, when her employer received a letter about an unemployment claim filed under her name. After reporting the fraud to DOES and hearing nothing back, she contacted the office of D.C. Councilmember Elissa Silverman (D-At Large). Soon afterward, a DOES agent returned her call and advised her to file a police report, which she did. She suspects the police report will come in handy during tax season.

“If my wife gets a tax form from the D.C. government saying, ‘Hey, we paid you all this money in unemployment, and now you owe taxes on it,’ we’ll have a paper trail to explain why we’re not going to pay taxes on money she didn’t receive,” she says.

The day after she spoke with DCist/WAMU about her wife’s experience with unemployment fraud, the same woman contacted DCist/WAMU to say that she, too, had received an unemployment approval letter from DOES. Like her wife, she never applied for benefits.

“It’s almost funny,” she says.

Michele Evermore with the U.S. Department of Labor says the federal government has poured millions into combating unemployment fraud across the country. The agency is using some of that money to build centralized technology that states can use to process claims, rather than relying wholly on decaying state-run systems. 

But the trick will be creating a fraud prevention mechanism that catches criminals while allowing legitimate claims to be approved. “A well-designed system both gets the right people in and the wrong people out,” Evermore says.

Unemployment fraud victims interviewed by DCist/WAMU describe the identity theft they experienced as at best an inconvenience, and at worst a potentially long-term problem. Several filed credit freezes or placed alerts on their credit reports after they realized their information was compromised. 

“I’m fortunate. I’m savvy enough that I got it very early,” says Michael, whose benefits were temporarily rerouted to an unknown bank account. DOES later sent him the money he was owed, but he still doesn’t know what happened to the payment that was delivered to an unknown recipient. 

Michael admits that he was fortunate enough to be able to weather the inconvenience of missing a weekly payment, but he acknowledges that other victims might not be so lucky. 

“For a number of people, what happened to me is an out-and-out catastrophe for their families,” he says.