As millions of people around the United States scrambled in recent weeks to collect unemployment benefits and disbursements through the federal Cares Act, officials warned about the looming threat of Covid-19-related scams online.
Now they’re here. The Secret Service issued an alert about a massive operation to file fraudulent unemployment claims in states around the country, like Washington and Massachusetts.
Officials attributed the activity to Nigerian scammers and said millions of dollars had already been stolen. New research is now shedding light on one of the actors tied to the scams—and the other pandemic hustles they have going.
The email security firm Agari today will release findings that an actor within the Nigerian cybercriminal group Scattered Canary is filing fraudulent unemployment claims and receiving benefits from multiple states, while also receiving Cares payouts from the Internal Revenue Service.
So far this has netted hundreds of thousands of dollars in scam payments. Regular unemployment, the extra $600 per week that out-of-work Americans can claim during the pandemic, plus the one-time $1,200 payment eligible adults are receiving under the Cares Act are all vulnerable targets for cybercriminals.
In the midst of a pandemic and critical economic downturn, though, the theft of those benefits could have particularly dire consequences. The Secret Service warns that hundreds of millions of dollars could be lost to such scams just as states are running out of money to fund unemployment on their own.
The Secret Service says that scammers are using stolen personal information to file fraudulent relief claims, similar to how they perpetrate tax fraud year to year.
The Agari researchers add that the personal data fraudsters are using right now, like home addresses and Social Security numbers, may come not only from ancient data breaches but from a spike in payroll data theft in March and April. When scammers claim unemployment benefits in someone’s name, they are either getting to the money before the victim has a chance to, or are filing on behalf of people who haven’t actually lost their jobs.
In the case of the one-time Cares Act payments, scammers are submitting through the special “non-filers” IRS category to divert those payments into their own pockets. Agari researchers say that Scattered Canary has filed at least 82 Cares claims, of which 30 were accepted by the IRS.
“We can’t 100 percent confirm that the Scattered Canary actors we’re looking at are the actors the Secret Service is referring to, but at least one of these actors is committing unemployment fraud against the states of Washington and Massachusetts,” says Crane Hassold, Agari’s senior director of threat research and a former digital behavior analyst for the Federal Bureau of Investigation. “They’re also involved in committing fraud against Cares payments.”
In addition to those two states, the Secret Service said it also sees evidence of attacks in North Carolina, Rhode Island, Oklahoma, Wyoming, and Florida. Agari researchers say that Scattered Canary has filed at least 174 fraudulent unemployment claims in Washington since April 29 and 17 fraudulent claims in Massachusetts on May 15 and 16 that were all accepted. This is consistent with the Secret Service’s warning that Washington has been hit hardest by scam campaigns.
Over time, Agari calculates that all of those claims combined could pay out as much as $5.4 million if they aren’t blocked.
All sorts of hackers are on the prowl amidst the Covid-19 pandemic, deploying ransomware, conducting espionage operations, or scrambling to maintain an edge on public health and treatment measures for the virus. But as millions of people around the world face economic ruin, now is an especially cruel moment to target government programs designed to help them.