For months, the unemployed contract pharmacist said, he received his benefit payments with no problem. But then somebody hacked into his account and directed his money to an obscure bank 1,300 miles away.
That was in April, more than three months ago. He said he quickly complained to the Illinois Department of Employment Security, law enforcement and regulators, but it kept happening. So far, four of his nine most recent payments, for a total of $3,262, have been diverted — including one as late as July 14.
“Somebody robs a bank in Pittsfield, and the cops get there in five minutes,” Winston told the Tribune. “Somebody robs a bank in IDES, and nobody does anything about it for three months. It’s unthinkable.”
What’s happening to Winston is called account hijacking, and it’s another variation on the fraud entangling Illinois’ unemployment agency, which has led to calls for state hearings and audits to figure out what went wrong.
This type of theft is different from impostor fraud, in which criminals file fake claims in the names of real people. In account hijacking, qualified people start getting their benefits and then somebody, somehow, directs that cash elsewhere. In the past year, cases of it have surfaced in news media including WLS-Ch. 7 and WBBM-Ch. 2.
As with the fraud involving fake claims, the administration of Gov. J.B. Pritzker is providing few details on the scope of the problem, as Pritzker gears up for a reelection battle with Republicans looking to question his record.
IDES has declined to provide figures on how many people have reported being robbed of their benefits, and how much money was taken. IDES records show people have filed hundreds of affidavits this year saying they never got their payments, but one industry expert, Haywood Talcove, suggested the total is likely higher because not all victims report the crime.
Talcove, an executive with LexisNexis Risk Solutions, said the solution is simple and relatively cheap: a security protocol called multi-factor authentication. Used by private industry for years, it typically requires people to enter their passwords, then type in an additional code sent to their phone or computer.
“Account takeover is 10-year-old stuff,” he said. “It shouldn’t be happening anywhere. There’s no excuse for it.”
So far, account hijacking has been overshadowed by reports of impostor fraud. The Tribune reported in late June that the state had failed to follow federal guidelines to limit that kind of crime. And a state audit released Wednesday, covering the early months of the pandemic, found IDES’ verification process was so weak that it paid hundreds of claims to people whose listed birthdays would make them older than 90 or younger than 14. In some cases, the birth date was the same as the date the claim was filed, or years into the future.
IDES previously told the Tribune the agency works “vigilantly” to combat fraud but said federal officials should provide states with better tools, while also noting that efforts to block out fraudsters can also unintentionally delay or reject the claims of legitimate filers. IDES told auditors it had stepped up some vetting last fall and this spring.
Still, state Senate Republicans on Thursday called for a broader state audit of IDES’ woes and accused the administration of Pritzker, a Democrat, of trying to hide the scope of the problems.
“If you look at the state of California, a blue state, they’re releasing unemployment fraud information,” state Sen. Jason Plummer, R- Vandalia, said at a news conference. “If you look at red states like Kansas, they’re doing the same.”
Illinois’ Senate Republicans said they hoped their Democratic colleagues would agree to a deeper audit. But an earlier effort by Republicans in the House failed to gain traction.
Talcove, whose firm sells fraud-fighting services, recently told the Illinois House Committee on Cybersecurity that Illinois likely lost a billion dollars, if not more, to impostor fraud.
He told the Tribune on Thursday that thieves could hit the state even harder if Illinois doesn’t improve its approach to cybersecurity, which Talcove said remains too decentralized and bureaucratic.
The July 15 hearing didn’t get into account hijacking, and no IDES officials spoke. The committee’s chairman, Rep. Lamont Robinson, D- Chicago, said he expects to hold a separate hearing focused on IDES’ fraud issues within a month.
Robinson blamed the fraud problems in part on IDES being “gutted” under the previous governor, Republican Bruce Rauner, and said IDES was caught off-guard when the pandemic hit. He said he’s working with the Pritzker administration to assess fixes and called for IDES to release more information about the problems, saying politics shouldn’t get in the way.
