How a COVID-Inspired Cyber Fraud Cost Washington State Hundreds of Millions of Dollars

June 18, 2020
The recent influx of federal funding was a much-needed shot in the arm for millions of individuals and small businesses impacted by the COVID-19 economic crisis. Unfortunately, bad actors are benefiting from these stimulus packages at the same time by once again reaching into their bag of tricks.
 
Cybercriminals and hackers constantly follow the money. Currently, that trail is leading them to the front steps of the government agencies handling the various impacts of COVID-19.
 
The need to quickly implement COVID-19 programs and response means many government agencies have to loosen up some of their typical processes. It's exactly what cybercriminals count on. 
 
In recent months we've seen numerous attacks, from ransomware and phishing campaigns to massive fraud schemes, targeting governments all over the world.
 
This is likely only the tip of the iceberg. Bad actors will seek to profit from the chaos of COVID-19 for months to come—and government agencies are a bigger target than ever before.

How Scammers Got Their Hands on Washington State Money

The state of Washington recently became the target of a sophisticated, international crime ring based in Nigeria, which orchestrated a massive unemployment fraud scheme that has cost the state hundreds of millions of dollars.
 
And the fraudsters didn't even have to launch a cyberattack.
 
What Happened?

Washington, like many other states, has been inundated by unemployment claims as businesses across the country have halted operations. Unfortunately, the state soon discovered that part of its surge was due to a well-organized fraud scheme.
 
While other states were also targeted, Washington was the biggest victim, paying out as much as $650 million in fake claims.

How Did the Scheme Succeed?

Cybersecurity researchers believe this is the work of a group they've named Scattered Canary. The group opened the unemployment claims using personally identifiable information (PII) stolen in various data breaches—such as the major Equifax breach—together with fake email addresses, likely mass-created Gmail accounts.
 
These cybercriminals directed the payments to prepaid bank cards or used unwitting individuals who help launder the money, so-called money mules. Reportedly, mules are typically recruited through tactics like online romance scams (similar to the famed Nigerian prince scam). The scammers befriend the victims and convince them to open bank accounts that are used for a short time to receive deposits. Then the victims forward the bulk of the money to the fraudsters.
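
The pattern described above (claims filed under many stolen identities, tied to mass-created email accounts and paid out to the same prepaid cards or mule accounts) is something a claims system can check for. The following Python code is an added example, not part of the original article and not Washington state's actual countermeasures; the claim fields, the sample records, and the Gmail address normalization are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample claims (not real data); field names are hypothetical.
CLAIMS = [
    {"id": "C1", "claimant": "id-001", "email": "j.smith77@gmail.com", "payout": "card:4000-A", "prepaid": True},
    {"id": "C2", "claimant": "id-002", "email": "js.mith77@gmail.com", "payout": "card:4000-A", "prepaid": True},
    {"id": "C3", "claimant": "id-003", "email": "jsmith77+wa@gmail.com", "payout": "card:4000-A", "prepaid": True},
    {"id": "C4", "claimant": "id-004", "email": "pat@example.org", "payout": "bank:111", "prepaid": False},
    {"id": "C5", "claimant": "id-005", "email": "lee@example.net", "payout": "bank:222", "prepaid": False},
    {"id": "C6", "claimant": "id-006", "email": "Lee@Example.net", "payout": "bank:222", "prepaid": False},
]

def canonical_email(addr):
    """Collapse address variants that are likely to reach the same mailbox."""
    local, _, domain = addr.strip().lower().rpartition("@")
    local = local.split("+", 1)[0]        # heuristic: drop plus-tags
    if domain in ("gmail.com", "googlemail.com"):
        local = local.replace(".", "")    # Gmail ignores dots in the local part
        domain = "gmail.com"
    return f"{local}@{domain}"

def shared_clusters(claims, key, min_claimants=2):
    """Map each key value shared by >= min_claimants distinct claimant
    identities to the sorted ids of the claims that use it."""
    groups = defaultdict(dict)
    for c in claims:
        groups[key(c)][c["claimant"]] = c["id"]
    return {k: sorted(v.values()) for k, v in groups.items() if len(v) >= min_claimants}

def review_queue(claims, min_claimants=2):
    """Return (claim id, signal count) pairs for manual review, highest first."""
    by_email = shared_clusters(claims, lambda c: canonical_email(c["email"]), min_claimants)
    by_payout = shared_clusters(claims, lambda c: c["payout"], min_claimants)
    score = defaultdict(int)
    for ids in list(by_email.values()) + list(by_payout.values()):
        for cid in ids:
            score[cid] += 1
    for c in claims:
        # A prepaid card alone is not suspicious; count it only next to another signal.
        if c["prepaid"] and score.get(c["id"]):
            score[c["id"]] += 1
    return sorted(score.items(), key=lambda kv: (-kv[1], kv[0]))
```

Claims that share a payout destination or a canonical mailbox across different claimant identities are queued for review rather than rejected, since households can legitimately share an account.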

What Will Happen Next?

Washington state has recovered $333 million in fraudulent payments so far. And the state says it has implemented new countermeasures to stop further fraud.
 
That's good news for Washington state. But many other states continue to struggle with the avalanche of unemployment claims, and are also a target.
 
Worse yet, unemployment fraud is not the group's only calling card. The same ring is suspected in other fraudulent claims related to COVID-19 relief as well as other schemes involving government agencies.
 
Given the group's versatility in applying similar tactics to a variety of plots, it's unlikely this is the last time we’ll hear from Scattered Canary.

Fraud is but One Feather in the Cybercriminals' Cap

The feat pulled off by Scattered Canary demonstrates that cybercriminals don't have to rely on a current cyberattack to inflict damage—they can reap the rewards of those carried out long before. The situation in Washington state also reminds us that manipulating people is a favorite tactic of bad actors, and reinforces the fact that government agencies are an enticing target. In fact, agencies are even more appealing now that the coronavirus is forcing them to operate at limited capacity.
 
Other recent attacks across the world illustrate the wide-scale threats governments face, from the local to the national level:
  • The U.S. Health and Human Services was hit with a distributed denial-of-service (DDoS) attack in March. Millions of hits over a few days overloaded the servers in an apparent attempt to undermine the agency's response to COVID-19.
  • A state in Germany lost tens of millions of euros in an elaborate phishing scheme in March and April. The cybercriminals created a fake website that appeared entirely authentic. They lured government aid applicants to the site via an email campaign, collected their PII, and used the data to file false claims on the victims' behalf.
  • City and county governments in North Carolina were hit with the Ryuk ransomware in March, which was distributed via phishing emails to employees. Durham County alone had to reimage 1,000 computers and rebuild about 100 servers from scratch. County services were interrupted as well.
Clearly an appealing target, state and local governments need to be on high alert. Their allure to cybercriminals, however, won't stop even when operations return to normal in a post-coronavirus world.
 
Cybercriminals will continue adapting to new trends—and will simply move on to the next plot.

Stay Protected

Cybercrime is increasingly rampant, especially as government organizations are stretched thin on cybersecurity coverage while their workforces adapt to new ways of doing business during a pandemic. That doesn’t mean they can’t adapt while also staying safe from today’s growing threats.
 