As millions of people around the United States scrambled in recent weeks to collect unemployment benefits and disbursements through the federal CARES Act, officials warned about the looming threat of Covid-19-related scams online. Now they’re here.
On Thursday, the Secret Service issued an alert about a massive operation to file fraudulent unemployment claims in states around the country, like Washington and Massachusetts. Officials attributed the activity to Nigerian scammers and said millions of dollars had already been stolen. New research is now shedding light on one of the actors tied to the scams—and the other pandemic hustles they have going.
The email security firm Agari today will release findings that an actor within the Nigerian cybercriminal group “Scattered Canary” is filing fraudulent unemployment claims and receiving benefits from multiple states, while also receiving CARES payouts from the Internal Revenue Service. So far this has netted hundreds of thousands of dollars in scam payments. Regular unemployment, the extra $600 per week that out-of-work Americans can claim during the pandemic, plus the one-time $1,200 payment eligible adults are receiving under the CARES Act are all vulnerable targets for cybercriminals. In the midst of a pandemic and critical economic downturn, though, the theft of those benefits could have particularly dire consequences. The Secret Service warns that hundreds of millions of dollars could be lost to such scams just as states are running out of money to fund unemployment on their own.
The Secret Service says that scammers are using stolen personal information to file the fraudulent relief claims, similar to how they perpetrate tax fraud year to year. The Agari researchers add that the personal data fraudsters are using right now, like home addresses and Social Security numbers, may come not only from ancient data breaches, but from a spike in payroll data theft in March and April. When scammers claim unemployment benefits in someone’s name, they are either getting to the money before the victim has a chance to, or are filing on behalf of people who haven’t actually lost their jobs. In the case of the one-time CARES ACT payments, scammers are submitting through the special “non-filers” IRS category to divert those payments into their own pockets. Agari researchers say that Scattered Canary has filed at least 82 of these claims, of which 30 were accepted by the IRS.
“We can’t 100 percent confirm that the Scattered Canary actors we’re looking at are the actors the Secret Service is referring to, but at least one of these actors is committing unemployment fraud against the states of Washington and Massachusetts,” says Crane Hassold, Agari’s senior director of threat research and a former digital behavior analyst for the Federal Bureau of Investigation. “They’re also involved in committing fraud against CARES payments.”
In addition to those two states, the Secret Service said it also sees evidence of attacks in North Carolina, Rhode Island, Oklahoma, Wyoming, and Florida. Agari researchers say that Scattered Canary has filed at least 174 fraudulent unemployment claims in Washington since April 29 and 17 fraudulent claims in Massachusetts on May 15 and 16 that were all accepted. This is consistent with the Secret Service’s warning that Washington has been hit hardest by scam campaigns. Over time, Agari calculates that all of those claims combined could pay out as much as $5.4 million if they aren’t blocked. On Sunday evening, a Scattered Canary actor also filed a fraudulent unemployment claim in Hawaii. Agari says it was accepted.
The IRS did not return a request from WIRED for comment. The Hawaii Unemployment Insurance Special Activities Unit could not be reached for comment.
“The United States Secret Service Global Investigative Operations Center along with our Electronic Crimes Task Force partners have identified criminal actors targeting state unemployment insurance program funds,” a Secret Service spokesperson said in a statement. “Criminals will use stolen personally identifiable information to file fraudulent state unemployment claims. The Secret Service’s primary investigative priorities are to mitigate any attempts by criminals that target citizens for identity theft and cyber-enabled crimes as it relates to Covid-19.”