This spring, as Washington began to pay out enhanced unemployment benefits to tens of thousands of laid-off workers, a criminal organization in West Africa hacked into the state’s unemployment system. A Nigerian fraud ring, called “Scattered Canary” by security researchers, stole the benefits, specifically the extra $600 a week Congress had added to unemployment checks.
Hiding behind a huge number of legitimate claims, and using personal information that was probably stolen in past consumer data breaches, Scattered Canary and other criminals filed thousands of illegal applications with the state’s Employment Security Department (ESD). By the time the fraud was understood, scammers had made off with “hundreds of millions of dollars,” ESD Commissioner Suzi LeVine said.
The amount that was stolen by Scattered Canary, as well as other bad actors, hasn’t been determined. Federal and state officials have pointed to Nigerian cyber-fraudsters as the people who took advantage of our lack of care, helped along by an economic crisis and political pressure to swiftly pay out checks to distressed workers without the usual scrutiny. Since the start of the pandemic, the state has paid out nearly $3.8 billion in benefits.
Washington’s unemployment system missed the red flags, including payments to out-of-state banks and the use of suspicious email accounts, according to security experts. All of that happened despite a $44 million software upgrade at ESD that was supposed to help detect such fraud.
This egregious theft of public dollars has made Washington the largest known victim of the fraud that also has hit at least six other states, according to a Secret Service Bulletin on May 14th. The federal Department of Justice is investigating.
Washington state Republicans are already using the losses to hurt Gov. Jay Inslee’s record of managing state government as he seeks a third term this fall. However, the major victims may be the Washingtonians who have now had their much-needed claims for jobless benefits delayed as the state tries to stop the fraud. Others who have already received money say their claims are being investigated for “possible overpayment.”
Washington’s workers are just the latest people to experience identity theft. Filing for unemployment insurance in Washington and many states requires personal information — Social Security numbers, birth dates, addresses — that is too easy to steal or buy on the dark web, thanks to massive data breaches. Even the credit reporting agency, Equifax, was hacked in 2017, which allowed access to the records of 145 million people, myself included.
Officials at ESD and at WaTech, the agency that manages the system the state uses to authenticate users for ESD and other state agencies, insist that when thieves have our personal information, it’s really difficult to stop them from filing fraudulent claims without also stopping legitimate filers.
The state considered a more stringent authentication system that was included with the upgraded software, but found that it was too difficult for many people to use and that it caused a big increase in calls for help from the agency, according to a 2017 assessment of the new Unemployment Tax and Benefit system (UTAB).
Starting in March, as the coronavirus shut down the economy, claim numbers skyrocketed to a peak of 181,975 initial claims in a single week. By late April, the state had taken in around 860,000 initial claims, freezing its website and call center. At the same time, across the country, federal and state officials demanded that we expedite benefits payments, even if it meant losing some security. Washington and other states dropped the usual waiting period between when a claim is filed and paid, so ESD didn’t always have enough time to verify claims before sending payment.
Scattered Canary began as a one-man shop running Craigslist scams, but has grown over time into a criminal syndicate targeting businesses, governments, and individuals with a variety of cons, according to Agari, the California cybersecurity company that first discovered and named the organization in early 2019.
U.S. authorities have cracked down on cyber-fraud conspirators in Nigeria and elsewhere. In 2018, a six-month sweep by the FBI and other agencies, called “Operation WireWire,” netted arrests of 74 people in the U.S. and overseas, including 29 in Nigeria and three in Canada, Mauritius and Poland, according to the Justice Department. The sweep targeted scammers who allegedly had defrauded numerous businesses and individuals through email schemes.
The United Nations also has been working to combat cybercrime, and it has been in West Africa for more than a decade. At one point, it produced a music video from a popular Nigerian artist urging youngsters not to join the alluring criminal enterprises.
Washington has been the top target so far, but that may not have been the result of any unique security flaw. The state was one of the earliest to start paying out the extra $600, which, on top of Washington’s already-generous unemployment benefits, meant that the thieves could potentially steal $1,390 a week per claim.
Washington may be the state hardest hit to date, but other states’ systems have been breached and defrauded as well, including Rhode Island, which also briefly paused payments, and Texas, which reported a huge spike in fraud in April.
Because Congress made the federal benefits retroactive to late March, several weeks before Washington was able to start paying them, many applicants (not always legitimate) had retroactive claims for multiple weeks waiting in the ESD’s system. As a result, the state was sometimes making abnormally large payments — reportedly as much as $20,000 — on a single date, probably boosting the fraudsters’ theft before the scheme was detected.
Washington made security choices with its individual objectives in mind — to get money into the hands of desperate Washingtonians hurt by the sudden loss of jobs and income. To that end, the state erred on the side of distributing benefits first, and asked for employer verification that applicants qualified for unemployment benefits later. In the meantime, workers, employers and politicians will push to put a price tag on what seems to be Washington state’s largest-ever fraud, but experts warn that it may be months before the full scope can be known.