Cambridge resident Angela B. Perrigo is all too familiar with cyber fraud.
For the past two years, Perrigo said she has periodically received robocalls reporting suspicious activity using her social security number and telling her it will be suspended unless she returns their call.
If she doesn’t recognize the number, Perrigo said she no longer picks up her phone. But she hasn’t always hung up — in 2013, Perrigo, 56, said she was lured by a man she met on the dating site Tagged into wiring thousands of dollars.
“I thought I met this guy…who claimed he was in the army. And we spoke for about three to six months, and then he asked me, could I send him money to get him home on leave,” she said.
“Stupid and lonely and wanting to find that special someone, yes, I wired this person probably about $2,000 in a matter of time,” she said. “Then I was like — I just started realizing — no, it’s a scam.”
Perrigo is far from the only Cambridge resident who has been targeted by cybercriminals.
Since the start of the coronavirus crisis, hundreds of Cambridge residents have had their personally identifiable information used to fraudulently claim unemployment benefits as part of a broader national scheme. The potentially compromised information includes social security numbers, bank account passwords, and credit card numbers.
Roughly 500 Cambridge residents have reported to the Cambridge Police Department since March that their personal information was used to file claims of unemployment benefits with the Massachusetts Department of Unemployment Assistance, according to CPD spokesperson Jeremy Warnick.
CPD saw a spike in reports of identity fraud during the month of October. From Oct. 19 to Oct. 29, roughly 150 residents reported they were the victim of identity theft, per the department’s daily crime logs. In many cases, people who had not been laid off said their employer told them someone had used their personal information to file for unemployment.
Cambridge residents — including Harvard employees — are among many people nationwide who have been targeted by the scam, which federal authorities believe foreign cybercriminals planned. United States Secret Service investigators suspect a “well-organized Nigerian fraud ring” set the operation in motion, according to reporting by The New York Times. The scheme has cost states hundreds of millions of dollars in payments intended to benefit Americans who are out of work and as a result has delayed the rate at which states distribute benefits to those in need.
Though CPD has not yet analyzed victims’ demographics, Warnick said the cyber scam can target anyone.
“This is something that can victimize anyone just due to the nature of high unemployment in the state and in large part because of COVID,” he said.
Spikes in unemployment during the coronavirus pandemic have provided an opportune moment for criminals who traffic in personal information to profit, according to cybersecurity experts.
States’ efforts to swiftly dispense benefits to out-of-work residents left them unprepared to catch fraudsters in the act, explained Jason I. Hong, a computer science professor at Carnegie Mellon University.
“Unemployment benefits offer a new opportunity to do the same kind of attack. Having everything be digital (e.g. application for unemployment and bank wiring) also makes things easier,” Hong wrote in an email. “COVID claims [are] somewhat unique in terms of its scale and how quickly it had to be rolled out, making it harder for [government] agencies to put checks into place.”
Former National Security Agency official Terry L. Thompson said cybercriminals buy and sell stolen personal information — that can then be used to file for benefits or make purchases — on the dark web, a part of the internet that requires specific authorization and is often used for illicit transactions.
“Personally identifiable information being stolen — that goes on all the time. And it’s for sale on the dark web in these various marketplaces for not too much money,” said Thompson, now a lecturer at Johns Hopkins University. “Filing an unemployment claim by taking information that has been stolen through some other data breach along the way is pretty low-hanging fruit for these cyber criminals.”
“They’re not stupid,” he added. “They’re very sophisticated and they use a lot of interesting tools.”
Cybercriminals overseas have successfully extracted Americans’ data for the past 20 years, according to Thompson.
“There’s no shortage of people in countries that take the easy way out in terms of cybercrime,” he said. “And Americans — I hate to say this — but Americans are just — we’re such easy targets because we’re quite gullible.”
Even before this year’s economic downturn, cyber fraud was rising. Thompson cited a 2019 internet crime report published by the FBI’s Crime Complaint Center that revealed a steady increase in internet crime complaints over the past five years.
Overall, from 2015 to 2019, the FBI took nearly two million reports of online criminal activity that totaled $10.2 billion in losses for victims. In 2019, Massachusetts was one of ten states whose residents reported more than $75 million in losses due to cyber crime.
The fraudulent unemployment scheme is merely the latest in an onslaught of cyber fraud operations that have targeted Americans, including Cambridge residents.
Since she fell for the romance scam seven years ago, Perrigo has become more vigilant.
In 2014, she received a phone call claiming Perrigo was going to be arrested for allegedly stealing from Walmart unless she provided them her checking account information. This time, she didn’t take the bait.
A few years ago, Perrigo said she discovered that roughly $1,000 in Uber fees was fraudulently charged to her bank account. She said she contacted CPD and her bank, eventually recouping the money.
“It’s so easy for somebody to get your information,” she said. “You don’t know if they’re finding out where you’re living.”
Thompson, the cybersecurity expert, said individuals should practice “good cyber hygiene,” including frequently changing their passwords, installing software system updates on their devices, and ignoring suspicious messages.
In response to the recent spate of local fraud cases, CPD published a step-by-step guide encouraging victims to file a police report, change all of their passwords, and notify financial institutions — including credit card companies and banks — where they do business.
During the current economic downturn, Americans’ need for benefits and cybercriminals’ scams have dovetailed.
Due to spikes in illegitimate unemployment claims, the Massachusetts Department of Unemployment Assistance began requiring claimants to provide additional verification of identity this summer. As a result, recipients of benefits could expect delays.
“It is unfortunate that because of this criminal activity, people who really need our support may face delays in receiving the benefits they need,” Massachusetts Labor and Workforce Development Secretary Rosalin Acosta said in a press release announcing the change.
At times, those delays had severe consequences.
Carl J. Diggs, who lives in Cambridge, said the state took roughly five months to process his claim for unemployment benefits.
During that time, Diggs, 32, who contracts for DoorDash and Uber Eats and qualifies for pandemic unemployment assistance as a independent contractor under the CARES Act, said he struggled to earn a sufficient living through food deliveries. Even as social distancing measures kept people at home, Diggs said he was making fewer deliveries each week.
“I went from making almost like four or five hundred for a week, to not even, you know, barely 200 for the week,” he said.
Though he frequently contacted state agencies and elected officials’ offices for help, he still went months without receiving benefits. Diggs said he had to move in with family members because he could not afford his own housing. In August, the government deposited the benefits, with backpay, into his bank account.
“I’ve been reaching out to friends and family and, you know, every day just calling these people and trying to stay on it,” he said. “Until the day that they actually fixed it and it actually came back into place.”
—Staff writer Ema R. Schumer can be reached at firstname.lastname@example.org. Follow her on Twitter @emaschumer.