Washington State paid out “hundreds of millions” in bogus unemployment benefits to scammers, according to the state’s Employment Security Department. The scam has likely hit numerous other states including Florida, Massachusetts, North Carolina, Oklahoma, Rhode Island, Wyoming, and most recently, Hawaii.
And according to Agari, the cybersecurity firm that identified the scammer and identified the attack on Hawaii, the scammers used personal information from previous data breaches.
Authorities aren’t sharing many details, but cybersecurity firm Agari says at least one group of Nigerian scammers called Scattered Canary is behind the heist in Washington and seven other states. Agari has been tracking Scattered Canary for a year.
The fraud, which leveraged the quick and needed response to the economic fallout, was an advanced operation that utilized fake W-2 scams to get new information to create false unemployment claims, Agari CEO Patrick Peterson told Yahoo Finance. In W-2 scams, a bad actor pretends to be from an employee’s company and emails the employee asking for personal information to fill out an updated W-2 form, which includes key data like Social Security numbers.
But Peterson told Yahoo Finance that the group utilized previously stolen data from other sources, something that Washington State’s Employment Security Department's commissioner also said, citing breaches like the 2017 Equifax incident, in which 146.6 million Social Security numbers were breached.
“Our thesis is that the criminals are using data from previous hacks like Equifax, other large-scale hacks,” Peterson told Yahoo Finance.
Peterson was careful to say that they don’t yet have evidence that attributed the scam to one breach in particular, but Agari hopes to have more information on the source of the data the hackers used.
Scammers needed just four fields — Social Security number, name, address, and date of birth — for success, and previous breaches and swaths of data for sale on the dark web aided their operations. In the past few years, there have been many data breaches, compromising tons of consumer data, including LinkedIn in 2016 and Marriott in 2018.
Agari said that the scammers most likely used data that had already been breached and augmented it by other tactics like W-2 phishing to fill in missing information. And since the states waived verification, many people whose data was used by Scattered Canary were not even laid off.
This heist shows why data breaches are harmful
For the most part, hacks don’t directly affect people’s bank accounts, which is why most have trouble caring too much about the latest data breach. With breach after breach, consumers’ attitudes have dissolved into resignation.
With this heist, there’s a clear example of the damage that breaches can do besides the abstract possibilities of ID theft and credit card fraud. (Many judges in lawsuits against Equifax said consumers didn’t experience damages simply because they might be defrauded in the future). Because of this scam, Washington and other states are out a significant amount of taxpayer money, and more scams like this will likely emerge as the COVID crisis drags on.
Peterson said that it’s sad that we’ve become immune to breaches, and only pay attention if the number was a record — even though Equifax’s loss of info on almost half the country will probably stay a record.
“It feels like our data has been released so many times,” said Peterson. “Should we really care? Well, you can’t change your birthday, or your address unless you’re going to move, and changing your Social Security number is insanely difficult. When that info is out there, criminals really have the keys to the kingdom.”
Peterson hopes that this incident might be a wakeup call for people who have become numb to the breach du jour. Every time the data goes out there, the five to 10-year horizon for criminals to use it is extended, he said. Maybe this will be a wakeup call.