Rhode Island Senator Victim of Cybersecurity Scam

"I had someone apply for unemployment insurance in my name," said DiPalma, a Democrat whose district covers parts of Middletown, Newport, Tiverton and Little Compton. "They were able to get one week."

Just within Rhode Island, millions of dollars in unemployment fraud took place during the pandemic, DiPalma said.

He made the comments during the fifth annual Cyber Hygiene Event he co-hosts with U.S. Congressman James Langevin, D-RI, to make people aware of various cyber exploitations and the practical steps people can take to protect themselves, their families and their identities and data from cyberattacks.

This year's guest was Michael Tetreault, an employee of the Cybersecurity Infrastructure & Security Agency, better known as CISA, within the Department of Homeland Security. Tetreault was named cybersecurity advisor for Rhode Island nine months ago and was previously the Rhode Island National Guard chief information officer. He is a retired Army colonel.

This was a virtual event streamed on a YouTube channel and on DiPalma's Facebook page and Twitter account. There was a chat function that allowed the public to ask questions.

One viewer said more than 40% of unemployment claims were fraudulent and asked how the three large private credit companies could be trusted.

Some of the fraud does go back to data obtained when Equifax was breached, Tetreault said. Equifax, one of the big consumer credit reporting agencies along with Experian and TransUnion, had its data breached in the spring of 2017, when private records of more than 147 million Americans were obtained by hackers. It was one of the largest identity theft cybercrimes ever.

"Once that data was breached, it was out there for people to buy," Tetreault said. "They buy the information and start filing fraudulent claims. I can't tell you how many people I talk to on any given day who say, 'My HR office called and said I was filing for unemployment and I'm not unemployed.' Their information was compromised."

"Be aware of what can happen and what some of the scenarios are," Tetreault said. "Have processes in place to reduce some of the rampant abuse of stolen data."

Equifax had not updated their servers at the time of the breach. DiPalma and Tetreault said multiple times during the discussion to always allow your software to be updated immediately. Don't click the "Remind Me Later" button, they said.

Unemployment fraud became a major issue during the pandemic when payments were increased significantly, DiPalma said. It has abated somewhat now because so many federal unemployment benefits have expired.

In Rhode Island, there were millions of dollars in unemployment fraud, he said, but California lost about $2 billion to such claims.

"All the information gets filed appropriately and the claim goes to a U.S. Internet bank and very quickly goes overseas. They get the money," DiPalma said.

Another viewer asked in the chat function if the landline phone number had become obsolete with so many scams. The majority of calls people get on any given day are scam phone calls, the person wrote, and sometimes the calls look like they are local or from a personal contact.

Tetreault said scammers can do that by using VoIPs (Voice over Internet Protocol), the technology for the delivery of voice communications over the internet.

"They grab a pool of unused numbers and cycle them through," he said. "There really is no accountability. You can sign up and get whatever phone number you want, be whoever you want, and then throw that number away."

Tetreault said he's had the same landline phone number for more than 20 years, but he doesn't use it. "I don't answer that number when someone calls the house," he said. "I have my cell phone."

"Be skeptical," he said. "If it doesn't seem right and seems weird, it probably is. Go with your gut in a lot of cases."

Hackers target organizations through fraudulent email links, a process known as "phishing," so Tetreault also advised against clicking on links that are unknown. Look at the URL carefully, he said, because scammers can make them look official. Secure sites from local, state and federal governments have the .gov ending.