- Unemployment payments were a lifeline to the millions of people who lost their jobs during the pandemic.
- Scammers set their sights on the payments. Transaction fraud involves the theft of unemployment funds from recipients’ accounts.
- In this case, the key problem seems to lie with states’ use of prepaid cards to provide benefits. Cards with only magnetic strips – and not chip protection – can be duplicated and used to steal cash.
As millions of Americans received unemployment payments to get through the crisis, scammers developed a new way to steal cash directly from recipients' accounts, according to an investigation by CNBC.
When one single mother's account was emptied, she had to crack open her child's piggy bank to survive. Another victim choked up when telling CNBC how she left a grocery store empty-handed. A musician said he had to live in his car for a few weeks after his funds were stolen.
At the heart of the issue is the technology that underpins most of the debit cards used to distribute unemployment insurance in certain states, experts say. Unlike standard consumer debit cards, government-prepaid cards often lack a chip — instead they use outdated magnetic stripe technology — making them easier for hackers to penetrate.
"A card without a chip, that's really easy to copy," said Charles Henderson, global managing partner and head of X-Force at IBM Security. "If a criminal gets access to the data on that 'magstripe' and they can either reset the cardholder PIN or get access to the PIN number as well; they can manufacture a card, and go to an ATM."
A CNBC analysis found that states like California and Nevada saw an outsized share of so-called transaction fraud during the pandemic because, with few exceptions, their unemployment insurance was distributed through chip-less debit cards. Other states, such as Hawaii, reported negligible instances of stolen funds because most benefits were directly deposited into recipients' bank accounts.
Still, 45 states and Washington, D.C. issue debit cards as one option for unemployment insurance.
During the pandemic, a wave of unemployment made the world of benefits a prime target for fraud. Improper payments amounted to nearly $40 billion nationwide as of January, according to estimates by the Labor Department.
The bulk of this fraud involved identity theft — whereby criminals would receive unemployment by using false information. But the transaction fraud that wiped clean thousands of unemployment-insurance accounts is different. This involves unauthorized transactions, in some cases copying the cards and cashing in the accounts through ATMs.
Bank of America, which is responsible for distributing government-benefits cards in California, told CNBC that less than 2% of its cardholders had their benefits stolen during the pandemic.
Azuri Moon, 30, experienced this firsthand. A part-time performer and music teacher, Moon found himself unemployed for the first time in his life during the pandemic.
A California resident, he took out unemployment insurance beginning in March. Around October, when he was trying to buy lunch at a taco truck, his card was declined. He said he went to an ATM to take out cash to no avail.
"My entire account was cleared out," Moon said in an interview with CNBC, referring to the account that housed his unemployment payments. "And that was actually the first time that I really needed to rely on it for rent that month."
Moon said he called Bank of America and learned there were two unauthorized ATM withdrawals in the days before he discovered the fraud. In total, he said, about $1,800 was stolen. Moon said it took him 11 hours to file a claim with the bank. He said he was told it would take at least 30 days to get his money back. Having no money to pay rent, Moon said he temporarily became homeless, living in his car.
About a month after he filed his claim, Moon said a bank representative told him he was liable for the stolen money and that the firm would not be providing a credit. Moon said the bank encouraged him to file a police report, which he did.
After months of communication, Moon said Bank of America did credit his account for the stolen funds, but only after he joined a class-action suit against the bank.
A class-action suit, injunctive relief
The suit Moon joined alleges that the firm "failed to take reasonable steps to protect plaintiffs' and class members' benefits from fraud." Filed initially in the U.S. District Court for the Northern District of California, the complaint said that Bank of America failed to implement "fraud preventing" chip technology in the plaintiffs' cards, making them "readily susceptible to cloning."
Brian Danitz, partner at Cotchett, Pitre & McCarthy and lead plaintiffs' attorney for the class-action suit, said that after he filed the case, he received more than 800 calls "from people who wanted to join."
In that case, a San Francisco judge issued a preliminary injunction last month that prevents Bank of America from denying fraud claims and freezing accounts based on its automated filter.
In response to the injunctive relief, Bank of America said it goes "well beyond what is required by law." The firm said in court documents that from October 2020 through March 2021, about 255,000 fraud claims were filed, of which the firm approved repayments to about half.
