Washington state acknowledged Thursday that it has lost "hundreds of millions of dollars" to a sophisticated unemployment fraud ring. Most of the money had come from the federal government, in the form of pandemic aid.
This does not appear to have been a case of hacking, or a data breach. Rather, scammers used names and Social Security numbers they already had, possibly from earlier data breaches, to pose as out-of-work Washingtonians.
In many cases — likely most cases — the real Washingtonians had not actually lost their jobs.
"At this point, we have tens of thousands of individuals whose stolen information has been used to file fraudulent claims," said the Commissioner of the Employment Security Department, Suzi LeVine.
Officials wouldn't share details about how they were fooled by so many fake applications, but outside investigators are pointing to weaknesses in the state's unemployment benefits system.
One vulnerability appears to have been the reliance on the mail during a pandemic lock down. When the Employment Security Department gets an unemployment claim through its website, it sends a letter to the claimant's employer to confirm the job loss. The letter gives the employer about a week to object to the claim or correct the record. If there's no response from the employer, the benefits may be paid out.
Many of those letters languished in piles of mail delivered to offices closed under emergency social distancing rules.
When employers found the letters in their accumulated mail and tried to notify the state of the potential fraud, they encountered long wait times on the phone.
Eventually, enough employer responses made it through to alert the department that something was amiss.
"It started out as a trickle, but it really became more of a flood early the week of [May] 11," says LeVine. "It was at that moment where, you know, 'Break glass and pull the alarm.'"
By that point, millions in fraudulent benefits had already gone out the door.
The state may also have made it harder for law enforcement to trace the stolen money, by paying benefits to pre-paid debit cards.
Investigators with the email security firm Agari say they've observed a major overseas cybercrime gang targeting Washington and other states for this kind of large-scale imposter unemployment fraud. They say the scammers' first step was to set up accounts with a pre-paid system called Green Dot, to receive the unemployment benefits.
Pre-paid cards allow states to send benefits quickly to unemployed people who may not have traditional bank accounts.
But Agari CEO Patrick Peterson says the accounts also make things much easier for scammers, especially those operating from overseas.
"You can apply online," he says. "And then, of course, once you get the funds, it's purely electronic. There's no bank branch. There's not even a camera on an A.T.M. You can simply move the money around electronically."
Washington's Employment Security Department would not confirm whether fraudulent claims had been paid to such cards, and Green Dot didn't respond to a request from NPR for comment.
Late Thursday, the Justice Department released a statement saying federal investigators were working to recover the stolen funds, and that "a diligent financial institution, with which agents were working, was able to prevent $120 million from being distributed to criminals." The statement did not say what type of financial institution it was.
In the meantime, the state says it is adding more security to its unemployment claims process.
"We have and will continue to make changes to our system that will require some customers to verify or provide certain information," Commissioner LeVine said Thursday. She wouldn't give details, saying she didn't want to give scammers insights into the system. But she lamented that the changes could add a day or two to the claims process.
"This makes me the most angry," she said. "That we need to delay payments to Washingtonians who need these benefits."
You won’t find a paywall here. Come as often as you like — we’re not counting. You’ve found a like-minded tribe that cherishes what a free press stands for. If you can spend another couple of minutes making a pledge of as little as $5, you’ll feel like a superhero defending democracy for less than the cost of a month of Netflix.