When state governments began expanding unemployment benefits for people affected by the coronavirus quarantine in March, fraudsters quickly got to work trying to steal the aid.
About 10% of unemployment insurance payments are improper under the best of times, “and we are in the worst of times,” Scott Dahl, the inspector general for the U.S. Labor Department, told the House subcommittee on government operations on June 1. Dahl estimated that at least $26 billion in benefits could be wasted, most of it going to scammers pretending to be deserving citizens who lost their jobs.
Florida, Massachusetts, North Carolina, Oklahoma, Rhode Island, Washington and Wyoming have all been hit with unemployment fraud, according to the security research firm Agari. The state of Washington has been hit the hardest. On Thursday, state officials said they had clawed back about $333 million of the estimated $550 million to $650 million paid to fraudsters.
Banks and prepaid card providers are said to be unwitting participants in the phony transactions. Unemployment insurance is deposited in bank and prepaid accounts set up by money mules who, knowingly or not, are helping the scammers.
One of the big questions is: Are banks doing enough to stop this from happening?
How the scheme works
Agari says it first discovered Scattered Canary, which it describes as a West African-based fraud ring behind most recent unemployment fraud, when the group impersonated a senior Agari executive in an email to the firm's chief financial officer and tried to trick him into sending a wire transfer. This type of email attack, which is called business email compromise, is a specialty of the group.
Scattered Canary typically assumes the identities of people who are still employed, and who therefore won’t notice that they’re not receiving unemployment benefits, and applies for unemployment insurance in their names. The fraudsters obtain the basic information they need to apply in three ways:
- They sometimes buy it on the dark web, where the ill-gotten gains of past data breaches are available for sale.
- They conduct business email compromise campaigns in which they send a convincing email that appears to be from a colleague asking for information.
- And they seek tax-filing-related data, impersonating a high-ranking executive such as the CEO of a company in an email asking employees to provide their W-2 documents immediately. Sometimes they simply look up public records to get the information they need.
Once a state government has accepted their applications, the fraudsters arrange to have the unemployment pay deposited into an account they’ve set up or, more likely, that of a money mule they’ve recruited. Sometimes they get people to act as mules through a romance scam, in which they pretend to be a love interest. In some cases, the mules are allowed to keep 10% or 20% of the proceeds.
One victim realized her identity had been used to file for unemployment benefits in mid-May when her state government sent her a request to verify her identity. That same day, she received prepaid cards from Netspend and Green Dot in the mail. She realized that fraudsters had concurrently opened up prepaid accounts in her name with Netspend and Green Dot and immediately reported the fraud to both companies and the government. The fraudsters probably planned to use virtual card numbers issued by the companies to collect the money, but they used the target’s actual address in their application. If they had thought it through, they probably would have provided a post office box.
State governments have difficulty spotting scams because they’re trying to help constituents quickly and therefore skipping some of the vetting they would normally do.
Before the COVID-19 pandemic, if someone filed an unemployment claim, there was usually a one- to two-week waiting period during which validation occurred.
“What's happened in this case, which is really why all of these scammers are jumping on the bandwagon of unemployment fraud, is most states want to get the money out as quickly as possible,” said Crane Hassold, senior director of threat research in Agari’s Cyber Intelligence Division. “And because of that, the validation that usually happens is not happening in some places or it's happening retroactively.”
Agari researchers coined the name Scattered Canary. The “Scattered” part of the name comes from the fact that the gang runs different types of scams concurrently, according to Hassold. “Canary” is a reference to the fact that during the 10 years Agari has been following the group, it has grown into a criminal enterprise of more than 35 people, so the researchers think of it as a canary in a coal mine.
Agari’s investigators pose as their client victims (some of which are banks) to communicate with the fraudsters and understand their work. In the past year, they engaged in about 8,000 attacks. Three weeks ago Agari began identifying the group’s work in unemployment fraud scams.
The Secret Service issued an alert about such scams last month, saying many originate from Nigeria. It might seem like it would take a lot of smarts to pull off such a scheme from far-off West Africa, but Hassold said he is not impressed.
“I would classify them more as experienced than smart,” said Hassold. “This is their job. This is what they do 40-plus hours a week. These groups in West Africa, and specifically Nigeria, have been at this for decades. They are very knowledgeable in how our systems work, and the best way to exploit them.”
A typical business email compromise attack will involve one or two dozen mule accounts. Through partnerships with financial institutions and organizations like the Financial Services Information Sharing and Analysis Center, the Agari team tries to notify banks where the funds are going.
What banks could do about it
Though the fraudsters seem to primarily use prepaid providers like Green Dot, they also have their money mules set up new accounts at banks.
“Banks are getting inundated,” said Al Pascual, co-founder of Breach Clarity. One large community bank has seen attempts to deposit as much as $200,000 in fake unemployment checks per day. Banks of all sizes are encountering the problem, Pascual said.
Julie Conroy McNelly, research director at Aite Group, said she has spoken with at least three banks over the past few weeks that have seen a significant uptick in inbound account applications that turned out to be related to mule accounts. They realize this after the mule accepts a bunch of large deposits and quickly drains the account.
Ideally, banks and prepaid providers would not accept unemployment deposits in money mules’ accounts. But recognizing a money mule account is not easy.
For one thing, legitimate new account openings have skyrocketed since the quarantine started. New money mule accounts can blend right in.
“Banks are not going to want to take a blanket approach to adding additional hurdles to new account applicants, since so much traffic has migrated online,” said Conroy McNelly.
However, banks can monitor activity on new accounts. If the first inbound transaction on a new account is an unemployment direct deposit, that should be flagged and routed to a human for manual review, especially if the customer immediately tries to withdraw the money.
“In some cases they catch it early and shut it down early,” Conroy McNelly said. In other cases, banks monitor the accounts to try to catch bigger fraud.
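The new-account monitoring rule described above can be sketched as follows. This is an added example, not code from the article or from any bank it mentions; the 30-day and 48-hour thresholds, the descriptor fragments, the ledger field names and the sample accounts are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Assumed thresholds and descriptor hints; tune to your own ACH data.
NEW_ACCOUNT_AGE = timedelta(days=30)    # how long an account counts as "new"
FAST_WITHDRAWAL = timedelta(hours=48)   # what "immediately" means here
UI_HINTS = ("UNEMPLOYMENT", "UI BENEFIT")  # constructed descriptor fragments


def is_unemployment_deposit(txn):
    """True for an inbound credit whose descriptor looks like a UI payment."""
    desc = txn["description"].upper()
    return txn["amount"] > 0 and any(hint in desc for hint in UI_HINTS)


def review_decision(opened_at, transactions):
    """Return None, "review" or "review-urgent" for one account's ledger."""
    ordered = sorted(transactions, key=lambda t: t["time"])
    first_in = next((t for t in ordered if t["amount"] > 0), None)
    if first_in is None or first_in["time"] - opened_at > NEW_ACCOUNT_AGE:
        return None
    if not is_unemployment_deposit(first_in):
        return None  # an established funding pattern came first
    deadline = first_in["time"] + FAST_WITHDRAWAL
    withdrawn = any(
        t["amount"] < 0 and first_in["time"] < t["time"] <= deadline
        for t in ordered
    )
    return "review-urgent" if withdrawn else "review"


def txn(day, hour, amount, description):
    """Build one constructed ledger row dated in May 2020."""
    return {"time": datetime(2020, 5, day, hour), "amount": amount,
            "description": description}


# Constructed ledgers: account name -> (opened_at, transactions).
OPENED = datetime(2020, 5, 1, 9)
SAMPLE_LEDGERS = {
    "acct-mule": (OPENED, [txn(6, 8, 1580.00, "STATE UI BENEFIT PMT"),
                           txn(6, 15, -1500.00, "ATM WITHDRAWAL")]),
    "acct-claimant": (OPENED, [txn(4, 8, 900.00, "PAYROLL ACME CORP"),
                               txn(12, 8, 790.00, "STATE UI BENEFIT PMT")]),
    "acct-slow": (OPENED, [txn(6, 8, 790.00, "STATE UNEMPLOYMENT INS"),
                           txn(20, 10, -60.00, "GROCERY POS")]),
}
```

The rule only routes accounts to a human reviewer; a legitimate claimant who opens a new account to receive benefits will also match "review", which is why the article describes manual review rather than automatic closure.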
One telltale sign that new account holders might be affiliated with Scattered Canary is extra periods in their email addresses, Hassold said.
Scattered Canary members often insert dots in different places in the email addresses they use. For instance, they might use c.rane.hassold@gmail.com or c.r.a.n.e.h.a.s.s.o.l.d@gmail.com.
“On most websites, that will be interpreted as individual emails, whereas with something like Gmail, Google ignores those periods,” Hassold said. “You can create dozens of accounts with different combinations of dots in an email address, but they all filter into a single Gmail account. So essentially it's centralizing the communication for a number of different accounts.”
This lets the fraudsters work more efficiently: Instead of having to log in to dozens of different email accounts and see what’s in them, messages from all the accounts are funneled into one central email account. In one case Hassold investigated, Scattered Canary was using 259 variations of a single email address on state and federal websites.
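A bank or agency can detect this pattern by collapsing each applicant address to the mailbox it actually delivers to and grouping applications that share one. The following is an added example, not code from the article or from Agari; the application IDs and the third and later sample addresses are constructed, and the list of dot-insensitive domains is an assumption limited to Gmail and its googlemail.com alias.

```python
from collections import defaultdict

# Assumption: only these domains ignore dots in the local part.
# The article names Gmail; googlemail.com is Gmail's alternate domain.
DOT_INSENSITIVE_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_mailbox(address: str) -> str:
    """Return the mailbox an address actually delivers to."""
    local, sep, domain = address.strip().lower().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    if domain in DOT_INSENSITIVE_DOMAINS:
        local = local.replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def dot_variant_clusters(applications, min_accounts=2):
    """Map each shared mailbox to the application IDs written to reach it."""
    ids = defaultdict(list)
    spellings = defaultdict(set)
    for app_id, email in applications:
        try:
            key = canonical_mailbox(email)
        except ValueError:
            continue  # malformed addresses are left to other validation
        ids[key].append(app_id)
        spellings[key].add(email.strip().lower())
    return {
        key: ids[key]
        for key in ids
        if len(ids[key]) >= min_accounts and len(spellings[key]) > 1
    }


# Constructed sample applications. The first two addresses are the dot
# patterns quoted in the article; the rest are made up for contrast.
SAMPLE_APPLICATIONS = [
    ("A-1001", "c.rane.hassold@gmail.com"),
    ("A-1002", "c.r.a.n.e.h.a.s.s.o.l.d@gmail.com"),
    ("A-1003", "Cranehassold@Gmail.com"),
    ("A-1004", "jane.doe@example.com"),
    ("A-1005", "janedoe@example.com"),
]

if __name__ == "__main__":
    for mailbox, app_ids in dot_variant_clusters(SAMPLE_APPLICATIONS).items():
        print(mailbox, app_ids)
```

The two example.com addresses stay separate because most mail systems treat dots as significant; only the Gmail variants collapse into one cluster.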
For banks, it’s a nuisance to have to shut these accounts down. The real victims are taxpayers, states and people whose stolen identities are used in the schemes, especially if they need to apply for unemployment benefits but can’t because somebody already used their identity to do so. People who seek jobless benefits are also affected even if their identities aren’t used, because states are having to devote resources to dealing with fraud, which delays or prevents them from helping legitimate claimants.
“Part of the problem is for the banks and credit unions who are facing this particular challenge, this is not on them, so they have to figure out how much effort they’re going to make for something that's not affecting them financially,” Pascual said.
Can banks do more?
Hassold acknowledged it's a challenge for prepaid card providers and banks to identify the mule accounts in unemployment scams, especially since the mules themselves don’t always know what’s going on.
“Unfortunately for a lot of business email compromise attacks, they're using legitimate bank accounts because they have romance scam victims that have been turned into unwitting mules,” he said. “They're using legitimate accounts that have no actual legitimate historical activity on them.”
Banks could also be educating customers at risk of becoming money mules in these schemes, such as people with low balances who might be tempted to participate or young people who lack experience in financial matters.
“At the end of the day, the mule is the other victim, even though they may seem complicit,” Pascual observed. “When things go sideways, they're going to wish they weren't involved.”