With unemployment rising rapidly during the Covid-19 pandemic, and many more people likely to lose their jobs soon as the government’s furlough scheme nears its end, stolen identities are becoming increasingly valuable and are being openly sold on the dark web with the aim of conducting Universal Credit benefit fraud.
That is according to researchers at cyber intelligence firm IntSights, who have identified multiple cyber criminals offering scamming lessons and tutorials on how to commit benefit fraud in several countries, including the UK.
The UK’s Universal Credit system – which was designed to be a predominantly digital service –has struggled throughout the pandemic because of the sheer volume of claimants the Department for Work and Pensions (DWP) has had to deal with, and bottlenecks in the troubled Gov.uk Verify identity verification system.
These factors, coupled with limited face-to-face contact opportunities during the process – again thanks to restricted Job Centre access during the pandemic – have created a golden opportunity for cyber criminals to exploit, said Etay Maor, IntSight’s chief security officer.
In messages shared with Computer Weekly that were sent on the secure Telegram platform – increasingly favoured by cyber criminals because it offers more protection than communicating over the dark web – Maor revealed how cyber criminals are openly discussing the fact that Covid-19 has made benefit fraud more lucrative than ever.
“The government and civic agencies that are providing these benefits are under a lot of pressure to provide money to needy citizens, and what we now see is that a lot of the time, security checks are relaxed because they are under pressure to perform really fast,” said Maor. “Cyber criminals identify the areas in which each of these agencies are lagging, and that’s what they’re taking advantage of.
“These are what we would call fraud-as-a-service providers. These are professionals that are doing this, they are not just kids.”
IntSights shared evidence of one individual who was observed offering a Universal Credit fraud tutorial from a menu of other options – which included prominent online retailers. In this case, the Universal Credit tutorial was the most expensive item on the menu, coming in at £120.
Maor said the tutorial was more costly because of the advanced payment service offered through Universal Credit, which is an emergency one-off payment of between £500 and £1,500 designed to tide claimants over during the five or so weeks it usually takes to set up the full service.
While useful to bona fide claimants, this feature unfortunately makes Universal Credit something of a low-hanging fruit because if a cyber criminal can spoof a claimant’s ID to claim this advance payment, they can pocket the money before their victim has even noticed they have become a victim. Often, the first they will know about it is when a confusing DWP letter arrives telling them a claim that they haven’t made has been successful.
The risks for individuals who have had their identities spoofed to make fake claims are clear, said Maor. “If you are an individual who was going to file a claim, now that money is already gone and you need to start working on convincing the government that you didn’t take this money, and it wasn’t you.
“I don’t have a lot of great solutions for this, other than pay very close attention to the mail you receive. In this this case, it’s not like saying you needed to have better security hygiene because you lost your password – the victim has not really lost anything. The first point of contact is between the criminal and the government agency.”
Maor said there was a clear need for the DWP to take some action to shore up the security of the claims process. “I know as a security person it’s easy for me to say do this, do that and you’ll be secure, and if the DWP was to do everything that I would recommend, they’d have to probably hire thousands of employees just for security, which is not feasible,” he said. “But there are some minimum checks that I would like to see implemented.”
This could be as simple as requesting photo ID during the initial claims process. Maor said that even though this sort of check can itself be spoofed, it could also raise the bar just enough to put off some criminals.
A DWP spokesperson said: “The vast majority of claims to Universal Credit are legitimate and fraud and error in the benefits system remains very low, with 96.5% of benefits paid correctly.
“We continue to monitor and investigate emerging fraud threats and pursue those seeking to rip off the taxpayer using the full range of our powers, including prosecuting and tough financial penalties.”
The department has a number of dedicated teams to investigate various types of fraud perpetrated against the UK’s benefits systems, and recently established an enhanced checking service comprising 600 trained fraud investigators, to whom processing staff are to refer suspicious cases for investigation and verification. It told Computer Weekly this has made inroads into combating abuse of the system.
Elsewhere, the DWP works extensively with online platforms to shut down posts that promote fraud, and engages in proactive messaging on social media to raise awareness of the issue, and remind people of the importance of safeguarding their identity.