Krebs on Security
When a reliable method of scamming money people, companies or governments becomes widely known, underground forums and chat networks tend to light up with activity as more fraudsters pile on to claim their share. And that’s exactly what appears to be going on right now as multiple U.S.
states struggle to combat a tsunami of phony Pandemic Unemployment Assistance (PUA) claims. Meanwhile, a number of U.S.
states are possibly making it easier for crooks by leaking their citizens’ personal data from the very websites the unemployment scammers are using to file bogus claims.
Last week, the U.S. Secret Service warned of “massive fraud” against state unemployment insurance programs, noting that false filings from a well-organized Nigerian crime ring could end up costing the states and federal government hundreds of millions of dollars in losses.
Since then, various online crime forums and Telegram chat channels focused on financial fraud have been littered with posts from people selling tutorials on how to siphon unemployment insurance funds from different states.
Denizens of a Telegram chat channel newly rededicated to stealing state unemployment funds discussing cashout methods.
Yes, for roughly $50 worth of bitcoin, you too can quickly jump on the unemployment fraud “wave” and learn how to swindle unemployment insurance money from different states. The channel pictured above and others just it are selling different “methods” for defrauding the states, complete with instructions on how best to avoid getting your phony request flagged as suspicious.
Although, at the rate people in these channels are “flexing” — bragging about their fraudulent earnings with screenshots of recent multiple unemployment insurance payment deposits being made daily — it appears some states aren’t doing a whole lot of fraud-flagging.
A still shot from a video a fraudster posted to a Telegram channel overrun with people engaged in unemployment insurance fraud shows multiple $800+ payments in one day from Massachusetts’ Department of Unemployment Assistance (DUA).
A federal fraud investigator who’s helping to trace the source of these crimes and who spoke with KrebsOnSecurity on condition of anonymity said many states have few controls in place to spot patterns in fraudulent filings, such as multiple payments going to the same bank accounts, or filings made for different people from the same Internet address.
In too many cases, he said, the deposits are going into accounts where the beneficiary name does not match the name on the bank account. Worse still, the source said, many states have dramatically pared back the amount of information required to successfully request an unemployment filing.
“The ones we’re seeing worst hit are the states that aren’t asking where you worked,” the investigator said. “It used to be they’d have a whole list of questions about your previous employer, and you had to show you were trying to find work.
But now because of the pandemic, there’s no such requirement. They’ve eliminated any controls they had at all, and now they’re just shoveling money out the door Social Security number, name, and a few other details that aren’t hard to find.
CANARY IN THE GOLDMINE
Earlier this week, email security firm Agari detailed a fraud operation tied to a seasoned Nigerian cybercrime group it dubbed “Scattered Canary,” which has been busy of late bilking states and the federal government economic stimulus and unemployment payments. Agari said this group has been filing hundreds of successful claims, all effectively using the same email address.
“Scattered Canary uses Gmail ‘dot accounts’ to mass-create accounts on each target website,” Agari’s Patrick Peterson wrote.
“Because Google ignores periods when interpreting Gmail addresses, Scattered Canary has been able to create dozens of accounts on state unemployment websites and the IRS website dedicated to processing CARES Act payments for non-tax filers (freefilefillableforms.com).”
Indeed, the very day the IRS unveiled its site for distributing CARES Act payments last month, KrebsOnSecurity warned that it was very ly to be abused by fraudsters to intercept stimulus payments from U.S. citizens, mainly because the only information required to submit a claim was name, date of birth, address and Social Security number.
Agari notes that since April 29, Scattered Canary has filed at least 174 fraudulent claims for unemployment with the state of Washington.
“ communications sent to Scattered Canary, these claims were eligible to receive up to $790 a week for a total of $20,540 over a maximum of 26 weeks,” Peterson wrote. “Additionally, the CARES Act includes $600 in Federal Pandemic Unemployment Compensation each week through July 31. This adds up to a maximum potential loss as a result of these fraudulent claims of $4.7 million.”
STATE WEB SITE WOES
A number of states have suffered security issues with the PUA websites that exposed personal details of citizens filing unemployment insurance claims. Perhaps the most galling example comes from Arkansas, whose site exposed the SSNs, bank account and routing numbers for some 30,000 applicants.
