COLUMBUS, Ohio — In his first one-on-one interview since being appointed director of the Ohio Department of Jobs and Family Services, Matt Damschroder said it's "too early to say with accuracy what the numbers are" as related to victims of the cyber crime known as an account takeover or how each of the cyber attacks targeting the state's antiquated unemployment system occurred.
Damschroder acknowledged, "It’s a ripe target for people who want to take advantage of the situation."
In previous reports, victims of one of the most troubling cyber crimes involving unemployment benefits during the COVID-19 pandemic said Ohio has failed to stop the crime or recover their stolen funds. Account takeovers occur when a hacker gains access to an account - in this case unemployment accounts - and divert the money to their own bank accounts.
So... how many?
Even when pressed during his exclusive interview with News 5's Sarah Buduson, Damschroder declined to disclose whether the number of unemployed Ohio workers whose benefits were stolen is in the hundreds, thousands, or tens of thousands.
"Like I said, I think it’s too early to say with accuracy what the numbers are," he said.
OH Sen. Teresa Fedor (D-Toledo) said in a previous interview with News 5: "I don’t believe them. I believe they’re lying."
Fedor is a member of the state's Unemployment Compensation Modernization and Improvement Council, which was created to improve the Ohio unemployment system after it was quickly overwhelmed by the unprecedented surge in workers' claims at the start of the pandemic in March 2020.
"People in Ohio need to be outraged because all taxpayers pay into this system," she said.
When asked about Fedor's comments, Damschroder said, “I understand her frustration. But I also think it’s important that the number be accurate.”
"The first priority was to stop the bleeding, so to speak," Damschroder said. “We have acted over a series of improvements to create new forms of fraud detection into our systems to limit the ability for [account takeovers] to happen. “
Fedor said unemployment recipients have told her they now receive an email from ODJFS when their bank account information is changed, but one claimant told her ODJFS was unable to verify their identity before the money was deposited into the hacker's account.
How do ATOs happen?
Damschroder continued to blame account takeovers on so-called phishing schemes, where individuals click on a suspicious link and inadvertently provide criminals access to their personal information.
During our interview, Damschroder acknowledged ODJFS "doesn't know" if phishing schemes are to blame for every account takeover.
"There is no evidence at this point that suggests or points to a breach of our systems that would be resulting in these kind of things," he said.
Again, Sen. Fedor disagreed. "They left the vault open, to be stolen," she said. "It's an antiquated, underinvested system that’s causing the vulnerability and for Ohioans to be attacked through identity theft."
ODJFS has consistently said it believes unemployment benefits were stolen by hackers when criminals used "fake websites that closely mirror the agency’s official website" to steal personal and banking information.
The addresses of the fake websites include:
Damschroder said ODJFS also recently brought in David DeVillers, former U.S. Attorney for the southern district of Ohio, to assist the FBI and other law enforcement in investigations into the stolen funds.
Ohio has also hired several companies, including LexisNexis and Experian, to prevent fraud.
Damschroder acknowledged Ohio taxpayer money stolen from unemployment during the pandemic - whether through identity theft or account takeovers - may remain in criminals' hands.
"A lot of that money went overseas immediately and will never be recovered," he said. "But we’re actively involved with federal law enforcement, state law enforcement and whatever avenues we can pursue to recover funds — we will certainly do that."
When will victims get help?
Damschroder said he expects ODJFS to have a process in place for victims to apply for reimbursement by the end of August. He announced during a news conference last week that ODJFS will create a process after months of ODJFS stating it was "working on a policy."
When asked why it will take so long to assist unemployed workers whose benefits were stolen, he blamed federal rules and the state's outdated system.
"At the end of the day, the Department of Labor rules require us actually have an adjudication. So, evidence has to be submitted to us that we have to then look at, to make a fact-finding decision to then reimburse," Damschroder said.
"That’s a process that has to be created because it’s not something that exists in our current system," he said. "So, we have to find a way with our 20-year-old system to create a program and mechanism for that to happen."
"Unfortunately, it takes time, but it’s our top priority," Damschroder said. "All of us here are very empathetic with the situation. Every day when I talk with the team, it’s 'What can we do to go faster'?"
Gov. Mike DeWine appointed Damschroder as director of ODJFS on July 2. He had been acting as interim director since Kimberly Henderson announced she was relocating in March, just weeks before News 5 received the first reports of cybercriminals stealing unemployed Ohio workers' benefits. He previously served as director of the Ohio Department of Administrative Services and Chief of Staff to then-Secretary of State Jon Husted.
Prevent an ATO
ODJFS said there are simple steps you can take to avoid becoming the victim of an account takeover.
Ignore all unsolicited text messages
- Never click on hyperlinks in emails or text messages that look suspicious
- Log in each week to your account and review personal information such as your physical address, email address, and banking information
- Remember ODJFS will not contact you or ask for your username or password
If you are a victim of an ATO:
- Report immediately by calling 833-658-0394. ODJFS will then work with you to verify your identity and provide you with next steps, such as changing your Personal Identification Number (PIN) and reporting the theft to law enforcement.
- Notify your bank
- Alert the three credit bureaus: Equifax, Experian, TransUnion
- Report the fraud to the FBI Internet Crime Complaint Center IC3