Kingsley Nwezeh in Abuja with agency report
Washington State in the United States, paid out “hundreds of millions” of dollars in bogus unemployment benefits to scammers, including a Nigerian scam group, Scattered Canary, according to the state’s Employment Security Department.
The scam hit numerous other states including Florida, Massachusetts, North Carolina, Oklahoma, Rhode Island, Wyoming, and most recently, Hawaii, according to Agari, the cybersecurity firm that identified the scammer and the attack on Hawaii.
It said the scammers used personal information from previous data breaches.
The cybersecurity firm, Agari, said at least one group of Nigerian scammers called Scattered Canary was behind the heist in Washington and seven other states.
Agari has been tracking Scattered Canary for a year.
Yahoo Finance said the fraud, which leveraged the quick and needed response to the economic fallout of COVID-19 pandemic was an advanced operation that utilised fake W-2 scams to get new information to create false unemployment claims, Agari CEO, Patrick Peterson told Yahoo Finance.
In W-2 scams, a bad actor pretends to be from an employee’s company and emails the employee asking for personal information to fill out an updated W-2 form, which includes key data like social security numbers.
But Peterson told Yahoo Finance that the group utilised previously stolen data from other sources, something that Washington State’s Employment Security Department’s commissioner also said, citing breaches like the 2017 Equifax incident, in which 146.6 million social security numbers were breached.
“Our thesis is that the criminals are using data from previous hacks like Equifax, other large-scale hacks,” Peterson told Yahoo Finance.
Peterson was careful to say that they don’t yet have evidence that attributed the scam to one breach in particular, but Agari hopes to have more information on the source of the data the hackers used.
The report said scammers needed just four fields notably social security number, name, address, and date of birth for success and previous breaches and swaths of data for sale on the dark web aided their operations.
In the past few years, there have been many data breaches, compromising tons of consumer data, including LinkedIn in 2016 and Marriott in 2018.
Agari said that the scammers most likely used data that had already been breached and augmented it by other tactics like W-2 phishing to fill in missing information.
He said since the states waived verification, many people whose data was used by Scattered Canary were not even laid off, saying the heist showed why data breaches were harmful.
Because of this scam, Washington and other states are losing a significant amount of taxpayer money, and more scams like this will likely emerge as the COVID crisis drags on.
With this heist, there’s a clear example of the damage that breaches can do besides the abstract possibilities of ID theft and credit card fraud.
The report noted that for the most part, hacks don’t directly affect people’s bank accounts, which is why most have trouble caring too much about the latest data breach.
With breach after breach, consumers’ attitudes have dissolved into resignation.
With this heist, there’s a clear example of the damage that breaches can do besides the abstract possibilities of ID theft and credit card fraud.
Because of this scam, Washington and other states are out a significant amount of taxpayer money, and more scams like this will likely emerge as the COVID crisis drags on.
Peterson said that it’s sad that we’ve become immune to breaches, and only pay attention if the number was a record — even though Equifax’s loss of info on almost half the country will probably stay a record.
Peterson hopes that this incident might be a wakeup call for people who have become numb to the breach du jour. Every time the data goes out there, the five to 10-year horizon for criminals to use it is extended, he said. Maybe this will be a wakeup call.
