Ohio opens criminal probe into pandemic unemployment fraud

Nigerian fraud ring active in Ohio since May?
Posted at 5:00 AM, Aug 20, 2020
and last updated 2020-08-20 18:31:19-04

CINCINNATI — The Ohio Department of Job and Family Services says it’s preventing up to $200 million in fraudulent payments per week with its suspension of about 270,000 accounts for Pandemic Unemployment Assistance.

The suspension began in mid-July.

“We are potentially looking at a figure of upwards of $800 million or so that we have safeguarded by not allowing those claims to move forward,” director Kimberly Hall told the I-Team in an Aug. 11 media briefing.

What Hall hasn’t said is how much was lost before the suspension was imposed.

“We’re still working on that figure,” she said.

A California-based cybersecurity expert says Ohio’s fraud losses could run into the hundreds of millions of dollars, based on details already disclosed by the state and his own research. It suggests the Nigerian fraud ring Scattered Canary has been actively pursuing PUA claims in Ohio since May.

“It’s a big number but it is believable when you consider that this is unprecedented,” said Armen Najarian, chief identity officer for Agari Inc. “The amount of funds that were made available in a very short time frame with known, light controls and in some cases no controls, it’s plausible.”

ODJFS declined to comment on Najarian’s observations because a criminal investigation is underway to determine who is responsible for the fraud.

“This is an active investigation,” said ODJFS spokesman Bret Crow. “We are limited in what we can say until that investigation is complete. We are working with various local, state and federal law enforcement agencies, including the FBI, the Secret Service, state and federal prosecutor offices, the Ohio Attorney General’s Office, the Ohio State Highway Patrol, and local law enforcement.”

Scattered Canary?

The I-Team has been tracking the potential for PUA fraud since early June, when the Labor Department’s Inspector General warned Congress that the program’s rules made it too easy for criminals to collect fraudulent payments. By that time, Ohio had already paid $1.1 billion in PUA claims and the state of Washington had already lost “hundreds of millions” of PUA dollars from “tens of thousands” of fraudulent claims.

Hall was aware of the Washington attack, but told the I-Team in a June 4 media briefing that Ohio was on guard.

“I just wouldn’t be surprised if people with nefarious intent are out there trying,” Hall said. “But we pride ourselves in our protocols. In Ohio, we do pretty well with our fraud detection methods.”

When Hall made those comments, Scattered Canary was already at work in the Buckeye State, according to Agari.

“We’ve seen a total of four verified attacks in the state of Ohio from Scattered Canary” between May and July, said Najarian, who has been tracking the group’s activities since 2018.

According to a 2019 research paper in which Agari named the group and first described its exploits, Scattered Canary caught Agari’s attention by spamming its chief financial officer.

“What followed was a series of engagements that resulted in our team gaining deep insight into this group,” said the 31-page report, “including its scattershot origins, how its actors fit together, and how it achieved its remarkable growth trajectory.”

As a result of its research, Najarian said his company “can see what email correspondence they have with certain victims.” Agari's research paper says it has linked Scattered Canary to 13 fraudulent U.S. tax returns, 11 fraudulent applications for Social Security benefits and at least four dozen credit card applications at four U.S.-based financial institutions. The report doesn't say if any of these cases were linked to Ohio.

Since April, Agari has also documented PUA fraud attempts by Scattered Canary in 14 states, including Washington, Michigan, Ohio and Indiana. The group uses “mules” to cash fraudulent PUA payments and transfer proceeds out of the country, Najarian said.

No fraud attempts were observed by Agari in Kentucky, Najarian said.

"Scattered Canary attempted to create unemployment accounts in Indiana starting around May 29. We have observed correspondence through June 11," Najarian added. “For the state of Ohio, we first detected Scattered Canary May 18. Our last known detection for the state of Ohio was July 13. Between that two-month window, there were perhaps other attempts that Agari did not have visibility into.”

