Recently, I wrote about how Experian is assisting NASWA (National Association of State Workforce Agencies) with identity verification to help mitigate the spike in fraudulent unemployment insurance claims. Because of this I was not all that surprised when I found a letter in my mailbox from the Texas Workforce Commission with a fraudulent claim using my identity, inspiring me to follow up on this topic with a focus on fraud prevention best practices.
Identity theft is on the rise
According to Experian data analysis and a recent study on unemployment insurance fraud, at least 25% of new claims are a result of identity theft. This is 50 times higher than what we have traditionally seen in the highest ID theft fraud use case, new credit card applications, which generally amounts to less than 0.5% of new applications.
Increasing digitization of the last few years—culminating in the huge leap forward in 2020—has resulted in a massive amount of information available online. Of that information, a reported 1.03 billion records were exposed between 2016 and 2020. There are currently approximately 330 million Americans, so on average more than three records per person have been exposed, creating an environment ripe for identity theft.
In fact, a complete identity consisting of name, address, date of birth, and Social Security number (SSN) can be purchased for as little as $8. This stolen data is then often leveraged by both criminal rings who are able to perpetrate fraud on a large scale and smaller scale opportunists – like the ones in Riverside, CA leveraging access to identities of prison inmates.
Fraud prevention through layered identity controls
In the 20 years that I have been combatting ID theft both in the private and public sectors, I’ve learned that the most effective identity proofing goes beyond traditional identity resolution, validation, and verification. To be successful, you must take advantage of all available data and incorporate it into a layered and risk-based approach that utilizes device details, user behavior, biometrics, and more. Below, I outline three key layers to design an effective process for ID proofing new unemployment insurance claims.
Layer 1: Resolve and Validate Identities
Traditional identity data consists of the same basic information—name, address, date of birth, telephone number, and SSN—which is now readily available to fraudsters. These have been the foundation for ID proofing in the past and are still critical to resolving the identity in question. The key is to also include additional identity elements like email address and phone number to gain a more holistic view of the applicant.
Layer 2: Assess Fraud Risk
Determining an identity belongs to a real-life subject is not sufficient to mitigate the risk of ID theft associated with a new unemployment insurance claim. You must go beyond identity validation to assess the risk associated with their claim. Risk assessment risk falls into two categories – identity and digital risk.
Identity Risk
When assessing a claim, it’s important to check the identity for:
Velocity: How often have you (or other states) seen the information being presented with this application? Has the information been associated with multiple identities?
Recency of change: How long has the identity been associated with the contact information (phone, email, address, etc.)?
Red flags: Has the subject been a recent victim of ID theft, or are they reported as deceased?
Synthetic Identity: Are there signs that the identity itself is fictitious or manipulated and does not belong to a real-life person?
Digital Risk
Similar to the identity risk layer above, the device itself and how the subject interacts with the device are significantly important in identifying the likelihood a new claim is fraudulent. Device risk can be assessed by utilizing geolocation and checking for inconsistent settings or high-risk browsers, while behavioral risk might check for mouse movement, typing speed, or screen pressure.
Layer 3: Verify Highest Risk Subjects
The final stage in this process is to require additional verification for the highest risk claims, which helps to balance the experience of your valid subjects while minimizing the impact of fraud. Additional steps might include:
Document verification: Scanning a government-issued ID (driver’s license, passport, or similar), which includes assessing for document security features and biometric comparison to the applicant.
One-time passcode (OTP): It is key to deploy this sparingly only to phone numbers that have been associated with the subject for a significant time frame and incorporate checks to determine if it is at high risk (e.g., recently ported or forwarded).
Knowledge-based verification (KBV): Leveraging non-public information from a variety of sources.
By adding additional, context-based identity elements, it becomes possible to improve the three main objectives of most agencies’ identity proofing process – get good constituents through the first time, protect the agency and citizens from fraud, and deliver a smooth and secure customer experience in online channels.
While there’s no quick fix to prevent unemployment insurance fraud, a layered identity strategy can help prevent it. Finding a partner that has a single, holistic solution empowers agencies to defend against unemployment insurance fraud while minimizing friction for the end-user, and preparing for future fraud schemes.
To learn more about how you can protect your constituents and your agency from unemployment insurance fraud request a call today.