May 20

U.S. Secret Service: “Massive Fraud” Against State Unemployment Insurance Programs

A well-organized Nigerian crime ring is exploiting the COVID-19 crisis by committing large-scale fraud against multiple state unemployment insurance programs, with potential losses in the hundreds of millions of dollars, according to a new alert issued by the U.S. Secret Service.

A memo seen by KrebsOnSecurity that the Secret Service circulated to field offices around the United States on Thursday says the ring has been filing unemployment claims in different states using Social Security numbers and other personally identifiable information (PII) belonging to identity theft victims, and that “a substantial amount of the fraudulent benefits submitted have used PII from first responders, government personnel and school employees.”

“It is assumed the fraud ring behind this possesses a substantial PII database to submit the volume of applications observed thus far,” the Secret Service warned. “The primary state targeted so far is Washington, although there is also evidence of attacks in North Carolina, Massachusetts, Rhode Island, Oklahoma, Wyoming and Florida.”

The Secret Service said the fraud network is believed to consist of hundred of “mules,” a term used to describe willing or unwitting individuals who are recruited to help launder the proceeds of fraudulent financial transactions.

“In the state of Washington, individuals residing out-of-state are receiving multiple ACH deposits from the State of Washington Unemployment Benefits Program, all in different individuals’ names with no connection to the account holder,” the notice continues.

The Service’s memo suggests the crime ring is operating in much the same way as crooks who specialize in filing fraudulent income tax refund requests with the states and the U.S. Internal Revenue Service (IRS), a perennial problem that costs the states and the U.S. Treasury hundreds of millions of dollars in revenue each year.

In those schemes, the scammers typically recruit people — often victims of online romance scams or those who also are out of work and looking for any source of income — to receive direct deposits from the fraudulent transactions, and then forward the bulk of the illicit funds to the perpetrators.

A federal fraud investigator who spoke with KrebsOnSecurity on condition of anonymity said many states simply don’t have enough controls in place to detect patterns that might help better screen out fraudulent unemployment applications, such as looking for multiple applications involving the same Internet addresses and/or bank accounts. The investigator said in some states fraudsters need only to submit someone’s name, Social Security number and other basic information for their claims to be processed.

Elaine Dodd, executive vice president of the fraud division at the Oklahoma Bankers Association, said financial institutions in her state earlier this week started seeing a flood of high-dollar transfers tied to employment claims filed for people in Washington, with many transfers in the $9,000 to $20,000 range.

“It’s been unbelievable to see the huge number of bogus filings here, and in such large amounts,” Dodd said, noting that one fraudulent claim sent to a mule in Oklahoma was for more than $29,000. “I’m proud of our bankers because they’ve managed to stop a lot of these transfers, but some are already gone. Most mules seem to have [been involved in] romance scams.”

While it might seem strange that people in Washington would be asking to receive their benefits via ACH deposits at a bank in Oklahoma, Dodd said the people involved seem to have a ready answer if anyone asks: One common refrain is that the claimants live in Washington but were riding out the Coronavirus pandemic while staying with family in Oklahoma.

The Secret Service alert follows news reports by media outlets in Washington and Rhode Island about millions of dollars in fraudulent unemployment claims in those states. On Thursday, The Seattle Times reported that the activity had halted unemployment payments for two days after officials found more than $1.6 million in phony claims.

“Between March and April, the number of fraudulent claims for unemployment benefits jumped 27-fold to 700,” the state Employment Security Department (ESD) told The Seattle Times. The story noted that the ESD’s fraud hotline has been inundated with calls, and received so many emails last weekend that it temporarily shut down.

WPRI in Rhode Island reported on May 4 that the state’s Department of Labor and Training has received hundreds of complaints of unemployment insurance fraud, and that “the number of purportedly fraudulent accounts is keeping pace with the unprecedented number of legitimate claims for unemployment insurance.”

The surge in fraud comes as many states are struggling to process an avalanche of jobless claims filed as a result of the Coronavirus pandemic. The U.S. government reported Thursday that nearly three million people filed unemployment claims last week, bringing the total over the last two months to more than 36 million. The Treasury Department says unemployment programs delivered $48 billion in payments in April alone.

A few of the states listed as key targets of this fraud ring are experiencing some of the highest levels of unemployment claims in the country. Washington has seen nearly a million unemployment claims, with almost 30 percent of its workforce currently jobless, according to figures released by the U.S. Chamber of Commerce. Rhode Island is even worse off, with 31.4 percent of its workforce filing for unemployment, the Chamber found.