“Look, the cat’s out of the bag,” he said. “The director knows she has an issue. The governor knows it’s an issue. I don’t think anybody’s hiding anything.”
But Robinson said he will support a deeper audit only if he feels the issues aren’t adequately addressed at his next committee hearing.
Melissa Matarrese of Wicker Park is among those waiting for answers.
Her benefits had been deposited into her bank “pretty seamlessly” beginning in the fall, Matarrese said. Then, on June 28, she got an email from IDES stating that the direct deposit information on her account had been changed two days earlier.
She called and left a message on IDES’ fraud line, then tried to log into her IDES account, but her password didn’t work. She said IDES called the next day and promised to fix the problem.
But Matarrese hasn’t gotten payments since and still can’t log into her account, despite repeated phone conversations with IDES. The cycle goes like this: She calls and leaves her contact information in a voicemail. In a day or two, an IDES employee calls back. By her count, she’s had eight phone calls with IDES so far, totaling nearly four hours.
“While they’ve been pleasant, nothing’s happened,” Matarrese said.
IDES has said it cannot by law discuss individual cases. In what little IDES has said about account hijacking, the agency has suggested that beneficiaries are falling for scams that allow thieves to steal their login information and redirect the cash, as opposed to hackers breaking into computer systems used by IDES.
Even if that’s true, IDES has yet to explain how it has been unable to stop repeated thefts from the same accounts, even after fraud was reported.
That’s the case with Winston. Winston, who lives about 45 miles southeast of Quincy, on the state’s western border, provided records to the Tribune showing that payments were being sent to his bank near Springfield through late March.
When an IDES email alerted Winston in April that his direct deposit information had been changed, he called IDES to report the fraud, then dug into it more himself.
Logging into his account, he saw his bank’s name had been erased from the direct deposit screen, and the routing and account numbers had been replaced.
Winston traced the routing number to a bank registered in Sandy, Utah, tied to Go2Bank. That’s an affiliate of the branchless Green Dot financial services firm that scammers have used to quickly transfer cash online or siphon it out through prepaid cards.
IDES told Winston to reenter his banking information online, and he did. Winston said he changed his IDES account password, to better protect himself, and also reported the fraud to Green Dot. So both IDES and the bank were on notice, according to a complaint Winston later filed with the state. Yet weeks after the first fraudulent transfer, another one was sent to the same Go2Bank account, Winston’s records show.
Talcove said this shouldn’t happen. Even if states don’t adopt two-factor authentication, states should be able to trace past changes to accounts, deduce how the fraud occurred and put special conditions on previously hijacked accounts that avoid another fraudulent takeover.
Winston said IDES told him the problem would be fixed. And, through May, he got his payments. But then came another email notification from IDES, and sure enough, his next payment went to the same Go2Bank account.
He complained to IDES and Green Dot again, along with the FBI, who he said directed him to file a complaint with the Illinois attorney general’s office. In the complaint, he theorized the state system, not his computer, had been hacked by criminals and wrote: “This should be given the highest priority by all authorities.”
In a statement, Green Dot’s chief risk officer, Philip Lerma, said the firm couldn’t discuss Winston’s specific complaint but said in general that Green Dot works with states and others to stop fraud, as part of an “ongoing process of learning and refinement across the industry.”
Nonetheless, it happened to Winston again. On July 14, he said, an IDES representative went over his correct bank account information on the phone with him before authorizing payment. But that payment, somehow, still went to a Green Dot account.
Winston said all the IDES workers have been friendly, and he’s been told he’ll be reimbursed for his hijacked payments once IDES completes a review to confirm they were stolen. He also said his last payment went to his real bank. But he is still worried about future payments and wonders when the state will fix the bigger problems.
“Once you call IDES and say, ‘I didn’t change my bank account number,’ that should be a big enough red flag, a big enough warning, that they should start an investigation and lock down the account. And that was in April,” he said, “and here we’re still worrying about it.”
©2021 Chicago Tribune. Distributed by Tribune Content Agency, LLC.