Washington state acknowledged this week that it has lost hundreds of millions of dollars to a sophisticated unemployment fraud ring. Most of the money had come from the federal government in the form of pandemic aid.
It does not appear to have been a case of hacking, or a data breach. Rather, scammers used names and Social Security numbers they already had, possibly from earlier data breaches, to pose as out-of-work Washingtonians, security experts said.
In many cases — likely most cases — the real Washingtonians had not actually lost their jobs.
"At this point, we have tens of thousands of individuals whose stolen information has been used to file fraudulent claims," said Suzi LeVine, commissioner of the state's Employment Security Department.
Officials wouldn't share details about how they were fooled by so many fake applications, but outside investigators are pointing to weaknesses in the state's unemployment benefits system.
One vulnerability appears to have been the reliance on the mail during a pandemic lockdown. When the Employment Security Department gets an unemployment claim through its website, it sends a letter to the claimant's employer to confirm the job loss. The letter gives the employer about a week to object to the claim or correct the record. If there's no response from the employer, the benefits may be paid out.
Many of those letters languished in piles of mail delivered to offices closed under emergency social distancing rules.
When employers found the letters in their accumulated mail and tried to notify the state of the potential fraud, they encountered long wait times on the phone.
Eventually, enough employer responses made it through to alert the department that something was amiss.
"It started out as a trickle, but it really became more of a flood early the week of [May] 11," LeVine said. "It was at that moment where, you know, 'Break glass and pull the alarm.' "
By that point, millions in fraudulent benefits had already gone out the door.
The state may also have made it harder for law enforcement to trace the stolen money, by paying benefits to prepaid debit cards.
Investigators with the email security firm Agari said they've observed a major overseas cybercrime gang targeting Washington and other states for this kind of large-scale imposter unemployment fraud. They said the scammers' first step was to set up accounts with a prepaid system called Green Dot to receive the unemployment benefits.
Prepaid cards allow states to send benefits quickly to unemployed people who may not have traditional bank accounts.
But Agari CEO Patrick Peterson said the accounts also make things much easier for scammers, especially those operating from overseas.
"You can apply online," he said. "And then, of course, once you get the funds, it's purely electronic. There's no bank branch. There's not even a camera on an ATM. You can simply move the money around electronically."
Washington's Employment Security Department would not confirm whether fraudulent claims had been paid to such cards, and Green Dot didn't respond to a request from NPR for comment.
Late Thursday, the Justice Department released a statement saying that federal investigators were working to recover the stolen funds and that "a diligent financial institution, with which agents were working, was able to prevent $120 million from being distributed to criminals." The statement did not say what type of financial institution it was.
In the meantime, the state said it is adding more security to its unemployment claims process.
"We have and will continue to make changes to our system that will require some customers to verify or provide certain information," LeVine said Thursday. She wouldn't give details, saying she didn't want to give scammers insights into the system.
But she lamented that the changes could add a day or two to the claims process.
"This makes me the most angry," she said. "That we need to delay payments to Washingtonians who need these benefits."