CLEVELAND — The victims of one of most disturbing cyber crimes involving unemployment benefits during the COVID-19 pandemic said Ohio has failed to stop the crime or recover their stolen funds. Account takeovers occur when a hacker gains access to an account - in this case unemployment accounts - and reroutes funds to their own bank accounts. Victims, like Marsha Randle, said the cybercrime has created an enormous financial strain during an already difficult time.
Watch investigator Sarah Buduson's report tonight on News 5 at 6 p.m.
Cleveland resident Marsha Randle, 70, discovered her unemployment benefits were stolen in early June.
"At first, I thought this cannot be correct. This just cannot be correct," she said. “I’m just not in that type of income bracket where $3,000 is just something that I can say, 'Oh well'."
When Randle called the Ohio Department of Jobs and Family Services, she said a representative was "no help" and a supervisor hasn't returned her message. "No one has called me — yet," she said.
“We’ve got people who are already in a bad situation because they’re on unemployment," she said. "Now, you’re just telling ‘em 'tough luck'.”
It's unclear how many Ohio unemployment recipients have been the victims of account takeovers. Two months after News 5 began submitting public records requests for the information, ODJFS has yet to provide a total number of victims or investigations. Spokesperson Tom Betti acknowledged account takeovers are a "significant" problem.
New ODJFS Director Matt Damschroder has also refused to answer questions on camera from News 5 about account takeovers. The lack of transparency by the government agency is a dramatic departure from the past year. Starting in March 2020 until she left her job earlier this year, former ODJFS Director Kimberly Hall held weekly news conferences where she answered questions from reporters.
How it happens
ODJFS has been transparent about how it believes unemployment benefits are stolen by hackers, writing in a news release that cybercriminals use "fake websites that closely mirror the agency’s official website" to steal personal and banking information.
“We know that individuals are receiving text messages and emails that link to these phony websites. It’s important to pay attention to know whether they are legitimate,” Director Damschroder wrote in a news release. “Please look closely before clicking sites that look like the real deal, but aren’t.”
The addresses of the fake websites are:
Who's to blame
ODJFS has also shared information about who may be behind the cyberattacks and what the agency has done to prevent hackers from accessing unemployment accounts. A review by Ohio Attorney General Dave Yost's office found a Russian server houses the fake website, unemployment-ohio-gov.com, using a Chinese domain name, according to ODJFS.
ODJFS said it "continues to work closely with the Ohio Attorney General’s Office, the U.S. Department of Labor’s Office of Inspector General and the FBI’s Cyber Crime Unit to shut down fraudulent activities and identify and apprehend criminals."
"We’re also doing everything in our power to prevent future claims hijacking. Our most recent improvements – courtesy of our fraud defense providers (Experian, the Innovate Ohio Platform, and Lexis-Nexis) – are all focused on this issue," Betti wrote in an email to News 5.
Jon Coss, Thomson Reuters' vice president of risk, fraud and compliance, said, "It's a terrible, terrible problem."
The cybersecurity expert said account takeovers have happened in other states. He said Ohio's outdated and overwhelmed unemployment system is easy prey for cybercriminals.
“Once the pandemic hit, it was pretty obvious that this was a target-rich environment for the criminals," he said.
'Not just an 'Oops!''
So far, victims who spoke to News 5 said ODJFS does not appear have plans to reimburse them for the funds stolen from their state accounts.
Olmsted Falls resident Melissa Zahn said more than $4,000 in unemployment benefits were stolen from her OH unemployment account earlier this month.
"I literally freaked out," she said. When Zahn called ODJFS for help, she said, "They said to me, 'Welp, ma’am, I’m sorry there’s nothing that I can do.' Like, repeatedly.”
Zahn said the state should cover the costs to the victims, who are already struggling.
“It’s not just an 'Oops!' It’s happening over and over and over," she said.
"We just can’t get anywhere," she said. "We’re just hitting a brick wall."
Zahn said her 77-year-old mother has had to help pay her bills.
"The little people are the ones that are getting hurt," she said. “I want answers and I want results.”
An ODJFS spoksperson said the agency is providing assistance to ATO victims. In an e-mail, Tom Betti wrote:
"We continue to assist claimants who indicate that their bank account information was changed by someone else in what appears to be phishing schemes. The scams are very sophisticated, and many people do not even realize they are a victim.
"Once we receive a report of this happening, we take several actions:
- We work with the claimant to verify their identity.
- We recommend that they change the PIN number attached to their unemployment benefits and also their PIN security question.
- We recommend that they check their accounts every week for banking or personal information changes.
- We notify the U.S. Dept. of Labor’s Office of Inspector General, which is working with the FBI’s Cybercrimes unit to shut down these sites and identify and apprehend the perpetrators.
"Regarding fund replacement, like other states, Ohio is working on our policy for this. As I’m sure you can appreciate, this involves both legal and systems complexities."
Prevent an ATO
ODJFS said there are simple steps you can take to avoid becoming the victim of an account takeover.
- Ignore all unsolicited text messages
- Never click on hyperlinks in emails or text messages that look suspicious
- Log in each week to your account and review personal information such as your physical address, email address, and banking information
- Remember ODJFS will not contact you or ask for your username or password
If you are a victim of an ATO:
- Report immediately by calling 833-658-0394. ODJFS will then work with you to verify your identity and provide you with next steps, such as changing your Personal Identification Number (PIN) and reporting the theft to law enforcement.
- Notify your bank
- Alert the three credit bureaus: Equifax, Experian, TransUnion
- Report the fraud to the FBI Internet Crime Complaint Center IC3