Why States’ Unclaimed Property Websites are Becoming a Lucrative Target for Fraud

Unclaimed Property Fraud

There are literally billions of dollars — somewhere between $40 billion and $50 billion — of unclaimed property held by states.

Each year, unclaimed or abandoned assets are turned over to each state’s Unclaimed Property divisions by financial institutions and businesses that lose contact with the owners of those assets. Each state’s treasury department serves as custodian of these assets and makes every effort to return them to the rightful owner or their heir.

Most states make it easy to check for your unclaimed property. Each state maintains a database of unclaimed property for that state, and most states make it easy to check for your unclaimed property.

Common types of unclaimed property are:

  • Bank accounts
  • Stocks and bonds
  • Uncashed checks (including dividend checks)
  • Insurance benefits
  • Wages
  • Safe deposit box contents

Current Safeguards

Unfortunately, the methods used to identify people attempting to reclaim this property are woefully inadequate. And given the large potential payoff, it’s not surprising that cybercriminals are flocking to these websites, especially those with weak verification defenses, to make fraudulent claims.

In 2019, the State of Arkansas was found to have paid more than $40,000 to at least one person who used stolen identities to make fraudulent claims through the state’s online claims tool. The state’s auditor said that the fraudsters used stolen identities to pose as owners of unclaimed property held by the auditor’s office and claim the property for themselves.

A spokesman for the auditor’s office said that whoever submitted the fraudulent claims had access to the type of documents, such as a passport or driver’s license, that the office required as proof of identity for people filling out online claims, and that “this person was an expert criminal.”

But, you really don’t have to be an expert to perpetrate this type of fraud given the dark web and the variety of simple online tools that cybercriminals now have access to in order to impersonate legitimate property owners. Without more modern approaches to identity verification, anyone with decent fakes can walk away with lots of money with little risk of apprehension.

State auditors and treasurers employ a variety of measures to sniff out fraudsters, — they focus on specific email addresses, track IP addresses where claims originate and also examine browser versions being used. In some cases, they looked at the rapid completion of forms and use of all capital letters which should raise red flags, since most claimants do not fill out forms quickly or use all caps. But, for a reasonably sophisticated fraudster, these defense mechanisms are child’s play.

“Any organization or government agency that still relies on counter fraud tools that cybercriminals defeated more than a decade ago is just asking to be victimized,” said Brett Johnson, known in cyberspace by the alias Gollumfun and dubbed the “Original Internet Godfather” by the U.S. Secret Service. Johnson was listed on the notorious U.S. most wanted list in 2006, before being arrested for cybercrime and laundering $4 million.

“The true insanity is there is an easy fix to make sure this fraud doesn’t happen — biometric-based identity verification,” Johnson said.“With this defense, the cybercriminal has to put some skin in the game — their actual selfie — and subject themselves to a liveness check. For most fraudsters, this shatters the anonymity that they often hide behind and introduces an extra layer of risk.”

A Smarter Way

Clearly, states need a better way to verify the actual identities of online claimants. Instead of relying only on government-issued IDs and online forms, state treasury departments need to add an extra layer of identity corroboration — a simple selfie.

Here’s how a selfie-centric approach would work:

  1. Users would complete an online form to make a claim for their rightful property.
  2. The user would then be asked to capture a picture of their government-issued ID (e.g., a driver’s license or passport). The ID is examined to ensure it is legitimate and undoctored.
  3. The user would also be asked to take a quick selfie, and is subjected to a brief liveness check.. This check is vital to ensuring the online user is physically present and not a spoof, bot or deepfake.
  4. A definitive “yes” or “no” verification decision is made within seconds.

This method offers several advantages over existing methods. The identity is rooted in a legitimate government-issued ID which is evaluated via AI and advanced machine learning algorithms. The selfie requirement is a strong deterrent to any would-be cybercriminal since it means they’re sharing their own likeness with the government agency that they’re looking to defraud — a powerful chilling effect.

The selfie is then compared to the picture on the government-issued ID to ensure that the ID hasn’t been stolen. Fraudsters can easily buy fake and real ID documents off the dark web and through a variety of websites. Lastly, the liveness check ensures that the claimant is physically present — another strong deterrent to even the most sophisticated cybercriminals. Because the whole process takes less than a minute, it can help lessen the friction of these sites and deliver a better user experience for legitimate claimants.

Next Steps

In practice, confirming the validity of uploaded documents is increasingly difficult as technology improves and offshore suppliers peddle fake IDs (as well as stolen IDs) over the internet. There are a variety of security features embedded in most ID documents, including watermarks, ghost images, holograms of the state seal, features only seen in ultraviolet light (blacklight), microtext visible only with a magnifying glass, and a “laser retrievable” element and these security features change from year to year.

At Jumio, we support more than 3,500 ID types across 200+ countries and territories and leverage informed AI and ML to check against these security features and help distinguish, with high levels of assurance, legitimate IDs from manipulated ones. It would be virtually impossible for human reviewers at a state auditor’s office to delineate fact from fiction without relying on advanced technologies.

Given the rise of the dark web and identity theft, states need a more robust, reliable and secure means to establish the legitimate online identities of property claimants. States must continue to share knowledge and best practices about processing claims and combating fraud and this necessarily should include modern forms of biometric-based online identity verification.

The potential payoff to fraudsters of unclaimed property is just too alluring, especially given the weak methods of identity verification in place to protect legitimate claimants.

Learn more about the security vulnerabilities of the states’ unclaimed property processes by listening to my podcast with Brett Johnson.

Listen on Spotify

Listen on Apple Podcasts

Jumio