Dodd said she recently heard from an FBI agent who was aware of a company in Oklahoma that has seven employees and has received notices of claims on several hundred persons obviously not employed there.

“Oklahoma will likely be seeing the same thing,” she said. “There must be other states that are getting filings on behalf of Oklahomans.”

Indeed, the Secret Service says this scam is likely to affect all states that don’t take additional steps to weed out fraudulent filings.

“The banks targeted have been at all levels including local banks, credit unions, and large national banks,” the Secret Service alert concluded. “It is extremely likely every state is vulnerable to this scheme and will be targeted if they have not been already.”

Update, May 16, 1:20 p.m. ET: Added comments from the Oklahoma Bankers Association.

Tags: , , , , , , ,


  1. Washington state is huge thing. I know 50 people with fraudulent claims at least. My wife and I both claims were from @yopmail.com email domain. Seems like an easy thing to flag if so many were from that domain. Crazy.

    • I am making a good salary online from home.I’ve made 97,999 dollar.s so for last 5 months working online and I’m a full time student. I’m using an online business opportunity I’m just so happy that I found out about it…

      ====>>> http://www.workbaar.com

      • Please leave this spam comment. It’s exactly the mechanism through which these fraudulent claims are likely be laundered.

        • Yeah that was my thought, too. This one is really on point.

          • Mr Krebs, I think “witting or unwitting” is a better term to use than “willing or unwitting individuals”.

            Keep up the great articles Mr Krebs. See you at the Krabbie Patty!


    • You know of 50 fraudulent claims? How many have you turned in?

  2. I live in Washington. I was hit twice. I ‘ve never had an ID theft situation and I freeze my credit, use LastPass religiously, etc. Last night I received a Self Employment Insurance Claim notice from the WA Employment Security Dept. I immediately filed a fraud claim with them. Claim number was in the 7XXX range. This AM I arrived at work (yes I’m still going to work) and HR sent me a copy of a an Unemployment Insurance Claim notice from the same WAS ESD. So I again filled out the fraud form. This time my claim number was 11XXX. I hope they aren’t generating them in a serial fashion, but knowing govt systems, I wouldn’t be surprised if they were. The inability of the people running these systems to put the most basic fraud controls in place other than mailing a letter to the victim 30 DAYS!!! after the claim was filed, is disheartening to say the least.

    • Wòw. Problem for you!

    • I am in WA state and received the same message. The fraud claim ID is 27XXX. Unreal. When filing a claim it does say, “We will lock this claim, it will no longer be associated with your personal information.” I pray that means it’s over and not the same circus that was required by the IRS when someone filed my taxes for me.

  3. The government I want and pay for, would send the SS out to fix these issues. The government I dream of, would have anticipated and solved these problems ahead of time.

    • So the first thing you think of is … “go run to daddy”. This is a state issue not a federal issue. Enroll in a civics course. If you already did, enroll again until you pass.

      • Kent Brockman

        You’re the one that needs a lesson in civics. Crimes that cross state lines are in many instances handled by the feds, wire fraud for example.

      • Sacred Ground

        Interstate money laundering for an international fraud ring? How is that not a federal concern?

    • I hope that your reference to “SS” is to the “Secret Service” and not to the Nazis.

  4. Thanks for another good article, Cyberhero Krebs (I’m considering shortening that to “CK” or “CBK” for the sake of/in the name of brevity)!

    I’m definitely not new to computers (almost 30 years of professional software development) but have rather just recently begun to apply my skills to help fight the good fight in “cybersecurity” so what I’m wondering is what types of technology are potentially being leveraged in this scam… Off the bat from the article it sounds like it could be basic old-school social engineering and phishing and what-not but where the hell is all of that PII from that is specifically related to first responders and government/educational employees? That’s a bit creepy and makes me wonder if the head IT agencies (“Department of Information Resources”) in the states that were primarily affected are aware of any leaks in their databases that store the PII of their state employees…

    … But because your site is where I really first became aware of the extent of the whole C&C botnet army problem, and also because I still have nightmares about that IoT army that was conscripted to DDOS the heck outta you and half the Internet backbone, I’m also starting to think that maybe somehow the Nigerians figured out how to turn all those smart refrigerators, thermostats and window blinds into some sort of network of ne’r-do-well ACH mules…

    I swear CBK, ever since I read your story about that record DDOS attempt at censoring you I haven’t looked at a single appliance the same way – I don’t trust any of ’em 😀

    Thanks for keeping up the good fight Cyberhero Krebs

  5. Hi there, I want to subscribe for this website to take most recent updates,
    therefore where can i do it please help.

