Criminal underground thrived on states’ pandemic unemployment programs

Online actors specializing in financial fraud feasted on a widely used unemployment insurance program designed in response to the COVID-19 pandemic, making it one of the single biggest targets for cybercrime in 2020, according to a report published Thursday by the threat intelligence firm Recorded Future.

According to the research, the Pandemic Unemployment Assistance program — implemented to help freelance and gig workers through the health crisis’ economic shutdowns — quickly became one of the most widely mentioned targets on dark-web forums where criminals gather shortly after it was created last March. Efforts to scam state governments into paying out phony claims became so rampant, in fact, that data sets of real people’s identifying information and instructions on how to rip off specific states’ programs are now hot commodities in cybercriminal marketplaces.

Not long after PUA and other pandemic-related unemployment programs were implemented did states begin detecting that they had issued millions of dollars in illicit payments. The Washington Employment Security Department said last May it recovered $300 million. While there’s no publicly acknowledged count of how much unemployment fraud occurred over all of 2020, the phony claims continued to mount all year; last month, Bank of America estimated that California alone may have paid out $2 billion across 640,000 accounts.

A ‘welcoming atmosphere’ for crooks

That level of criminal activity puts the PUA program in the same category as credit cards, shopping sites and sports betting services, said Parker Crucq, a senior threat intelligence analyst at Recorded Future and the report’s author. Moreover, Crucq found that inside the forums and marketplaces, sellers of the personally identifiable information used to file fraudulent claims — often culled from previous data breaches — were often quite helpful to novice scammers.

“I was surprised how receptive some of the sellers were to tutoring the next generation of cybercriminals,” he said, noting that there was often a “welcoming atmosphere” on Telegram, an encrypted messaging platform often used for illicit activities, whenever a new batch of compromised PII was made available.

One message captured from a criminal forum shows instructions of how to apply for fraudulent claims in Washington and Massachusetts. The poster helpfully includes URLs for those states’ unemployment agencies, the pieces of personal information needed to file and how to get the money via direct deposit, including to prepaid debit cards. The post even tells would-be scammers how to describe their non-existent hardships.

“When they ask you what date was your activities affected by Corona Pandemic, tell them 25th March 2020,” it reads. “Once info is accepted, you get paid in 1-3 business days.”

An underground forum member describes how to file phony claims. (Recorded Future)

Unemployment fraud is also relatively easy to commit, Crucq said. According to his research, data sets of PII, organized by state, are sold on sites he described being “as simple as an online shop.” Another screenshot in the report shows one of these stores listing files called “Wisconson Random” on sale for $100 and “NY Random PUA” for $80. All an aspiring fraudster needs, Crucq said, is a browser that can access these underground markets and a cryptocurrency wallet. And the sellers of the stolen data can earn more by selling their expertise and taking a cut of the phony claims.

“To be able to conduct this fraud, you don’t need to have a high skill set,” Crucq said. “These actors understand they can generate revenue. They can talk to as many prospects as possible.”

‘Money mules’

But the rampant unemployment fraud also features an extensive physical element. While the U.S. Secret Service last year accused a well-known Nigerian criminal ring called Scattered Canary of being behind much of the online activity — including theft of personal information and social engineering techniques like targeted phishing emails — the fraud made heavy use of “money mules,” human actors who serve as intermediaries for the transactions.

“Mules are essential for fraudsters who require a commodity to be physically moved from one place to another, or when fraudulent funds need to be moved between accounts,” the Recorded Future report reads.

U.S. officials have said there are likely hundreds of mules involve in pandemic-related unemployment fraud. Crucq told StateScoop these individuals’ contributions to the schemes included intercepting physical mail, setting up email accounts for filing claims and creating phony driver’s licenses. One forum message featured in the report asks how to create a fake ID in Massachusetts in order to collect $15,000 in payments, in exchange for a $1,000 cut.

Other Telegram and forum messages alerted criminals about which states were cracking down on unemployment fraud and should be avoided.

‘Out to make money’

Several states have taken legal action beyond just recouping phony payments. Last September, Pennsylvania Attorney General Josh Shapiro filed charges against 20 people for operating unemployment fraud from state prisons. And other states have revamped their unemployment application systems, such as Colorado, which recently launched a new, cloud-based program that officials there said will be easier to protect from scams.

Crucq said states should also be more aggressive in requiring multi-factor authentication and ensuring that claims are not filed under the names of dead people, convicts and others who were not part of the pre-pandemic labor market. Still, he found that even as states uncover more phony activity, criminals’ interest continues to grow. One online forum devoted to unemployment fraud saw its membership grow from about 7,500 in November to more than 18,000 a month later, the report read.

“Whether it’s ransomware or unemployment fraud, these crews are out to make money,” Crucq said. “At the end of the day it’s about turning a profit.”