Clever new phishing scam targets unemployed New Yorkers
A new phishing scam is targeting unemployed New Yorkers, stealing their driver's licenses, Social Security numbers and other personal information in order to resell it on the "dark web."
Here's how it works: Victims are lured with authentic-looking text and email messages that link to a carbon copy of the New York State unemployment website. After a victim enters their username and password, the fake site asks for high-quality images of sensitive documents. That gives the cybercriminals access to the person's name, address, phone number, date of birth, driver's license number, Social Security number and email address.
The phishing attack was active for several weeks, according to Steve Ragan, the security researcher at Akamai Technologies who discovered the scam. The scammers were able to remain anonymous by hiding the fake website behind a proxy server, an intermediary domain that cloaks the originating IP address.
The documents are widely available on dark web markets, Ragan said, noting that he found Social Security cards related to the scam selling for about $1.50 each and driver's licenses netting about $100 apiece.
One dark web seller discovered by Ragan used a New Yorker's personal information to create a fake driver's licence scan. The total cost of the ID package was listed for $130. Another dark web criminal listed personal information for $5 per record and offered identification cards that the seller claimed cleared New York state's manual verification process on the "My NY" website. Sold in bulk, many of these records cost about 49 cents per document.
"Criminals are making money selling the information, and they are making money committing unemployment fraud. In some cases, they can do both. Data is highly valuable, and can be used for a number of scam types including credit fraud, money laundering and assistance fraud, which is what we see in the video," Ragan said.
The amount scammed per victim can vary widely. Some victims take a small financial hit, or are inconvenienced by identity theft. Losses to the state and private companies can be significant.
The New York Department of Labor announced in February that the state has uncovered 500,000 similar scams since the start of the pandemic and that it has stopped more than $6.4 billion in payments to criminals. The state also launched a site that allows New Yorkers to report identity fraud and cybercrime.
The state now claims to use both human investigators and AI to prevent and prosecute cybercrime. The new tools "add to the Department of Labor's constantly-expanding arsenal of weapons to combat fraud," New York Labor Commissioner Roberta Reardon said in a statement. "Every day, we leverage highly experienced investigators, artificial intelligence, and other sophisticated techniques to identify fraud as quickly as possible, stop these criminals in their tracks, and protect New Yorkers' unemployment system."
Last week, the Department of Justice warned workers about unemployment-benefit scams. People who receive text messages with links that claim to be from state workforce agencies should report them, the DOJ said.
Recovering from identity theft can take time, and the process can be expensive and stressful, Ragan said. Victims should notify credit agencies and monitor bank statements. "Waiting can cause the most stress, because until the changes are made concerning your report, the criminal has free reign."