In that instance, The Arkansas Times alerted the state after hearing from a computer programmer who was filing for unemployment on the site and found he could see other applicants’ data simply by changing the site’s URL slightly. State officials reportedly ignored the programmer’s repeated attempts to get them to fix the issue, and when it was covered by the newspaper the state governor accused the person who found it of breaking the law.
Over the past week, several other states have discovered similar issues with their PUA application sites, including Colorado, Illinois, and Ohio.
Agari, Pandemic Unemployment Assistance, Patrick Peterson, Scattered Canary, secret service
Covid-19 Scammers Driving Unemployment Fraud Across Nation
Unemployed Americans aren’t the only ones waiting for the next pandemic relief check. A slew of fraudsters, including an organized Nigerian cybercrime ring, are also looking to get paid.
And they have plenty of tricks to pull it off— using the names of dead people and personal information collected in previous data breaches to create false beneficiaries to gain access to benefits meant to help workers.
At least 11 states are seeing an increase in fraudulent unemployment insurance activity fueled by the millions of claims coming in each month and additional federal dollars being offered to the unemployed due to the coronavirus pandemic.
Places including Arizona, Colorado, Maryland, New York, Ohio, Texas, and Washington combined are reporting billions of dollars in fraud, according to a Bloomberg Government review of unemployment actions across the nation. States and the U.S. Department of Labor and I have issued alerts.
The rise in criminal activity not only leads to less money for the unemployed, but also could increase contribution rates for businesses, lead to a loss of funds for states, and add to the federal deficit, experts say.
“It’s its own cyber pandemic,” said Leslie Corbo, director of cybersecurity programs and associate professor of cybersecurity at Utica College.
“They’re taking advantage of a bad situation right now,” she said of the scammers. “I think it’s going to continue until there’s some kind of controls that are put in place.”
An Enticing Opportunity
The increase in fraud is driven largely by the rush of legitimate claims coming in, and pressure on state governments to get benefits out as soon as possible, Corbo said. Many government controls were relaxed in an effort to get the funds out, she said.
The situation is exacerbated by the availability of personal information on the “dark web” as a result of major security breaches, as well as the push to get government services online, experts said.
The $2.2 trillion federal CARES Act, which provided an additional $600 a week in benefits per person, created an even more enticing opportunity for fraud, said Douglas Holmes, president of UWC – Strategic Services on Unemployment & Workers’ Compensation, a business group.
“They tend to target claims that have multiple weeks to be paid that are high-value claims, so that the return on taking the risk of being caught is greater,” Holmes said. Under the act, individuals as late as May could claim unemployment dating to March.
The federal relief bill also provided aid to independent contractors and gig workers, who traditionally wouldn’t qualify for unemployment benefits under what’s known as the Pandemic Unemployment Assistance, or PUA, program. States have seen massive amounts of fraud related to the program, which largely relies on self-attestation by the independent workers as they file claims.
Colorado last month announced it had stopped $750 million to $1 billion in improper payments—more than three four claims made under the PUA program were fraudulent, according to the state’s Department of Labor and Employment.
President Donald Trump in August authorized the release of an additional $44 billion in disaster relief for unemployment payments under the Lost Wages Assistance program, extending benefits.
Nigerians, Dead People, the Dark Web
Typical problems, such as people collecting unemployment while they’re working are still occurring, but there’s been a rise in well-organized attempts at identity theft, the creation of fictitious businesses and account takeovers, both domestic and overseas, said Jon Coss, founder of Pondera Solutions Inc., a firm that searches for fraud, waste, and abuse in health-care and government programs
And then there’s the Nigerian fraud ring known as “Scattered Canary.”
The crime ring—ironically birthed high unemployment rates in the African country and focused on romance and real estate scams—has diversified to include fraudulent unemployment filings, said Armen Najarian, chief identity officer for Agari, the Silicon Valley-based cybersecurity company that works with federal law enforcement that first identified the ring.
Hundreds of millions of dollars in unemployment insurance already has been extracted by organized crime rings, including Scattered Canary, from at least 11 states including Washington, California, Massachusetts, and Hawaii, Najarian said.
They run a business, with several dozen employees testing states for weaknesses in their systems using everything from hacked information to procuring identities from the dark web—where fraudsters, using hidden websites not accessible through conventional browsers, buy personal information such as social security numbers.
The ring often uses Google’s free Gmail service to mass-create accounts on state unemployment websites and the IRS website dedicated to processing CARES Act payments, according to an Agari report. They then direct all communications to one email.
