The Spokesman-Review Newspaper
Spokane, Washington  Est. May 19, 1883

How missed ‘red flags’ helped Nigerian fraud ring ‘Scattered Canary’ bilk Washington’s unemployment system amid coronavirus chaos

Washington Gov. Jay Inslee, left, looks on as Suzi LeVine, right, the state's Employment Security Department Commissioner, talks to reporters, Thursday, Jan. 24, 2019, at the Capitol in Olympia, Wash. Scammers made off with “hundreds of millions of dollars,” LeVine said, speaking last week on the unemployment fraud scheme by Nigerian hackers. (Ted S. Warren / Associated Press)
By Jim Brunner Seattle Times

Earlier this spring, as Washington began to pay out enhanced unemployment benefits to tens of thousands of laid-off and furloughed workers, a criminal organization halfway around the world spied an enormous opportunity.

A Nigerian fraud ring, dubbed “Scattered Canary” by security researchers, would soon begin siphoning off the benefits, notably the extra $600 a week Congress had added to unemployment checks.

Hiding behind a tsunami of legitimate claims, and using personal information likely stolen in past consumer data breaches, the ring and other criminals filed thousands of bogus applications with the state’s Employment Security Department. By the time the fraud was recognized, scammers had made off with “hundreds of millions of dollars,” ESD Commissioner Suzi LeVine acknowledged Thursday.

Exactly how much was carted off by Scattered Canary, as well as other bad actors, hasn’t been determined. But federal and state officials have pointed to sophisticated Nigerian cyber-fraudsters as key players who exploited a once-in-a-generation opportunity, abetted by a chaotic economic crisis and political pressure to swiftly pay out checks to distressed workers without the usual scrutiny. Since the start of the pandemic, the state has paid out nearly $3.8 billion in benefits.

Washington’s unemployment system also missed potential red flags, including payments to out-of-state banks and the use of suspicious email accounts, according to security experts. All of that happened despite a $44 million software upgrade at ESD that was supposed to help detect such fraud.

The monumental pilfering of public dollars has left Washington as the largest known victim of the fraud that also has hit at least six other states, according to a May 14 U.S. Secret Service bulletin. The federal Department of Justice is investigating.

It also may have political recriminations: Republicans are already citing the losses to slam Gov. Jay Inslee’s record of managing state government as he seeks a third term this fall.

But the biggest victims may be the innumerable Washingtonians who now have had their legitimate and urgently needed claims for jobless benefits delayed as the state tries belatedly to halt the fraud. Others who have already received money say their claims are being investigated for “possible overpayment.”

Seattle resident Silvia Muhammad and her husband were both receiving unemployment benefits when they got ESD notices demanding more verification, or else “he’s going to have to pay back all the money that they’ve given him.”

Like many workers, Muhammad said she has struggled to get answers from the state ESD, which has been overwhelmed with fraud reports. Without the benefits, Muhammad said she and her husband are struggling to pay basic expenses, including rent.

“We’ve never been faced with this predicament,” she said, in tears. “The Nigerians are getting paid but the people that are owed money are not getting paid. I mean, like, really?”

Vulnerabilities

To some degree, Washington and its workers are the latest casualties in an era of rising identity theft. Filing for unemployment insurance in Washington and many states requires the sort of personal information – Social Security numbers, birth dates, addresses – that is depressingly easy to steal or buy on the dark web, thanks to massive data breaches such as the 2017 attack on credit reporting agency Equifax that allowed access to records of more than 145 million individuals.

Indeed, officials at ESD and at WaTech, the agency that manages the system the state uses to authenticate users for ESD and other state agencies, have repeatedly insisted that when thieves have enough personal information, it’s difficult to stop people from filing fraudulent claims without also obstructing legitimate filers.

The state considered a more stringent authentication system that was included with the upgraded software, but discovered it created headaches for people trying to file claims, and even a less stringent gateway caused “an increased number of phone calls to the agency,” according to a 2017 assessment of the new Unemployment Tax and Benefit system (UTAB).

The net result, it now seems, was an unemployment system that was easier for legitimate users – but also for bad actors, who, once inside, could both file bogus claims and set preferences for how they wanted to be contacted and paid.

“Once you’ve authenticated yourself, you’re free to update your contact information, your direct deposit information, you know, a lot of different things,” said ESD spokesperson Nick Demerice. Attempts to change certain account information would be flagged for review by the ESD’s fraud team, which has recently expanded.

Under ordinary circumstances, with 5,000 to 7,000 new, or “initial,” claims filed a week, the ESD system appeared to have been sufficient to detect and stop suspicious claims.

But starting in March, as the coronavirus response shut down the economy, those numbers skyrocketed to a peak of 181,975 initial claims in a single week. By late April, the state had taken in around 860,000 initial claims, paralyzing its website and call center.

At the same time, across the nation, federal and state officials pushed to expedite benefits payments, even if it meant losing some security. Washington and other states dropped the usual waiting period between when a claim is filed and paid, so ESD didn’t always have enough time to verify claims before sending payment.

It was a situation ripe for exploitation. And, according to security experts, actors like Scattered Canary did just that.

Scattered Canary

Scattered Canary began as a one-man shop running Craigslist scams, but has grown over more than a decade into a criminal syndicate targeting businesses and governments, as well as individuals with a variety of cons, according to Agari, the California cybersecurity company that first discovered and named the organization in early 2019.

The group and others like it are “behind a lot of the fraud that’s taking place,” said Armen Najarian, chief identity officer for Agari, which he said works with law enforcement agencies and has briefed the Secret Service on the group. Some slice of fraud may also be coming from domestic sources, and there are always the run-of-the-mill efforts by individuals to game the system.

Najarian said Scattered Canary appears to use some software automation tools, but it mainly employs dozens, or perhaps hundreds, of individuals who tap out their schemes on computer keyboards. While the group adopts “a bit of a Robin Hood mentality” to spend some of the ill-gotten cash to help African communities, he said some ringleaders also live large, lavish lifestyles including first-class flights, expensive Champagne and gold jewelry.

Marcus Fowler, director of strategic threat at Darktrace, a cybersecurity firm, said the fraud scenario reported by Agari is feasible, but identifying specific actors in cyberfraud can be extremely difficult. Artificial intelligence could improve fraud detection but that technology is not mature enough to stem the tide of unemployment cresting with the federal pandemic bailout, he said.

U.S. authorities in recent years have cracked down on cyberfraud conspirators based in Nigeria and elsewhere. In 2018, a six-month sweep by the FBI and other agencies, called “Operation WireWire,” netted arrests of 74 people in the U.S. and overseas, including 29 in Nigeria and three in Canada, Mauritius and Poland, according to the Justice Department. The sweep targeted scammers who allegedly had defrauded numerous businesses and individuals through email schemes.

The United Nations also has been working to combat cybercrime and its concentrated presence in West Africa for more than a decade, and at one point produced a music video from a popular Nigerian artist urging youngsters not to join the alluring criminal enterprises.

Washington’s unwelcomed role as the top target so far may not have been the result of any unique security flaw. But the state was one of the earliest to start paying out the extra $600, which, on top of Washington’s already-generous unemployment benefits, meant that the thieves could potentially steal $1,390 a week per claim.

“It is clear this is not just a Washington state problem,” said a statement from Gov. Jay Inslee’s office Thursday. “This is a national and international criminal conspiracy. We were among the first states hit by these fraudsters but we will not be the last.”

But Caleb Heimlich, chairman of the Washington State Republican Party, said responsibility for the massive swindle rests with Inslee. “No other state was susceptible to this level of fraud. Inslee and his hand-picked department heads continually mismanage our state. All of these failures are Inslee’s to own,” he said in a statement Friday.

‘Huge red flag’

On May 14, the ESD acknowledged a sharp rise in suspected fraud and abruptly suspended benefits payments for two days. By then it was too late.

But experts say that, even before then, there were some clues that should’ve raised alarms about fraud. Some Washingtonians said they found their ESD accounts redirected to an email service called Yopmail, which provides “disposable” email addresses that require no password. Scattered Canary also used so-called “google.dot” accounts, that is, variations of the same Gmail address that can each be used to set up a separate ESD account but which all deliver to a single Gmail email address, according to Agari.

Then there was the payment system. In order to actually receive the fraudulent benefits, Scattered Canary and other groups often use “mules” – people who knowingly or unknowingly help launder money by opening bank accounts or online debit card accounts.

The Secret Service, in its May 14 bulletin, noted Washington had sent automated payments to persons outside the state “all in different individuals’ names with no connection to the account holder.”

The out-of-state bank accounts should have been “a huge red flag” for ESD to scrutinize payments, said the senior fraud officer at an East Coast bank that received at least five electronic deposits from “UI Benefit WA ST.”

“Given our location, we don’t have a lot of people who are employed in the state of Washington,” said the banker, speaking on condition of anonymity to avoid disclosing his bank’s fraud prevention measures.
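The red flags described above (disposable addresses such as Yopmail, Gmail dot variants that share one inbox, out-of-state deposits in a name other than the claimant's) can be expressed as screening logic. The following is an added example, not ESD's or Fast Enterprises' code; the record fields, sample claims and one-entry blocklist are constructed assumptions, and the `+tag` handling goes beyond the dot variants the article mentions.

```python
from collections import defaultdict

# Assumption: a one-entry illustrative blocklist; real screening needs a maintained list.
DISPOSABLE_DOMAINS = {"yopmail.com"}
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}

def canonical_email(address):
    """Map Gmail dot and +tag variants to the single inbox they deliver to."""
    local, _, domain = address.strip().lower().rpartition("@")
    if domain in GMAIL_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"

def flag_claims(claims, home_state="WA"):
    """Return {claim id: [red-flag labels]} for claims that need manual review."""
    claimants_by_inbox = defaultdict(set)
    for c in claims:
        claimants_by_inbox[canonical_email(c["email"])].add(c["claimant"])

    flagged = {}
    for c in claims:
        inbox = canonical_email(c["email"])
        reasons = []
        if inbox.rpartition("@")[2] in DISPOSABLE_DOMAINS:
            reasons.append("disposable_email")
        if len(claimants_by_inbox[inbox]) > 1:  # one inbox, several identities
            reasons.append("shared_inbox")
        if c["bank_state"] != home_state:
            reasons.append("out_of_state_bank")
        if c["account_holder"] != c["claimant"]:
            reasons.append("payee_name_mismatch")
        if reasons:
            flagged[c["id"]] = reasons
    return flagged

# Constructed sample records (hypothetical field names, not real claims).
SAMPLE_CLAIMS = [
    {"id": 1, "claimant": "Claimant A", "email": "constructed.sample@gmail.com",
     "bank_state": "WA", "account_holder": "Claimant A"},
    {"id": 2, "claimant": "Claimant B", "email": "c.o.n.structedsample@gmail.com",
     "bank_state": "NY", "account_holder": "Holder X"},
    {"id": 3, "claimant": "Claimant C", "email": "tmp-constructed@yopmail.com",
     "bank_state": "WA", "account_holder": "Claimant C"},
    {"id": 4, "claimant": "Claimant D", "email": "d@example.org",
     "bank_state": "WA", "account_holder": "Claimant D"},
]
```

The labels are signals for a reviewer's queue rather than grounds for automatic denial; a joint bank account or a family's shared mailbox triggers them too.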

In the wake of the fraud, ESD is assessing and adjusting the “flags and checkpoints in the system,” Demerice said. “And part of figuring it out … for fraud claims that have made it through, what are the gates and checkpoints that would have caught those?”

But “we really can’t talk about the things we are going to put in place, the additional safeguards,” he said.

Washington may be the state hardest hit to date, but other states’ systems have been breached and defrauded as well, including Rhode Island, which also briefly paused payments, and Texas, which reported a huge spike in fraud in April.

Because Congress made the federal benefits retroactive to late March, several weeks before Washington was able to start paying them, many applicants – legitimate or otherwise – had retroactive claims for multiple weeks waiting in the ESD’s system.

As a result, the state was sometimes making unusually large payments – reportedly as much as $20,000 – on a single date, likely boosting the fraudsters’ theft before the scheme was detected.

Fast Enterprises

Avoiding such a widespread fraud was on Washington’s mind when in 2017 it replaced its aging COBOL-based mainframe.

The Unemployment Tax and Benefits system was budgeted at $44 million and purchased from a Colorado company called Fast Enterprises. Among the promised benefits were “additional tools (especially data mining)” that would “help staff detect fraud,” according to the state consultant report on the UTAB project.

ESD declined to immediately provide a copy of the Fast Enterprises contract to the Seattle Times last week. But in other states where Fast Enterprises has been used – for everything from unemployment claims to tax collection – the system has been penetrated and mined for data or money, including the theft of nearly 800,000 hunting and fishing license records in Idaho in 2016.

In its 2017 proposal to sell the state of Nebraska software for vehicle title and registration, Fast Enterprises emphasized that its system gives states flexibility to adjust security settings, for everything from user authentication to fraud detection.

Michigan, for example, established a low threshold of fraud detection in its Fast Enterprises unemployment insurance software. Between October 2013 and August 2015, the system incorrectly flagged 20,000 unemployment insurance claimants’ cases as fraudulent, an error rate of 93%.

Washington made security choices with its own policy objectives in mind: getting money into the hands of desperate Washingtonians reeling from the sudden loss of income. To that end, the state erred on the side of distributing benefits first, and asked for employer verification that applicants qualified for unemployment benefits later.

In a statement, Fast Enterprises spokeswoman Megan Mooney said, “Our commercial off-the-shelf software has been implemented as the basis of the UTAB System and it does have fraud detection capabilities. Each agency decides the degree to which those capabilities should be used.”

Demerice declined to specify the stringency of the fraud detection chosen by ESD, which he said continuously seeks to balance security with ease of access. There can be “unintended consequences when we change the system,” he said.

Wreckage

By early May, signs of the vast scope of the theft were emerging, with the convergence of desperation, vulnerability and piles of money.

Employers were receiving notifications from ESD of claims filed in the names of workers still very much employed. Laid-off workers trying to file for unemployment insurance for the first time in their lives found ESD accounts already opened with their Social Security numbers.

And even as most of the rest of the nation was seeing a decline in new weekly unemployment claims, Washington was seeing a surge – including in sectors such as high-tech and finance that hadn’t publicly announced many layoffs, but whose high salaries meant fraudsters would reap the largest possible weekly unemployment benefits.

As more employers and workers began receiving notifications of bogus claims, many tried to contact the ESD. Many could not, and began contacting local police.

Between May 13 and May 18, the King County Sheriff’s Office received 1,668 reports of unemployment fraud – 541 of them on May 18 alone, according to Sgt. Ryan Abbott. On the ESD’s online portal for submitting fraud complaints, the numbers were ballooning. Between May 15 and May 20, the number of fraud claims jumped from around 7,000 to nearly 75,000.

“What a mess,” said Venus Mills, executive director of a Bothell-based drug-testing company that received bogus notifications for three of its 17 employees.

In the meantime, workers, employers and politicians will push to put a price tag on what may be Washington state’s largest-ever fraud. But experts warn that it may be months before the full scope can be known.

“I think it is too early,” said Fowler of Darktrace, noting state authorities may not have detected all of the fraud or determined how much they’re likely to recover. “It’s a story that has certainly not been fully written.”