Warren Winston thought he’d escaped all the unemployment fraud occurring across the country.
For months, the unemployed contract pharmacist said, he received his benefit payments with no problem. But then somebody hacked into his account and directed his money to an obscure bank 1,300 miles away.
That was in April, more than three months ago. He said he quickly complained to the Illinois Department of Employment Security, law enforcement and regulators, but it kept happening. So far, four of his nine most recent payments, for a total of $3,262, have been diverted — including one as late as July 14.
“Somebody robs a bank in Pittsfield, and the cops get there in five minutes,” Winston told the Tribune. “Somebody robs a bank in IDES, and nobody does anything about it for three months. It’s unthinkable.”
What’s happening to Winston is called account hijacking, and it’s another variation on the fraud entangling Illinois’ unemployment agency, which has led to calls for state hearings and audits to figure out what went wrong.
This type of theft is different from impostor fraud, in which criminals file fake claims in the names of real people. In account hijacking, qualified people start getting their benefits and then somebody, somehow, directs that cash elsewhere. In the past year, cases of it have surfaced in news media including WLS-Ch. 7 and WBBM-Ch. 2.
As with the fraud involving fake claims, the administration of Gov. J.B. Pritzker is providing few details on the scope of the problem, as Pritzker gears up for a reelection battle with Republicans looking to question his record.
IDES has declined to provide figures on how many people have reported being robbed of their benefits, and how much money was taken. IDES records show people have filed hundreds of affidavits this year saying they never got their payments, but one industry expert, Haywood Talcove, suggested the total is likely higher because not all victims report the crime.
Talcove, an executive with LexisNexis Risk Solutions, said the solution is simple and relatively cheap: a security protocol called multi-factor authentication. Used by private industry for years, it typically requires people to enter their passwords, then type in an additional code sent to their phone or computer.
“Account takeover is 10-year-old stuff,” he said. “It shouldn’t be happening anywhere. There’s no excuse for it.”