Schemes and ways to defraud the government are seemingly endless and there are even how-tos on how to defraud states, available for sale on the dark web.
The scammers have unemployment funds sent to houses that are for sale where the owners have already moved out, Corbo said. Using personal information from the dark web, they can sit by the mailbox and wait for the money to come in.
Fraudsters have also been known to create a fake businesses, register with a state, steal identities to create employees, and then “hire” them, Pondera’s Coss said. They then lay those employees off and apply for unemployment insurance benefits using the stolen identities.
They often use shared bank accounts for hundreds or thousands of claimants, as well as shared phone numbers and addresses, he said, adding they may also use the names of people who are still working and don’t know their information is being used.
In Ohio there were 1,700 claims seeking cash on behalf of dead people, and three separate email addresses that were attached to 100 claims each for people who didn’t live in the state, according to the state Department of Job and Family Services.
In the States
Arizona reported nearly 2.7 million unemployment claims from the beginning of the pandemic through August, and there are only 3.4 million working Arizonans, with more than 1 million PUA claims flagged as potentially fraudulent.
Colorado, as previously mentioned, reported from from July 18 to Aug. 25, that it had processed 62,498 filings, 48,206 of which were found to be fraudulent.
Maryland in July uncovered a massive criminal enterprise with more than 47,500 fraudulent unemployment claims totaling over $501 million, according to its labor department.
New York has seen $1 billion in fraudulent activity since the start of the health crisis, referring more claims to law enforcement from mid-March to August than it has in the past decade, stopping more than 42,200 fraudulent claims.
Potentially fraudulent PUA claims in Ohio are estimated to cost the government $200 million in payouts each week. In July alone the state placed 270,000 suspicious claims on hold.
Texas locked more than 4,500 potentially fraudulent claims so far this year for a total of $68.2 million—nearly 150% increase over the more than 1,856 in phony claims valued at about $11.5 million identified in 2019. The state has seen 5.3 million claims for $32 billion—several years’ worth of claims in just six months.
Washington state was hit hard by Scattered Canary, according to experts and media reports. From March through July, the state paid out more than $8.8 billion in benefits to almost 1 million people. Nearly 86,500 claims paid, equating to $576 million, were fraudulent, $351 million have since been recovered.
There’s ly to be more fraud discovered in January when tax forms are mailed out, said Terry Savage, a nationally syndicated financial columnist and author who has written on the recent rise in unemployment scams.
Taxpayers may see unemployment funds listed on their tax forms that they may not have requested or received, she said. It will be telling of how many dollars were actually paid out in fraudulent claims, she said. “I think it’s going to be monumental.”
Combating Fraud, Increasing Debt
States are getting better at identifying these threats, Najarian said.
They increasingly are using artificial intelligence and other technology to identify and deny claims before they’re paid out.
They’ve also increased their verification processes, authenticating emails and addresses, and looking at Internet Protocol, known as “IP” addresses to see where the requests are coming from, experts said.
New York has a “rigorous” application and screening process to weed out fraudulent claims, including checks by multiple state agencies, state labor department Commissioner Roberta Reardon said in an emailed statement.
“Unemployment benefits are a lifeline for New Yorkers who lose their jobs, and it is unconscionable that dishonest individuals would steal from them and the system for their own gain,” she said.
Still, states may end up having to borrow money from the federal government or issue bonds to pay for the spike in unemployment claims, UWC’s Holmes said. “Sometimes you can’t catch it before you make the payment, because of the volume or connection.”
The increase in fraud also could be bad for businesses, which have to pay an unemployment contribution, basically a tax to the state, he said. If there are no layoffs, the contribution rates go down, if there are more, the rates go up, he said. And if the federal government also needs to borrow, the federal deficit increases.
“It’s a bad, bad, bad thing,” he said.
The failure of the federal government to come to an agreement on a second relief package, however, decreases the allure for fraudsters.
The U.S. Department of Labor announced it would provide $100 million to states to combat an “unprecedented increase” in unemployment claims and “increased fraudulent activity and identity theft amid new and emerging fraud schemes,” across the nation.
More funding is needed to modernize some of these state systems, Coss said. “It’s critical to the functioning of the economy.”
—With assistance from Alex Ebert, Tiffany Stecker, Tripp Baltz, and Paul Stinson.