Today we shift the focus from markets and portfolios in order to highlight the importance of managing another form of risk that has proliferated recently: cyber-fraud risk. During the pandemic over 1 million people in Washington State and 36 million people nationwide have filed for unemployment benefits, and the rapid influx of claims has overwhelmed state unemployment systems. This has created ideal conditions for scammers looking to exploit the crisis, and in early May it became apparent that they had done so successfully in Washington, when still-employed-people all over the state began receiving notices in the mail confirming unemployment claims they had never filed.
After initially finding that roughly $1.6 million had been paid to fraudsters in April, the Washington State Employment Security Department announced last Thursday that there would be a two-day delay on unemployment payments in order to give the state time to verify claims. Since then, they have conceded that the amount paid to fraudsters is “orders of magnitude” greater, possibly in the hundreds of millions. The New York Times has reported on a US Secret Service memo that raises the possibility that this was an organized attack by a Nigerian fraud ring and notes that “Washington State had emerged as the primary target thus far, but there was also evidence of attacks in Florida, Massachusetts, North Carolina, Oklahoma, Rhode Island and Wyoming” (full article here). It is likely that the scammers have been stockpiling “personally identifiable information” (PII) from the various data breaches over the years, e.g., the 2017 Equifax breach, which we wrote about here.
So, what should you do if you or your employer receive(s) notice of an unexpected claim? The Seattle Times has compiled this helpful guide, covering whom to contact now and how to protect your data in the future. We offer the following reminders about steps you can take if you suspect there has been an attack, as well as to prevent an attack:
- Let us know as soon as you can so we can inform Schwab and keep an eye out for any suspicious activity.
- Notify your banks and credit card companies and ask them to monitor for fraudulent charges. (Be aware that they may immediately cancel your cards and issue new ones.)
- Set up a verbal passphrase with Schwab—something they would ask for before providing information or taking instruction over the phone. This won’t inhibit their ability to work with us as your advisor, but we aren’t able to add this feature on behalf of clients. Here’s the number to call if you’d like to set this up: 1-800-435-4000.
- Check in with your CPA to see if a tax return has been filed fraudulently in your name with the IRS. (The fraudster’s goal here would be to underreport your income and receive a tax refund in your name.)
- Freeze your credit with the three credit bureaus if you haven’t already. This is probably the most important preventative move you can make, and you can do so for free online. Click here to learn more. Lifting freezes temporarily, when you have a legitimate need for credit, can also be done for free online.
- Request and review regular credit reports from each of the three credit bureaus. In a joint statement last month, the three credit bureaus announced that they are temporarily increasing the amount of free credit reports each agency will provide from one per year to one per week. You can request your credit reports at AnnualCreditReport.com.
- Practice good password hygiene. The guide from The Seattle Times linked above includes resources for selecting a password manager, which is one of the best ways to protect your data. Getting it up and running can be a bit labor-intensive, but afterwards many find it actually adds convenience. We also recommend setting up multifactor authentication wherever possible, and checking to make sure all of your passwords are long (at least 20 characters) and unique (in the hands of a fraudster, a password reused across web-based accounts can cancel out any other work you’ve done to keep your data secure). A good summary of password best practices can be found here.
In the midst of this all, we hope you are finding space for joy, and we wish you a safe and happy holiday weekend.