The bank said that part of the risk is that criminals will falsely claim fraud and then obtain provisional credits, something that has cost the firm $200 million in 2020 in California alone, according to court documents. A provisional credit is one that is temporarily added to an account as a fraud claim is evaluated. Based on the outcome of a review, it can be made permanent or removed.
"No more food in the house"
Legitimate recipients say they've been caught in the crosshairs. Single moms Candace Koole, 29, and Vanessa Rivera, 30, said they had a similar experience to Moon's. Koole, a doula, and Rivera, a lien negotiator, said they became unemployed last spring and were granted California benefits.
Koole discovered her funds were missing when she was trying to buy food at the grocery. She said she was unable to quickly recoup the $9,000 that had been stolen.
"I never knew if I was gonna be homeless. I never knew if...you know, if I was going to be able to get birthday presents for my kid," Koole said in an interview with CNBC. "I never knew what was going on. It was around Christmastime, that was also really hard."
When Rivera noticed $800 of benefits were stolen, she said she had to drain her family's savings.
"At one point, I had to actually break my son's piggy bank 'cause I didn't have gas and he didn't have — we didn't have — like, no more food in the house," Rivera told CNBC. The two are also plaintiffs in the same class-action lawsuit as Moon.
Bank of America did not comment on Moon, Koole and Rivera's situations. The bank said in a statement to CNBC that its "No. 1 goal always has been to ensure legitimate recipients could access their benefits."
Bill Halldin, a spokesman for the firm, said that last year it increased its team serving these programs "from several hundred to more than 6,000 people, dramatically reducing wait times as we answered calls and reviewed claims." Halldin said the bank committed to "additional measures to help unemployment recipients who have been victimized by fraud receive their benefits as quickly as possible."
The higher cost of chips
Moon, Koole and Rivera said that their debit cards did not include chips.
Card experts told CNBC that prepaid government cards typically lack chips because they can be about 50% more expensive to produce. Additionally, unlike typical debit and credit cards for bank customers, these benefits cards are temporary — lasting just several months, until the recipient finds full time employment.
CNBC obtained an agreement between Bank of America and California to distribute government benefits from 2016. In it, the state only requested a magnetic stripe, never a chip, therefore, the bank did not need to include chips in the cards it issued for Californians.
California recently extended its contract with Bank of America, although the bank told CNBC that it "would like to exit this business as soon as possible."
Bank of America recently ceased this type of work in Iowa, Kansas, Maryland and Nevada.
U.S. Bank, Comerica and KeyBank are the other three largest distributors of unemployment benefits. U.S. Bank and Comerica did not respond to CNBC's requests for comment. KeyBank declined to provide any further commentary on fraud incidents due to ongoing investigations.
In the meantime, California and other states are looking to ameliorate the onslaught of transaction fraud that proliferated in their systems during the pandemic.
"I have to imagine that if there was anti-fraud chip technology in these cards, there'd be an awful lot less fraud," said assembly member David Chiu, a Democrat, who is spearheading reform to California's Employment Development Department, which manages the benefits on behalf of the state.
As part of a package of bills, California lawmakers are looking to allow unemployment-insurance recipients to bypass cards altogether to deposit funds directly into their regular bank accounts.
California's Employment Development Department, as well as Bank of America, told CNBC that they're in the process of transitioning to cards with chips in them to improve security for recipients.
Maryland recently transitioned away from debit cards to direct deposits or paper checks for unemployment insurance. Nevada is the only other state that doesn't allow for direct deposit, but recently switched vendors with new cards that include chips, the state told CNBC.
Other states, like Oklahoma, are using technological solutions for their recent fraud problems. IDEMIA provides identity verification solutions for 34 state agencies, using facial recognition and biometric identification technology.
Oklahoma's Employment Security Commission is one of those agencies, having implemented the security solution in December 2020. Shelley Zumwalt, executive director of the commission, said the state was able to prevent about 40% of fraud within the first 30 days of implementing the IDEMIA solution.
"While we had a global health pandemic, we had a national pandemic in terms of identity fraud and theft," said Matt Thompson, senior vice president of civil identity for North America at IDEMIA.
For those who say their benefits were already stolen, the main way to replenish those funds is through the banks that oversee the accounts and debit cards.
Ultimately, Moon, Koole and Rivera were given a credit from Bank of America for their missing funds. But they say that their lives had already been upended.
"This is people's lives that you're messing with," Rivera said. "I feel very, like, punched in the gut."
Please email tips to email@example.com.