How Employment Identity Theft Occurs

Employment identity theft occurs when a perpetrator uses another individual’s personal information to secure employment, obtain benefits, or submit fraudulent claims related to work. This type of identity theft significantly impacts victims’ financial standing, tax obligations, and employment history. It directly affects an individual’s professional identity and reported earnings. The scheme relies on the unauthorized use of sensitive data like a Social Security number (SSN), name, and date of birth to impersonate someone for employment-related gains.

Methods Used by Perpetrators

Criminals acquire personal information for employment identity theft through various tactics. One prevalent method involves digital scams such as phishing, smishing, and vishing, which trick individuals into divulging sensitive data. Phishing emails often appear to originate from legitimate sources like an employer or payroll service, requesting personal details such as W-2 data, Social Security numbers, or bank account information for direct deposit. These fraudulent communications pressure recipients into acting quickly, leading them to inadvertently provide confidential employment-related data.

Another significant source of stolen information is data breaches affecting entities that store employee records. These can include employers, third-party payroll providers, human resources platforms, or government agencies. When these systems are compromised, large volumes of personally identifiable information (PII), including names, addresses, dates of birth, and Social Security numbers, become accessible to cybercriminals. This stolen data is often sold on dark web marketplaces, providing perpetrators with details to commit identity theft.

Insider threats also represent a vulnerability. Current or former employees with authorized access to sensitive information may abuse their privileges, stealing co-worker or company data for fraudulent purposes. This internal access can bypass external security measures, making such breaches challenging to detect. The stolen data might include payroll records and employee contact information.

Perpetrators may also piece together information from publicly available sources or social media profiles to facilitate targeted attacks. While individual pieces of information might seem harmless, combining them can create a comprehensive profile. For example, details about an individual’s workplace or job title found online can be used to craft specific and believable phishing attempts.

Common Scenarios of Exploitation

Once personal information is acquired, perpetrators exploit it in various employment-related contexts. One common scenario involves filing fraudulent unemployment insurance claims using a victim’s stolen identity. Criminals use the victim’s Social Security number and other personal details to apply for unemployment benefits without the victim’s knowledge. These fraudulent claims can result in the victim receiving unexpected communications from state unemployment agencies, or tax forms like a Form 1099-G for benefits they never received.

Another prevalent form of exploitation is when criminals use a victim’s identity to secure actual employment. They might present the victim’s Social Security number and other identifying details to an employer, working under that stolen identity. This can occur when the perpetrator cannot pass background checks or is not legally authorized to work, making the victim’s clean record appealing. Consequently, wages earned by the perpetrator are reported to the Internal Revenue Service (IRS) under the victim’s name, potentially creating unexpected tax liabilities for the victim.

The diversion of paychecks or direct deposits also represents a significant form of employment identity theft. In these schemes, criminals gain access to an employee’s payroll information and alter the direct deposit banking details, redirecting legitimate earnings into an account controlled by the perpetrator. This often begins with phishing emails that trick employees into revealing payroll login credentials or manipulate payroll administrators into making unauthorized changes. The victim may not discover the theft until their expected paycheck fails to arrive.

Perpetrators may also use stolen identities to open fraudulent accounts or apply for employment-related benefits. This can include applying for health insurance, retirement plans, or other ancillary benefits associated with legitimate employment, all in the victim’s name. Such actions can lead to complex administrative challenges for the victim, as they may become unknowingly associated with medical claims or financial accounts they did not authorize.

Recognizing Signs of Compromise

Identifying employment identity theft often begins with recognizing indicators that something is amiss.

Unexpected Tax Forms

One common sign is receiving unexpected tax forms, such as a Form W-2, from an employer the individual has never worked for. Similarly, receiving a Form 1099-G for unemployment benefits from a state where no claim was filed is a strong red flag. These forms indicate that income has been reported to the IRS under the victim’s Social Security number, even if they did not earn it.

Notifications of Denied Benefits

Notifications of denied unemployment benefits or other employment-related claims that the victim never initiated can also signal compromise. For example, an individual might receive correspondence stating that their application for unemployment was denied because a claim already exists under their name, indicating a fraudulent application. The IRS may also send notices about discrepancies in tax filings, such as a duplicate tax return or an alert about unreported income.

Issues with Direct Deposit

Issues with direct deposit or unexpected changes to payroll information are another direct indicator of potential theft. If a regular paycheck does not arrive as expected, or if an individual notices unauthorized changes to their bank account details within their employer’s payroll system, it suggests a perpetrator may have diverted funds. Employers often report these changes to the IRS and Social Security Administration, linking the fraudulent activity to the victim’s official records.

Unexpected Mail or Credit Report Discrepancies

Receiving mail or other communications about jobs applied for or benefits received that the victim did not initiate can also be a warning sign. This might include job offer letters, background check notifications, or benefit enrollment packets for positions or programs the individual never pursued. Discrepancies on credit reports related to employment history or income that the victim does not recognize can also point to identity theft. For instance, an unfamiliar employer appearing on a credit report or an unexpected inquiry related to an employment background check could indicate fraudulent activity.