May 23, 2020

When a reliable method of scamming money out of people, companies or governments becomes widely known, underground forums and chat networks tend to light up with activity as more fraudsters pile on to claim their share. And that’s exactly what appears to be going on right now as multiple U.S. states struggle to combat a tsunami of phony Pandemic Unemployment Assistance (PUA) claims. Meanwhile, a number of U.S. states are possibly making it easier for crooks by leaking their citizens’ personal data from the very websites the unemployment scammers are using to file bogus claims.

Last week, the U.S. Secret Service warned of “massive fraud” against state unemployment insurance programs, noting that false filings from a well-organized Nigerian crime ring could end up costing the states and federal government hundreds of millions of dollars in losses.

Since then, various online crime forums and Telegram chat channels focused on financial fraud have been littered with posts from people selling tutorials on how to siphon unemployment insurance funds from different states.

Denizens of a Telegram chat channel newly rededicated to stealing state unemployment funds discussing cashout methods.

Yes, for roughly $50 worth of bitcoin, you too can quickly jump on the unemployment fraud “wave” and learn how to swindle unemployment insurance money from different states. The channel pictured above and others just like it are selling different “methods” for defrauding the states, complete with instructions on how best to avoid getting your phony request flagged as suspicious.

Although, at the rate people in these channels are “flexing” — bragging about their fraudulent earnings with screenshots of recent multiple unemployment insurance payment deposits being made daily — it appears some states aren’t doing a whole lot of fraud-flagging.

A still shot from a video a fraudster posted to a Telegram channel overrun with people engaged in unemployment insurance fraud shows multiple $800+ payments in one day from Massachusetts’ Department of Unemployment Assistance (DUA).

A federal fraud investigator who’s helping to trace the source of these crimes and who spoke with KrebsOnSecurity on condition of anonymity said many states have few controls in place to spot patterns in fraudulent filings, such as multiple payments going to the same bank accounts, or filings made for different people from the same Internet address.

In too many cases, he said, the deposits are going into accounts where the beneficiary name does not match the name on the bank account. Worse still, the source said, many states have dramatically pared back the amount of information required to successfully request an unemployment filing.

“The ones we’re seeing worst hit are the states that aren’t asking where you worked,” the investigator said. “It used to be they’d have a whole list of questions about your previous employer, and you had to show you were trying to find work. But now because of the pandemic, there’s no such requirement. They’ve eliminated any controls they had at all, and now they’re just shoveling money out the door based on Social Security number, name, and a few other details that aren’t hard to find.”

CANARY IN THE GOLDMINE

Earlier this week, email security firm Agari detailed a fraud operation tied to a seasoned Nigerian cybercrime group it dubbed “Scattered Canary,” which has been busy of late bilking states and the federal government out of economic stimulus and unemployment payments. Agari said this group has been filing hundreds of successful claims, all effectively using the same email address.

“Scattered Canary uses Gmail ‘dot accounts’ to mass-create accounts on each target website,” Agari’s Patrick Peterson wrote. “Because Google ignores periods when interpreting Gmail addresses, Scattered Canary has been able to create dozens of accounts on state unemployment websites and the IRS website dedicated to processing CARES Act payments for non-tax filers (freefilefillableforms.com).”

Indeed, the very day the IRS unveiled its site for distributing CARES Act payments last month, KrebsOnSecurity warned that it was very likely to be abused by fraudsters to intercept stimulus payments from U.S. citizens, mainly because the only information required to submit a claim was name, date of birth, address and Social Security number.

Agari notes that since April 29, Scattered Canary has filed at least 174 fraudulent claims for unemployment with the state of Washington.

“Based on communications sent to Scattered Canary, these claims were eligible to receive up to $790 a week for a total of $20,540 over a maximum of 26 weeks,” Peterson wrote. “Additionally, the CARES Act includes $600 in Federal Pandemic Unemployment Compensation each week through July 31. This adds up to a maximum potential loss as a result of these fraudulent claims of $4.7 million.”

STATE WEB SITE WOES

A number of states have suffered security issues with the PUA websites that exposed personal details of citizens filing unemployment insurance claims. Perhaps the most galling example comes from Arkansas, whose site exposed the SSNs, bank account and routing numbers for some 30,000 applicants.

In that instance, The Arkansas Times alerted the state after hearing from a computer programmer who was filing for unemployment on the site and found he could see other applicants’ data simply by changing the site’s URL slightly. State officials reportedly ignored the programmer’s repeated attempts to get them to fix the issue, and when it was covered by the newspaper the state governor accused the person who found it of breaking the law.

Over the past week, several other states have discovered similar issues with their PUA application sites, including Colorado, Illinois, and Ohio.


71 thoughts on “Riding the State Unemployment Fraud ‘Wave’”

  1. Mike Schumann

    It would be very helpful if you published a list of states that are vulnerable to this fraud, and a list of states that are doing a good job of detecting this stuff.

    As always, great job!!!!

    1. Terra

      Absolutely nothing honestly, can take an Arizona person’s info and apply in Washington … they check in to see if it’s a valid social not what issuing state and by the time they catch you never worked in Washington.. “the fraudster is long gone” cashing out a prepaid card.

    2. Jen

      Why so the people committing the fraud can know what states are vulnerable?? Smh

  2. Dave

    Great investigative journalism on this topic.

    This article highlights another problem…the lack of “in house” cybersecurity expertise at many state, county and local government levels. In the rush to get money “out the door” the mundane things like layered authentication and identity validation controls aren’t thought through sufficiently or at all. Just my two cents.

    1. Korwyn

      That’s not the only problem. It’s also when you do have in-house cyber-security or developers who are waving big red flags but they’re being over-ridden by upper management.

      1. Kay

        This was my very 1st thought. It sounds more like our government is funneling this money for themselves, that was meant for the people. I’m honestly not surprised.

      2. Thored

        This is exactly the case. Especially when there is a time constraint.

        Security teams will lay out why something is a bad idea and they are basically told to “shut up and color” because “we don’t have time to do that” and the project goes forward as planned.

  3. Stretch

    In Arkansas as with the administration, the free press is apparently the enemy of the people, and whistleblowers are threatened, and attacked as criminals by elected officials.

    1. Wannanbe tech guy

      The “free press” is an enemy of the people when they skew the “facts” to make someone they don’t like to ALWAYS be in the wrong.
      Not sure what “whistleblowers” you are talking about, but Snowden was an “enemy” under Barry’s time as well as others. I don’t trust anyone in government!

      1. JimV

        You should fit in well with the MAGA crowd of idiots, then.

        1. Jamie B.

          Another “world wide warrior” regurgitates. It’s easy to label people idiots while you’re sitting in your bathrobe and slippers in your living room and hiding behind your laptop.

    2. Adam

      When an institution becomes dance partners with a specific political party on every major public policy issue (globalism, 2A, abortion, etc), there is no “free press”. Rather, it becomes a partisan platform for pablum masquerading as unbiased “news”. Hiding behind the First Amendment to deflect criticism of a corrupt reciprocal arrangement with such political party is fraud.

  4. TheFed

    I’ve seen that before. Someone working in an agency bringing forth a major security breach was declared a “hacker” and targeted for discipline. That person was me. They dropped the whole thing as common sense slowly seeped into their thinking. But Arkansas governor accusing the person warning them is a real special kind of stupid.

    1. James Marich

      Yeah that’s typical of people who crucify you in order to take credit. Honestly, you should have just used their flaw to your advantage after ignoring you…..”fuck y’all then, I’ll just be one rich bitch”. All joking aside, I totally respect your skills as a programmer and I admire that skill set. I assume you work on a federal level hence your username and I’m thankful for people like you that know what to look for and how to manipulate. That’s pretty bad ass man, I gotta give it to you….changing a URL? Who in the hell thinks of that. Pretty genius

      1. L

        Who thinks of that? No one maybe because it’s outdated and most would assume greater security measures implemented, Hard to believe url alterations in 2020 of a government is still even an option.

  5. Robert Scroggins

    The free press depends upon free minded, informed users who ignore politically-motivated “news” that doesn’t meet the criteria of common sense and scientific basis.

    Regards,

  6. One Flew Over My House

    Great as always, Brian! Please say “Thank You!” to our HERO fraud investigator hiding in the bushes there.

    In deepest appreciation from… the peanut gallery.

  7. C

    Brian, your reporting is great, but why are you still confused about “citizens” vs. “residents”? You keep writing things like “to intercept stimulus payments from U.S. citizens, mainly because the only information required to submit a claim was name, date of birth, address and Social Security number.”

    The stimulus payments were for *all* fiscal residents, not just citizens. That’s *millions* of people that you’re systematically ignoring, pretending that only citizens have social security accounts, are victims of fraud, etc.

    You made the same mistake with the Equifax breach, repeatedly equating “victims of the breach” with “US citizens”.

      1. margaret bartley

        Because they are two different things.

        It’s like confusing “car” with “truck” – they are both vehicles, but they are two different things.

        Facts matter.

  8. KREBS HAS NO LIFE

    STAY OFF TELE GC’S AND STOP BEING FEDERAL I SEE WHY RUSSIANS MADE A CVV SHOP OF U UR A FUCKING NO LIFE

      1. Robert Owen

        Good to see that they are subscribed to your site. Shame their keyboard has the Cap lock stuck

      2. Fedora

        You know you’re doing something right when you get these type of messages..

  9. sun

    Some easy audits against the database:
    1) Look for any duplicates in e-mail after removing dots
    2) Look for any duplicates in the bank account number.

    Duplicate IPs probably a little harder to coordinate considering unemployment office seem apathetic or incompetent.

    1. John Clark

      Duplicate IP addresses for unemployment submissions is unrealistic. I live in an area where there are unemployment offices and libraries that have staff that will assist people to apply online on their office computers. That means that multiple submissions from the same IP. Of course the solution to that is that the security people white-list selected IP addresses. But then it becomes problematic when multiple people from the same household file unemployment from the family computer.

      In this time of Covid-19 households with multiple unemployed residents has created a storm when the government staffers were told to set up a system to make it as easy as possible to get money to those that are desperate to get money to buy groceries and pay rent.

      Yep, the criminals behaved as the scummy criminals that they are and took advantage of the situation.

      1. margaret bartley

        A white list of libraries and employment seeking agencies is easy, as is flagging IPs associated with more than two or three SSNs.

        If an IP is flagged, it could be checked by a human. But there is no excuse for not having employment details associated with the claims.

  10. Marie Sibenik

    One can request a personal pin from both the I.R.S. and most State tax departments

  11. The Sunshine State

    Great article #3 in the last two days !

  12. Dave

    I don’t understand the part of Brian’s report about gmail[.]com and Google ignoring the dots. Can someone explain?

    1. BrianKrebs Post author

      Gmail ignores any periods in its addresses that occur before the @gmail.com part. For example, while ex.ample@gmail.com is the same as example@gmail.com to Google, other providers or Web sites will likely treat these as two different email addresses. This in effect allows you to create a potentially huge number of email aliases that all go to the same inbox.

      As a side note, Gmail also ignores anything after a “+” that occurs before the @gmail portion of the address. So you can create an infinite number of aliases this way for each site you sign up at. E.g., if your email address was “example@gmail.com” you could use example+sitenamehere@gmail.com. So if you want to know if a site ever tries to sell your email address to someone (or perhaps if they get hacked), you can create a filter in Gmail to send all emails with that alias to a specific folder. The only caveat is some Web sites don’t allow you to sign up using “+” symbols in the first part of an email address.

      1. Alan Hodgson

        Many email systems, not just Gmail, treat anything after a + as a destination folder within the same parent account.

      2. LeBeau

        @BrianKrebs
        A big fan and follower of yours for years.
        Thanks for this gmail [. ] thing I was confused as previous reader when you mentioned that in your report.
        This GMAIL [. ] you just explained has helped to solve my many years of trouble with gmail – I always received emails with the same Name like mine but when I looked in whole email I see a DOT . Used Between first and last name –
        – I contacted google but never had a positive outcome
        I thought someone was using my account –

        I appreciate and value you
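
Added example (not part of the original article or of any commenter's post): the audits proposed in the comments above, namely duplicate e-mail addresses after removing dots, duplicate bank account numbers, and IP addresses tied to more than a few SSNs with an allowlist for libraries and unemployment offices, run over constructed claim records. Dots and "+" tags are collapsed only for Gmail, as described in the author's reply. The record field names, the sample data, the threshold and the `googlemail.com` alias handling are assumptions of this example.

```python
"""Added example: audits for duplicate unemployment filings (not the article's code)."""
from collections import defaultdict

# Assumption: only Gmail (and its googlemail.com alias) ignores dots and "+tags".
# Other providers may treat them as significant, so they are left untouched.
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_email(address):
    """Collapse Gmail dot and '+' aliases to the single inbox they reach."""
    local, _, domain = address.strip().lower().rpartition("@")
    if not local or not domain:
        raise ValueError(f"not an e-mail address: {address!r}")
    if domain in GMAIL_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def _shared(groups, min_ssns):
    """Keep keys seen with at least min_ssns distinct SSNs; list their claim ids."""
    return {key: sorted(cid for cid, _ in rows)
            for key, rows in groups.items()
            if len({ssn for _, ssn in rows}) >= min_ssns}


def audit_claims(claims, ip_allowlist=frozenset(), max_ssns_per_ip=3):
    """Return claims to route to a human reviewer, grouped by the shared attribute.

    Counting distinct SSNs (not rows) avoids flagging one claimant's repeat filings.
    """
    by_email, by_account, by_ip = (defaultdict(list) for _ in range(3))
    for c in claims:
        row = (c["claim_id"], c["ssn"])
        by_email[canonical_email(c["email"])].append(row)
        by_account[(c["routing"], c["account"])].append(row)
        if c["ip"] not in ip_allowlist:  # e.g. libraries, unemployment offices
            by_ip[c["ip"]].append(row)
    return {
        "email": _shared(by_email, 2),
        "bank_account": _shared(by_account, 2),
        "ip": _shared(by_ip, max_ssns_per_ip + 1),
    }


# Constructed sample records: SSNs use the never-issued 000 area, routing and
# account numbers are dummies, and IPs come from documentation ranges.
FIELDS = ("claim_id", "ssn", "email", "routing", "account", "ip")
SAMPLE = [dict(zip(FIELDS, row)) for row in [
    ("C1", "000-00-0001", "jane.roe@gmail.com", "000000001", "1111", "192.0.2.10"),
    ("C2", "000-00-0002", "j.a.n.e.roe@gmail.com", "000000001", "2222", "192.0.2.11"),
    ("C3", "000-00-0003", "JaneRoe+wa@googlemail.com", "000000001", "3333", "192.0.2.12"),
    ("C4", "000-00-0004", "j.doe@example.org", "000000002", "4444", "198.51.100.7"),
    ("C5", "000-00-0005", "jdoe@example.org", "000000002", "5555", "198.51.100.7"),
    ("C6", "000-00-0006", "lee@example.org", "000000002", "5555", "198.51.100.7"),
    ("C7", "000-00-0007", "kim@example.org", "000000003", "7777", "203.0.113.5"),
    ("C8", "000-00-0008", "ari@example.org", "000000003", "8888", "203.0.113.5"),
    ("C9", "000-00-0009", "noa@example.org", "000000003", "9999", "203.0.113.5"),
]]

if __name__ == "__main__":
    # 198.51.100.7 stands in for an allowlisted public library.
    report = audit_claims(SAMPLE, ip_allowlist={"198.51.100.7"}, max_ssns_per_ip=2)
    for check, hits in report.items():
        for key, claim_ids in hits.items():
            print(f"{check}: {key} -> {', '.join(claim_ids)}")
```

A hit here is a reason for human review rather than proof of fraud: a household can share a bank account or an IP address, which is the objection raised in the thread above.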

  13. Robert Owen

    I know Florida has reported a “hack” of their system. Which is sorta odd because it’s down more than up. Officials suggest that only 100 or so have had their info accessed.
    Then again we have the Trump mini me running the state, so who knows?

    1. John Clark

      Florida is also the state where government leadership has ordered staff to fudge the numbers or get fired. Example: The GIS manager that created the COVID-19 dashboard.

  14. Zuper

    You made them shut down their group! They’re scared of you!

  15. Rob bonner

    I have been compiling stories on the PUA rollout initially in Illinois but have discovered the issues I have experienced as a claimant all over the country.
    I have a sub reddit called r/illinoisbureaucrats that at this moment has 43 links to local news stories on claimant woes as well management issues. The head of Oklahoma’s program just quit last night with a terse resignation letter. Nevada was supposed to launch PUA today but failed. Keep digging all these contracts to Deloitte were no bid contracts upwards of 22 million in Illinois.
    I started the sub to rant but kept finding story after story, it’s bigger than the fraud, it’s waste mismanagement and corruption or at least over charging. Help.
    I am a claimant in Illinois stuck in limbo for 3 months. I built the sub just today and blown away by how horrible this is, my phone is off, sling will be off, Att will be off shortly. I need the funds. I got in touch my state rep and her chief of staff did try – I recd a eligibility letter but the portal still has me pending. There are thousands like me Illinois. Please don’t stop the first scandal was Fed mismanagement that cost lives, the second is this that is destroying us financially. We are so deep in debt the lump sum will just bring us up to our eyeballs,
    Keep going don’t stop

    1. margaret bartley

      So I went to reddit, but I don’t know how to find those 43 stories. Can you provide a link to them?

  16. FiCrimeGuy

    Working at an FI we’ve been trying our hardest to stop these mules, I’m amazed at the amount my relatively small institution has seen and we’ve seen a high volume from a state not even covered. They’ve hit 3-4 really hard, once those states patch their flaws the other states better be ready, they’ll absolutely be next.

    1. Nicci Fagan

      SAME! We already have name/SSN matching rules for direct deposits, but many states don’t give SSN, and a few states don’t even send the NAME consistently. We’re seeing a TON of UI payments from states to folks with addresses elsewhere – but since you file where you lost the job, not the state you live in, technically some of them could be legit. Boils down to “we’re doing the best we can with what we have” – and we could do A LOT BETTER if the states were consistent with the info on the deposits. It’s frustrating at best, infuriating most days…

  17. SteveC#

    Why should bureaucrats and politicians listen to IT security experts.

    They know they are smarter than the plebeians. Most politicians are ignorant and arrogant. Just look at Cuomo and Inslee.

  18. Peter J.

    Just saw this, looks like a repeated word in paragraph 8:
    “The ones we’re seeing worst hit are the states that _aren’t aren’t_ asking where you worked,” the investigator said.

  19. Losers

    There are other groups as well. There is a hidden group called the “Dog House” that does a lot of fraud and they brag about it all over the place

    Some of their users brag about it
    @goodtuna
    @PlugSZN

      1. Typical

        “The Westgate Shooter Was an Incel Who Wanted Couples to Feel ‘Pain'” -New Times

        “Hoes are indeed mad” -Maggot

        So you’re happy to cause other people pain and then laugh about it? What makes you any different from an incel who causes physical pain? You are no different and it’s only a matter of time before you snap. You are a danger to society

  20. Concerned Cit

    Telegram knows about these criminals and channels promoting fraud and just lets them continue to operate.

    Telegram even tried to make their own crypto which would have basically been a terrorist dream.

    Telegram is basically encouraging criminals to use their platform and it’s disgusting. We need to do something before the Government removes our right to free speech on the internet.

    Telegram isn’t helping, it’s hurting us in our fight to keep free speech!

  21. Ali McBeal

    These are not all Nigerian scammers.

    A lot of these people are citizens of the USA and I would consider their actions as putting National Security at risk. This is a form of domestic terrorism. They are stealing money for pandemic relief meant for US citizens.

    Not only are they stealing money from tax payers but people REALLY REALLY need this money to get by in these hard times. These people could be costing people their lives. How can telegram let these groups continue to operate while they harm our country.

    AIO crime and other groups like “Dog House” operated by @goodtuna take advantage of the systems we have in place to protect Americans. Please help bring a stop to the harm to our country during these extremely hard times.

    1. ROFl

      Your username sounds very familiar

      Don’t you run one of the biggest fraud groups on telegram

      1. Can't break 9k

        Nice try “Dog House”

        Why are you guys so mad lately? All the gift cards you bought with stolen CC and sold for btc on Paxful not making you enough money? Maybe you have your entire life savings in BTC from fraud and it just dropped to 8k?

        How much did you guys steal from Ibotta? $500k?
        @goodtuna claims he did over $80k alone in Walmart gift cards.

        1. Rofl

          We are so pissed why are you jealous people made money including yourself and how do you know about ibotta lol i dont even know what that is

    2. livid1

      1000% agree. this is in your face theft.

  22. Phil

    The last three payments made on my PUA claim are all marked as being paid to me, but my bank account does not show anything having come in. I had that setup for direct deposit, but I don’t have a clear cut way to double-check if the bank & account routing numbers were altered. My bank shows a payment coming in from UI, but for a very low amount and it doesn’t correlate with anything on my PUA claim for outgoing payments. Maybe I’m getting payments from an entirely different UI user account? I have no way to verify or audit any of this!

    1. Jay Smith

      I know that sometimes it says it was paid but takes 2 or more days to actually show up in your bank account. Keep trying to call the unemployment office. If you don’t have time to hold you can request a call back. I find the early morning is the best time to call. I hope this helps. If you’re too suspicious see if you can request a debit card now rather than direct deposit. Good luck!

  23. Wolfnoodle

    Phil, when I started out on UI something similar happened…I got a payment that didn’t quite match any amounts on my profile. At the time I had just finished wrangling with my employer and DUA over some furlough issues so thought it was back pay related to that. When my employer got PPP funds six weeks later to bring us back I went off UI…only when I closed my claim did DUA come after me for “overpayment fraud”. I had never received notifications about any irregularities, and this went down a few days before the fraud news broke. I haven’t been able to get any info from DUA about where this investigation came from. The only thing DUA will let me do is submit an “overpayment waiver” which assumes guilt.

  24. Sky

    So since they shut down websites how will everyone get their pua payments? When will the websites re open?

  25. PHP

    The US needs to get in control with income/tax etc.

    Where is the monthly reporting of income on SSN ? It should exist. And that would allow government to eliminate all who did not have an income before CoVid-19. And they would know where people worked and what they earned. Can also be used for tax purposes at the end of the year. And bust employees who work at a place, who does not seem to have a taxable income.

    All that said, there is plenty of e-commerce tools out there that can help spot fraud. And matching duplicate account number should be trivial, the same with e-mail addresses with . or + (Google throws away everything after +).

    1. Gnecht

      Far as I know, most of these unemployment agencies have quarterly reporting of employee wages. They’d know at least that much.

      The unemployment agencies can try to reduce friction for their claimants, and be exposed to fraud like this.

      Or they can try to eliminate fraud, and make the claims process about as hard as opening and maintaining a USA bank account. Which isn’t all that hard, but it’s enough to have an “unbanked” population.

  26. ann branchaud

    That’s a real bite in the *** because many people in NV are not getting paid the pua they are entitled to and now to hear all this money is going to Nigeria, and here I was thinking state governments were stealing funds…which I’m quite sure that is why NV is letting their citizens become homeless by holding back their payments for over 3 months now. It’s disgusting what this state has done to the citizens during this pandemic. The feds really need to step in here and take it away from the states system. Because they still can’t get it right by a long shot and the self employed and 1000’s of gig workers here are drowning.

    1. livid1

      Nevada government is proving to be pure evil. they are showing their hand. everyone should contact the president’s office as I have, and make serious noise. it is unreal what they put us through.

  27. Stephanie M Donahue

    Did anyone have any information on somebody that is open to it on their Pua and I’ve already given then information specifically on this site. I’ve called each and every day trying to figure out when the pending claims that are due to this issue and supposedly due to the last holiday will go through. If anyone has any contact information or a website or anything other than the actual Pua they don’t give you anything please contact me

  28. livid1

    Nevada is stealing from our PUA. they are making fun of us. no one is this incompetent. this seems like it is being done on purpose.
    the problem is, Americans have become too passive and they let these crooked politicians step all over them. where is the fighting spirit. everyone should contact the President’s office, like I have, and make some serious noise. enough is enough. all this evil indifference is destroying livelihoods.

  29. Amy

    So people that need unemployment benefits are not getting them because too many fraudulent claims? I can’t work yet as and need unemployment. What can I do?

Comments are closed.