  6. http://www.makeOHIOgreat.com
    Umm how they get the Goverment Employees data? From unsecured violations of CJIS laws of Police and Government Systems not being Reported to public and Ohio Attorney General……
    Videos of meetings of Officals from former Government Systems Administrator reporting misconducts of cyber security, public records and funds misconducts to Ohio Attorney General and Ohio Attorney General won’t Investigate as City Council President is Ohio Attorney General Supervisor and Ohio Board of Elections Staff hunting records.
    911 and Cyber Security Issues
    Details at http://bit.ly/39O1NkE

    • In Maryland, as recently as a couple of years ago the state of Maryland’s Department of Labor, Licensing and Regulation required its unemployed customers to input their Social Security numbers in order to use services at its centers. Also, I wonder if the DLLR contractors’ software allowed them access to SSNs which could be cut and pasted.

  7. How come the FBI isn’t mentioned in this?

    • This is basically the secret service’s job. They deal with counterfeit currency mostly, bank heists, and heists like this.

    • The Secret Service has jurisdiction in computer fraud related to the US Treasury like this. The presidential and diplomatic protection detail is only a small part of, though the most visible, what the SS does.

      I do wonder how long it will be before Republican spin doctors start claiming the fraudulent claims are inflating unemployment numbers so the “real numbers” are much lower than reported.

  8. Interesting… The comment I just posted about whether there were any known leaks from any of the state DBs that store PII for state employees said “awaiting moderation” and now it’s just gone.

    There wasn’t anything questionable that I can think of in my comment other than a joke about not trusting IoT devices after Mr. Krebs’ DDOS nightmare…

    I’m a huge fan, Cyberhero Krebs; not sure why I was censored and don’t really like it but I sure am sorry if I offended you in some way…

    • Mikey Likes It

      @Paul Mikol

      Patience is a virtue. (Is that your post, at 1:56am?)

      I don’t blame Brian for setting comments to moderation (especially in the middle of the night), to try to keep comments relevant and appropriate. Or whatever criteria he chooses; it’s his site and, like most of us, I’m grateful for it.

      I’ve had posts seemingly disappear for moderation and then magically appear a bit later. I can only hope that despite moderating while investigating and writing Krebs on Security, Brian somehow manages to get some sleep. 🙂

  9. Here are some thoughts for a related follow on article and possible present answers are appreciated if you have them:

    First, a typical vulnerable group to cooperate with such gangs are millennials, and seemingly all American kid next door, as evident by their poor work ethic, unwillingness to actually want to work and hold a real job, lack of loyalty to their jobs and employers, and pattern of actually scamming their employers in soft or hard scans and having zero remorse about it. A lot of them believe or not even go into reserves, and only work one day a week, to get some ultimate benefit out of it, and get coached by their friends, etc. as to various ways of cheating people or the system out of easy earned money. This is quite a vulnerable group to fall prey to such operations.

    I’m sure there are other patterns so to find these groups, there must be a psychological profiling pattern and methodology on the part of our anti-terrorist units aiding our various agencies and I’m sure they’re already at work on this, or not maybe all of them.

    Next, how are the mentioned crime rings getting this much info to be able to file unemployment claims and tax returns in names of Americans?

    What are the known methods by which the innocent employees’ information are being leaked?

    Are they hacking this information out through cyberattacks, or is the employees’ information being given out through other insider threats such as bad actors—bad employees who are moles and are selling employee info on open market directly or indirectly to those involved in this crime.

    Neli Hayes

    • As Brian has mentioned numerous times, much of the information comes from dark web where people buy things online or fall victims to scam offered information unwittily which is then used to steal from them. They prey on emotion.
      It has nothing to do with their ability to hold jobs as you stated.

    • The bulk of it is from phishing. They send you an email that says “Important update on your amazon order” or some other plausible thing. Then they give you a link to a fake amazon website where you enter your data. I’ve been targeted by hundreds of these over the past few years. Then some company with my data gets hacked and now I get personalized phishing emails, credit card fraud, etc. Then some company like facebook or google sells all my personal data and now I get personalized emails from known contacts with phishing scams.

