COLUMBUS, Ohio — More than two years after the pandemic started, cybercriminals continue to target Ohio's unemployment system.
News 5 Investigators found reports of identity theft and fraud started increasing at the beginning of 2022.
News 5 Investigators found between December 15, 2021 and the end of March, 72,308 Ohio workers reported identity theft to the Ohio Department of Jobs and Family Services online portal.
REPORT OH UNEMPLOYMENT IDENTITY THEFT: ODJFS Identity Theft and Unemployment Benefits
Reports of attempted account takeovers, where cybercriminals access workers' unemployment accounts and reroute benefits to their own bank accounts, have also increased in 2022, according to Bill Teets, Director of Communications, Ohio Department of Jobs and Family Services.
He said ODJFS is unable to provide a specific number of attempted account takeovers.
Alex Hamerstone, a cybersecurity expert at TrustedSec, an information security consulting business based in Strongsville, was not surprised when we told him about the increasing reports of identity theft.
"It's going to ebb and flow," he said. "They have a lot of money. They have a lot of information flowing through there and so they're going to be a target for criminals."
He said cybercriminals also pay attention to news and current events.
"So when there's going to be a huge glut of unemployment claims, scammers know that they can kind of get in on that," he said. "It's almost like hiding in a crowd."
One year ago, News 5 Investigators showed you how Ohio's unemployment system was easy prey for cybercriminals.
RELATED: Easy Prey: How cybercriminals stole billions of dollars meant for unemployed Americans
For example, until last December, ODJFS used unemployed Ohio workers' social security numbers as the Login ID for their accounts.
When News 5 asked Hamerstone if it was an "objectively bad practice" to use workers' social security numbers, he said, "In general, yes. There are much better ones."
However, he said, "It's still such a common practice."
Hamerstone said it's easy for cybercriminals to purchase social security numbers stolen from data breaches on the dark web.
Then, he said cybercriminals can run a computer program to identify unemployed workers' passwords and steal their benefits.
Since then, Ohio has made significant improvements to its cybersecurity.
"Ohio has continued to make strides," Hamerstone said. "I know a number of people that work in it and security for state and local government and they're all very dedicated to their jobs."
Ohio hired Experian, Google, and other technology companies to upgrade its archaic and outdated cybersecurity systems.
ODJFS stopped using social security numbers as the Login ID last December.
Unemployed Ohio workers now use the new OH|ID to log into their accounts, which Ohio websites describe as a safe and secure location for all Ohio citizens to access information and conduct business with the State of Ohio.
Users are locked out of accounts after three unsuccessful login attempts and are notified when there are changes to their accounts.
Amherst resident Paul Scaglione said there needs to be even more cybersecurity improvements to the state's system.
"It's unthinkable that something seemingly secure could be so unsecure," he said.
Scaglione received a notification the PIN was changed on his Ohio unemployment account in early April. He said he immediately notified ODJFS and learned a cybercriminal tried to file a new claim in his name.
Despite the notification email preventing the theft, he said his account shouldn't have been accessible at all.
He was only unemployed for three weeks at the beginning of the pandemic.
His account has remained dormant since April 2020, but it was still online with his social security number as the Login ID.
"That really blows me away," he said. "That just seems like an unnecessary risk and jobs left undone."
ODJFS estimates at least $506 million in benefits meant for Ohio workers was stolen by cybercriminals since March 2020.
"How could that much money slip through a department's fingers?" asked Scaglione. "The fact that money has just evaporated is unbelievable."
However, the stolen $506 million is only 2% of the $24 billion Ohio paid workers in unemployment benefits since the pandemic started, according to ODJFS.
"In the grand scheme of things, in the benefits programs, it's a very small number, " said Hamerstone.
How to protect yourself
If you receive a notice about a change to your unemployment account, go to https://unemploymenthelp.ohio.gov . Then, select the "Report ID Theft" button.
Workers who report can regain access to their accounts by creating an OH|ID account, then calling (877) 644-6452. An agent can connect the new OH|ID to their unemployment account.
When you report ID theft to ODJFS, you will then be eligible for one free year of credit monitoring.
If your unemployment benefits are stolen, you can apply for reimbursement by calling the same number. As of Feb. 11, ODJFS received approximately 636 requests for reimbursement from victims of account takeovers. ODJFS approved 252 requests, which totaled $846,469.
How to protect yourself
To prevent becoming a victim of identity theft, Hamerstone advised the following:
- Monitor your accounts
- Don't re-use your passwords
- Use longer passwords
- Use phrases instead of names or dates for passwords
- Don't click on suspicious links
- Never pay an agency or the IRS with gifts cards
- Be skeptical. The IRS and ODJFS will never text you out of the blue or demand you act quickly.