'Not the right thing to do'

State and federal investigators are trying to keep pace with the fraudsters. Washington state announced in early July that it recovered $300 million in fraudulent payments, thanks to cooperation with banks and federal prosecutors.

On July 9, the U.S. Attorney for the Southern District of Indiana announced charges against a mother and daughter from the Evansville area. They’re accused of transferring unemployment benefits from Washington state through wire frauds to a third party, using Indiana bank accounts.

“This fraud network is believed to consist of hundreds, if not thousands, of money mules with potential losses in the millions of dollars,” said a press release. “The financial institutions targeted have been at all levels including local banks, credit unions and large national banks.”

On July 27, the U.S. Attorney for the Eastern District of Michigan announced charges against a contract employee for the Michigan Department of Labor. She allegedly “used her insider access to fraudulently release payment on hundreds of fraudulent claims” worth over $2 million, according to a press release.

Najarian said the rules of the PUA program made it easier for fraud rings to target state unemployment systems. That’s because states were directed by the U.S. Department of Labor to let claimants “self-certify” their eligibility. That meant bogus claims qualified for at least 21 days of minimum payments, or about $567 dollars in Ohio, before they ever had to submit documents to verify their eligibility.

“If the individual fails to provide documentation within 21 days, they are not rendered ineligible for PUA benefits,” wrote Elliott Lewis, an assistant inspector general for the Labor Department in a May 26 memo opposing the policy. “Consequently, an individual could continue to receive an average of $775 per week based solely on an initial undocumented self-certification.”

Najarian said he isn’t aware of any state that prohibited self-certification.

“It felt like the right decision in early days,” Najarian said, “to remove as many barriers as possible to get these funds in the hands of needy citizens as soon as possible. And, with that, with the law of unintended consequences, with the abuse which is certainly rampant, I think it would be easy to say right now that having minimal verification was not the right thing to do.”

Director Hall told the I-Team in an Aug. 4 media briefing that she was “acutely aware of the outcry around individuals who were not eligible for regular unemployment, who were impacted very deeply by the need for a temporary shutdown and closures in response to the pandemic.” The state was also facing criticism for not setting up its pandemic unemployment program quickly enough.

RELATED: Why did Ohio outsource jobless benefits?

“We erred on the side of Ohioans,” Hall said. “Self-certification was permitted, so we did not violate any law by allowing that. But we wanted to move as quickly as we could to get funds in the hands of those who were eligible.”

It’s now clear that PUA benefits also found their way to thousands who were not eligible. In her Aug. 11 briefing, Hall estimated at least 59,000 PUA accounts are likely “bogus claims.”

Of the roughly 270,000 suspended PUA claims, Hall said 56,000 have been released for payment because the department’s data analysts have deemed them to be legitimate. About 155,000 have entered a “fact-finding” process in which the department asks claimants to answer questions about their eligibility and provide additional documentation.

Another 59,000 are “red flag claims involving deceased individuals, fraudulent IP addresses, multiple versions of the same bogus email addresses and hundreds of claims that are sometimes tied back to one email address.”

Hall said ODJFS is “working with our law enforcement partners” on a “deeper evaluation and engagement” of the fraudulent activity it’s uncovered so far. She said the criminal investigation would involve “a smaller subset” of the 59,000 “red flag claims,” but declined to provide further detail.

Because 59,000 is 22% of all suspended claims in Ohio, Najarian said it’s reasonable to assume those accounts were receiving $44 million a week before the suspension. That’s 22% of the $200 million a week Ohio now claims it’s saving because it suspended accounts in mid-July. If the fraudulent accounts went undetected since May 18 — when Agari first documented fraud attempts in Ohio — ODJFS could have paid more than $350 million to criminals.

“It’s an alarming number, and I think there’s a lot of truth to these numbers,” Najarian said. “We’ve seen signals that would suggest that, based on the other states that we’ve looked at and just the high-profile nature of the abuse that is known to have happened.”

Find WCPO 9 everywhere you stream!

Let the I-Team investigate
Send us your story tips today to
Or call 513-852-4999