    • The people who fall for romance scams aren’t millennials. They’re usually older (60+) and not very savvy with technology.

      • That is such BS people over sixty have great computer skill and they don’t constantly use there phone for that kind of stuff it’s all the millennials that are the ones that are the idiots when it comes to personal data and use there phones to pay for purchase and more and if you are a big enough idiot to store such info on your phone at some time it will be taken by Bluetooth or other means !!

    • In short; ‘Millenials are targets’.

  10. The ides .gov ive some how got multiple ids . logining save in my email not sure how they got there or what but ive waited for unwmployment for 5 weeks almost. Then the days it told me to certify for example- monday so i go to certify on monday it tells me my days are thurs fri. But when those days come around i try thurs. It says cant certify then fri says certify mon. But uve got 2 kids and women to provide for new born at that 5 weeks of missed unemployment. On top on that i go to renew my liscense o

  11. I’m a single-member LLC in Oklahoma, and I’ve received about 18 letters, so far, informing me that an unemployment claim has been filed by someone that presumably used to work for me. I’ve never had any employees. Interestingly, the letters all show the unredacted SSN of the person supposedly filing for unemployment.

    • Robert Russell

      Do those letters about fraudulent claims include any other information about who the claim was filed against other than the SSN? If not the full SSN may be the only way to research the person in your HR database. If you had one.

  12. I was hit by this. I was lucky and got through to State of Wa to stop payment. They wouldn’t give me any details.

    I went to WA unemployment sites attempting to claim my own SSN account and it showed the exact email address being used @mail.com and tried to reset the PW and it pointed to another @mail.com. Of @mail.com has no phone support or security Dept to help. All my identity and credit monitoring shows zero problems but I know my SSN was used here in the State of WA. I’ve frozen all my credit, filed with FTC, etc but if the very systems aren’t getting hits then it’s all useless.

  13. Katheen Garrity

    As a tax paying resident of Washington State, I’d be curious about why the state is sending unemployment to those residing outside the state. I guess you can look for, apply for and interview for a job remotely, but ….

  14. Robert Scroggins

    I wonder if this, and similar illegal ways of making money, can be attributed to a lack of morals among a large segment of society aided by an equally large lack of good leaders and further aided by a large number of important problems that are starting to overwhelm the decreasing number of good leaders charged with solving these problems. It’s just getting to be too much! God help us!


    • Yup, Robert Scroggins, exactly as you said: “Microsoft Corporation” 😀

    • I’d assume most of the managers of these frauds are neither US citizens nor US residents.

      The mules are almost certainly ignorant to the majority of how the fraud functions.

      The probably don’t quite realize that the money they’re receiving and then laundering is unemployment money.

      Generally such things are described as “salary” for doing some “activity”.

  15. Two weeks ago most of the governments of South America began to distribute public funds as unemployment aid, payment of wages.

    Most of these beneficiaries are not banked, therefore these funds are withdrawn presenting only a paper that is issued from a government website.

    Losses for governments are estimated to be in the millions, but distribution systems have still not been updated. It doesn’t just happen in the USA, it happens here too.

    Most of these scams are occurring in the elderly. This group is being banked by the government quickly, to prevent them from going to the banks. The results are being disastrous, as much in a difficult banarization, as in the increase of those infected by coronavirus.

  16. 1) the bad guys have home address. Ssn. Employer. On many gov and school employees.
    2) the bad guys (Via mules) are filing LOTS of claims in multiple states
    3) The database the are using may be dated. They used a year-old address.
    4) i am betting they might have title or income info. They seemed to target managers and similar high income earners in our collection of fraud filings…
    5) anyone hit by this should carefully watch for tax fraud filings on their behalf. If the bad guys have income and ssn, that’s going to be an easy mark.

  17. Canada’s SSI #’s have a check digit, but it’s not hard to get ‘free money’ from Justin.

    Canada’s “Prime Minister Trudeau defended the government’s liberal approach to handing out emergency benefits Thursday, saying Ottawa would have “paralyzed” the system and deprived millions of jobless Canadians if it had rigorously checked every application it received.

    Memos obtained by the National Post tell officials to approve Canada Emergency Response Benefit (CERB) payments even if they suspect abuse, or if the person quit voluntarily or was fired for cause.”

  18. Social media reports the same thing is happening to Oregon employers. People who never worked for the company. People who were fired for cause from the company years ago. People who still work for the company. UI phone lines are jammed up even with hundreds of new hires.

