The federal government’s stimulus checks were meant to help people exactly like Krystle Phelps of Owasso, Okla.
She and her husband, Christopher, who have two children, recently lost their incomes after Oklahoma shut down the bars near Tulsa that she cleaned and that he supplied with vending machines. But when Ms. Phelps, 33, went to the I.R.S. website to check on the status of her family’s stimulus funds, she learned someone else had filed taxes on her husband’s behalf and used his identity to obtain their $3,400 payment.
“I cried all day,” said Ms. Phelps, who is about a month away from being unable to pay her mortgage and has cut out everything but the basics, canceling cable and eliminating snacks for the kids. “It is a little relief, and then you find out it isn’t happening.”
“I’ve been in this space for over 30 years and I have not seen anything like this in my entire career,” said Eva Velasquez, the chief executive of the Identity Theft Resource Center, a nonprofit based in San Diego that helps victims. “The scope, the scale, the speed and the efficiency of the scams is breathtaking.”
In recent weeks, criminals have used people’s Social Security numbers, home addresses and other personal information — much of which was available online from past data breaches — to assume their identities and bilk them out of their stimulus checks and unemployment benefits. As a result, calls to Ms. Velasquez’s organization were 850 percent higher in March than a year earlier, she said, and are still soaring.
The scale of the fraud has been enormous, fueled by the economic crisis and the confusion surrounding the $2 trillion stabilization plan that President Trump unveiled last month. That has been compounded by the government’s own lack of security measures for people claiming stimulus payments, with those going through the I.R.S. website to get their checks needing to input just a few pieces of information that scammers can readily obtain.
The Federal Trade Commission recently reported that it had gotten four times as many complaints about identity fraud in the first few weeks of April as it had received in the previous three months combined. And law enforcement agencies have issued warnings about the daunting array of ways that criminals are exploiting the coronavirus.
Even before the outbreak, losses from identity theft were enormous. Criminals made around $16.9 billion from identity fraud last year, the highest total in the last half decade, according to the data firm Javelin.
Many people’s personal information is readily accessible to hackers, amassed from dozens of data breaches over the past few years. Last month, Experian, the credit reporting agency, found a fresh batch of stolen data for three million people, containing all the pieces of personal information that a scammer would need to file for their stimulus checks.
The coronavirus has made it even easier for fraudsters to get more information. Many are bombarding Americans with emails and phone calls that use the uncertainty around the virus to distribute malware and get people to divulge their bank information and other data, which can then be used to defraud the same people. Google said it intercepted 18 million such emails last week.
Now criminals are deploying those troves of information to get their hands on the checks that the federal government is sending to needy Americans. Over the last month, more than 22 million people have filed for unemployment benefits.
Stimulus funds are separately expected to go out to around 150 million people. While the Treasury Department electronically deposited the money for around 80 million people who have bank accounts on file with the government, the I.R.S. created an online portal for the 70 million or so other recipients who did not have that information on file.
The portal allows people to enter a new bank account address for the government to send them their money. But it requires only a few pieces of data for verification: a Social Security number, an address, a phone number and a date of birth.
Security experts said that the I.R.S. had opened up the door to fraud by requiring so little data to claim the money. “The stimulus site is a little bit like ringing the dinner bell for hackers,” said Brian Stack, the vice president for dark web intelligence at Experian.
The I.R.S. did not respond to request for comment.
On forums on the darknet, where criminals gather to buy and sell identity information and discuss tactics, fraudsters have openly discussed the opportunities presented by the stimulus funds and unemployment benefits.
“Just a little warning that when that $1,200 drops in your account keep your eyes peeled because I am coming for that! lol,” said one message on a thread this month about the stimulus checks that was found by the security firm Sixgill.
Over the last month, 4,305 malicious website domains were set up to take advantage of people looking for new forms of government support, according to the security firm Check Point. The fake sites, with names like whereismystimulus and 2020reliefprogram, generally ask people to input their personal data with the promise that they can get information about their checks. But hackers then use the data against those who fall for the trick.
“This is El Dorado for hackers and pure hell for the victims,” said Adam Levin, the founder of CyberScout, a firm that helps companies protect against and manage identity theft.
Unlike many previous victims of identity theft who were often hit at random, those being targeted now are in particular need of the money.
Colin Chaplain, 21, in East Bridgewater, Mass., found out he had lost his unemployment benefits to a scammer the day after he was put on indefinite leave from his construction job this month. He made the discovery when he logged in to the state website to create a new profile and claim unemployment.
To his surprise, when he entered his Social Security number, the site responded, “Welcome back.” It also showed the last two letters of the street name of the person who had already claimed his check, he said.
Mr. Chaplain has since waited more than 10 days for a police report, which he needs to start the process of correcting things with the unemployment office. He said he’d had trouble getting through.
“I just let it ring, and two hours go by and nothing,” Mr. Chaplain said, adding that he had only enough savings to get him through the next few weeks. “I don’t know what else to do.”
Cortlyn Taylor, 19, who lives in Fishers, Ind., has also been trying to get help after she was laid off from her job at Walmart last month. When she applied for unemployment benefits, she learned an identity thief had beaten her to it. On the I.R.S. site, she found that the same person had grabbed her $1,200 stimulus check, which she needed to pay her mounting bills.
For the past few weeks, Ms. Taylor has been trying to get a response from the I.R.S. After not hearing back, she spent 10 hours one day driving to all three I.R.S. offices in Indiana, where she still could not find anyone to help.
Ms. Taylor lives with her mother, 56, who doesn’t work and has been recovering from the coronavirus. On Tuesday, Ms. Taylor said they were down to $4 in her checking account.
She said the local police had told her that they were hearing from lots of other people in the same situation. But with all of the backlogs and closed offices, she was told, the glacial speed at which identity theft cases are normally resolved was likely to be even slower.
“I kind of have to pause everything,” she said. “I can’t get a car in my name like I planned. I’m not going to be able to do a lot of things that I planned to do.”