author photo
By Clare O’Gara
Wed | May 20, 2020 | 1:39 PM PDT

At the start of COVID-19, much of cybersecurity focused on a rise in attacks against the healthcare industry.

From an insider threat case that delayed the shipment of PPE to a Romanian ransomware group targeting public health, attacks kept going after the medical sector.

Now another significant cybercrime target is emerging: state unemployment benefit systems.

Hackers and cybercriminals are taking advantage of the sudden spike in unemployed Americans, expanded benefits being offered, and data stolen in previous cyber attacks.

And according to a United States Secret Service alert to its field offices, Washington State appears to the be epicenter of these attacks along with several other states.

The problem is so significant that Washington halted unemployment payments for two days at a time when unemployment is at its highest level in decades.

Hackers scam Washington State's unemployment insurance

"This is a gut punch."

That's how Suzi LeVine, Commissioner of Washington's Employment Security Department, described the recent cyber attack on the state's unemployment system.

According to The New York Times, hackers used a kind of "throwback method" to commit fraud on unsuspecting citizens and state taxpayers.

"The attackers have used detailed information about U.S. citizens, such as social security numbers that may have been obtained from cyber hacks of years past, to file claims on behalf of people who have not been laid off, officials said."

The Seattle Times revealed the scope of the problem which has been growing:

"In recent weeks, school districts, universities, municipal governments and private employers have told The Seattle Times that they have identified hundreds of suspect claims filed on behalf of employees who are still working. On Wednesday, a single employer—Western Washington University—told The Times that 410 of its 2,463-person staff had been targeted by fraudulent claims."

Recent updates from Katu2 have also revealed 1,008 unemployment fraud cases reported by the The Bellevue Police Department and 2,109 reports from the King County Sheriff's Department between May 1 and May 18. 

How were these fraudulent claims discovered? Some people received confirmation notices of their unemployment benefits even though they were still employed.

And some people who lost jobs filed for benefits and were told they were already receiving them.

And then there was the money being transferred from Washington State to banks in other places, such as Oklahoma. 

Cybersecurity journalist Brian Krebs covered that part of the story:

Elaine Dodd, executive vice president of the fraud division at the Oklahoma Bankers Association, said financial institutions in her state earlier this week started seeing a flood of high-dollar transfers tied to employment claims filed for people in Washington, with many transfers in the $9,000 to $20,000 range.

"It's been unbelievable to see the huge number of bogus filings here, and in such large amounts," Dodd said, noting that one fraudulent claim sent to a mule in Oklahoma was for more than $29,000. "I'm proud of our bankers because they've managed to stop a lot of these transfers, but some are already gone. Most mules seem to have [been involved in] romance scams."

And while Washington State is the epicenter of the attacks, the federal government revealed evidence of attacks in Florida, Massachusetts, North Carolina, Oklahoma, Rhode Island, and Wyoming.

The alert issued by the Secret Service indicates that the scheme is coming from a well-organized Nigerian fraud ring.

But "well-organized" seems to put it mildly, given how successful the group has been:

"A group of international fraudsters appears to have mounted an immense, sophisticated attack on U.S. unemployment systems, creating a network that has already siphoned millions of dollars in payments that were intended to avert an economic collapse."

Cybercriminals will rarely miss an opportunity like this.

Washington cyberattack: are poor cybersecurity practices to blame? 

A series of cyberattacks of this scale begs the question: how can this happen?

The U.S. Attorney in Seattle has some opinions on the problems in Washington State.

In a recent statement, U.S. Attorney Brian Moran urged the state to "address and fix the vulnerabilities" that allowed this hack to take place.

"Chasing these reprehensible criminals is just one part of the equation. The other part is for the state to address and fix the vulnerabilities in their system, and I am advised that they are working to address that part of the problem."

But other Washington officials pushed back against Moran's allegations.

If Moran knew of vulnerabilities in the unemployment system, other government officials are wondering why he never alerted anyone about his findings.

LeVine explained that she was "surprised, and really frankly disappointed" with the Attorney's statement.

"You know, as somebody who comes from the technology industry, I have a deep appreciation that you don't talk about your issues and errors, if you know of them, until after you've got them fixed."

David Postman, Chief of Staff for Governor Jay Inslee, expressed a similar sentiment:

"I'm really beside myself trying to understand why a law enforcement official who believes there's a vulnerability, so far unnamed, wouldn't tell us what they thought that was and offer to help," he said.

[RELATED: Researchers at Agari have linked these attacks to a Nigerian crime group dubbed "Scattered Canary."