  19. There’s a few special reasons:

    1. Washington state has one of the highest unemployment benefits. I worked contracts in WA and OR and it was over 20% higher in WA when I was laid off at the end of the contract and I could choose which state as I qualified in both. Then they added the $600/week.

    I’m not in OK, but another low tax, low expense state. WA is high sales tax, high expense so the expensive unemployment may be warranted for residents.

    2. The Covid crisis has removed the requirements to be “actively looking” as well as other things which would make the fraud harder and more easily audited. You just phone or go to the web site and check the right boxes and you get your check.

  20. The real story is that its happening from the inside out. I had been successfully filing for seven weeks. Thieves got into the system. Then deleted my contact info, changed to direct deposit, and had that money deposited to a credit union I don’t have. There will be a ton of lawsuits from this I’m sure for Washington state not protecting peoples personal info with a secure system. The state has hidden this so far by shutting system down for a couple days to deal with “backlog.” The reality is the phone system has crashed, and the system is so compromised that it’s unsafe to use.

  21. The Illuminati are setting you up to receive the ‘Chip’.

  22. This is pathetic and inhumane at this critical time.

  23. “A federal fraud investigator who spoke with KrebsOnSecurity on condition of anonymity said many states simply don’t have enough controls in place to detect patterns that might help better screen out fraudulent unemployment applications, such as looking for multiple applications involving the same Internet addresses and/or bank accounts. The investigator said in some states fraudsters need only to submit someone’s name, Social Security number and other basic information for their claims to be processed.?
    Don’t blame only the states. I understand that some years ago, 23,000 tax refunds were sent to the same address in Atlanta.

  24. The sars-cov2 is destroy slowly the capitalism of incomes and gains. The virus then is comunist and uts not developed in wuhan

  25. You can add Illinois to the list.

    Several employees in our company just got hit.

    But the state (At least Illinois does) submits a query to the employer (Or ex-employer) to certify that the applicant was actually employed / eligible (As the employer has to contribute). So, if the employer ignores or denies, then the state does not pay.

    Moral of the story, HR Departments need to keep their eyes open too.

  26. The PUA is being fraudulantly claimed in huge waves as well. Claiming 6o be self employed, and have not worked since March 29, gets you a $5000+ bsck payment then $800/week. I reported 8 ppl i know of illehally claiming the PUA.

  27. This is surely organized crime, and I think FBI or possible CIA should track down the criminals, and get the money back.

    All this said, the US should try to use some modern stuff like IT to keep on top. Other smaller countries does it.
    Register 1 bank account per person, for which person will receive all their payouts. Demand a fixed bank account per person.
    Then either force people to visit some government institution with sufficient ID to register their account, or let the banks handle that with strict requirements. That would help most cases.
    Now we are talking fake ID to bypass it, and their photo will be stored on record.

  28. Hi Brian,

    Man, you sure keep my wife and me hopping! Just wish it was in a ‘good’ way (haha) and not always with worry.

    Question: under any circumstance (whether a person is in-state or out-of-state), should we call our State of residence’s “government unemployment office” to—as you’ve taught us before with so many things (like the IRS, credit monitoring agencies freezes & account creation)—plant our flag?

    i.e. like telling them to ‘never’ approve an unemployment filing claim unless it is done in person (or something like this)??


  29. I would issue a word of caution. I am in the opposite situation. Recently I was burnt out in the mega fires we have had in Australia. I was blackballed by every government agency and charity that I applied to for assistance. It turned out that I had been profiled by a government anti fraud team. They had a program that “proved” that I was scamming. They had a mistake in their database that generated bonuses for the team leader and the guys that wrote the code. There was no motive for them to fix the mistake when they were informed of it. The more hits they got , the bigger the bonus. They cant have been that confident in their data because they didn’t charge me with anything. The Australian government is now facing a class action thay are likely to lose for half a billion dollars from people they accused of stealing welfare using a broken algorithm. Every one associated with this madness got a bonus for pretending their “AI” was intelligent. I hope the Secret Service is smarter than that, but how do you know? There certainly were some frauds going on, a few dozen at least, but there were thousands of false positives. The government was humiliated by the fires and headlines in the Murdoch media about scams were a great way to hide what had happened. It was a political stunt to claim that these rocket scientists were saving the country millions. I predict we will never know who was responsible. Be careful not to join any crusades.

  30. I’m no programmer, but how hard would it be to query
    “if State NE to State(of filing) – prompt Review”