Revelations last week that this spring’s $576 million unemployment fraud, the largest in state history, started much earlier than previously acknowledged have spurred a storm of new questions over the handling of the crime.
Data released Aug. 3 by the state Employment Security Department (ESD) shows that criminals were filing fake claims in the first week of March. That’s more than two months before ESD publicly disclosed the fraud and temporarily froze benefit payments, in mid-May, by which time a staggering 56% of the weekly claims ESD was paying were from criminals, many of them reportedly overseas.
But even before Monday’s disclosures, some state lawmakers and others were questioning whether ESD had inadvertently abetted the scam by lowering fraud detection protocols to speed up legitimate claims by hundreds of thousands of Washingtonians left jobless by the pandemic.
Sen. Ann Rivers, R-La Center, told The Seattle Times that early in the pandemic, “a deliberate call was made to turn off the internal fraud detection” controls at ESD. Rivers said the decision, which she learned about from an ESD staffer, followed considerable internal debate over the fraud risks inherent in that change.
Sen. Reuven Carlyle, D-Seattle, who chairs the state technology committee, said he hasn’t seen hard evidence of specific changes to ESD systems. But conversations with the agency have left him with the “impression” that “there were some policy choices and some decisions that were … very important to that kind of balance between accessibility of the public and vulnerability to fraud.”
ESD Commissioner Suzi LeVine flatly rejects suggestions that the agency changed its fraud detection systems. Instead, she maintains that fraudsters, who also hit other states, succeeded largely by hiding beneath the “tsunami” of legitimate claims that overwhelmed ESD and other unemployment agencies. For example, Maryland recently reported foiling a scam involving $501 million in fake claims.
“I know a lot of people are going to try to Monday morning quarterback it,” LeVine said during a July 31 interview. “The minute that we knew of the magnitude of this, we took swift and decisive action.”
The state Auditor’s Office expects to complete five planned investigations into both the crime and the agency’s struggle to process legitimate claims, but not until next spring.
In the meantime, however, ongoing disclosures and criticism have already complicated ESD’s narrative about how the fraud unfolded and whether it might have been stopped earlier.
The perfect storm
Since disclosing the fraud, ESD officials have hewed to the same basic theory of why Washington was hit so hard by criminals, including, reportedly, a Nigerian-based fraud ring dubbed “Scattered Canary.”
Washington was among the first states to begin paying out expanded benefits enacted by Congress during the pandemic, including a $600 weekly payment. By late March, a Washingtonian — or someone impersonating one — could apply for as much as $1,390 a week in combined state and federal benefits.
And thanks to emergency federal guidance aimed at speeding relief to workers, Washington joined many states in eliminating the usual “waiting” week when claims would have been verified before being paid, typically by notifying employers.
But a critical factor, ESD officials have said, was the sophistication of the attack, which included using Social Security numbers and personal information obtained from earlier data breaches to make fraudulent claims virtually indistinguishable from legitimate ones.
That was especially true early in the pandemic, when criminals were testing ESD’s system with just a few claims — approximately 100, based on ESD data.
“Slip through the cracks”
But ESD’s narrative provokes questions. Although ESD officials have said they became aware of the fraud shortly before April 21, when they alerted federal investigators, outsiders had already seen earlier warnings.
The Seattle Fire Department, for example, got notification of the first of 145 claims filed in the names of staff who were still employed — including Fire Chief Harold Scoggins — on April 6.
Suspecting fraud, Dori Towler, the department’s senior personnel specialist, contacted law enforcement and on April 29 alerted ESD. That same day, Towler received an email response from the head of ESD’s fraud unit that seemed like an “under-reaction,” according to Helen Fitzpatrick, executive director of administration for the Fire Department, who shared the email with The Seattle Times.
“Thank you for bringing these cases to our attention,” said Patricia Trevino, director of ESD’s Office of Special Investigations, in the April 29 email. “We are running reports and cross matches to look for fraudulent claims. However, some do slip through the cracks.”
In fact, by the last week of April, ESD was averaging around 2,000 fraudulent claims a day, based on ESD’s weekly data.
In theory, ESD had systems that might have helped plug some of those cracks.
The agency processes claims on its Unemployment Tax and Benefits system (UTAB), which launched in 2017. That system, budgeted at $44 million and based on off-the-shelf software from Colorado-based Fast Enterprises, reportedly came with fraud-control features that allowed ESD to scan incoming claims for characteristics that might indicate fraud.
LeVine appears to refer to that capability in a June 5 letter about the fraud to U.S. Labor Secretary Eugene Scalia, noting that ESD “runs a daily discovery report against initial claims and weekly claims filed, analyzing claims that are most likely fraud.”
ESD also used an identity verification service, by LexisNexis, that can check applicants’ information against numerous online databases and other data, according to Carlyle.
ESD has provided few details about its fraud detection; the agency doesn’t want to provide a “road map” to criminals, LeVine has said.
But some of that process has changed since LeVine’s arrival in the summer of 2018. The LexisNexis service was discontinued in the third quarter of 2018, in part due to its high cost, according to Carlyle.
(As of Friday evening, ESD spokesman Nick Demerice was unable to confirm how or whether ESD replaced the identity verification capabilities of the LexisNexis service.)
In theory, the more aggressively a system scans for the fraud, the more likely claims are to be flagged for additional review, which might have further delayed payments of legitimate claims.
And by late March, ESD was slammed by pandemic layoffs. In the week ending March 28, the agency received 181,975 unemployment claims — or more than 30 times as much as the same week in 2019. The system was so swamped that many claimants couldn’t even file a claim, and payment delays were growing.
LeVine and other ESD officials say that flood of claims made it virtually impossible to know whether any early increases in fraud were merely commensurate with the jump in overall claims — some small percentage of fraud is normal — or whether it was evidence of a serious threat.
“Testing the fence”
Yet it was during those early weeks that criminals “were testing the fence to see if it was hot,” said Rivers.
Whatever technological fences ESD had in place, they weren’t adequate. When ESD finally became aware of the nature of the attack, around April 21, it wasn’t because of UTAB or other technologies, LeVine has said, but because of reports by employers and others, including local and federal law enforcement.
And in many cases, those alerts represented almost the antithesis of high-tech: Employers would receive an ESD notification, up to a week after criminals had filed the bogus initial claim, and would then have to contact ESD, Demerice says.
As a result, when criminals sharply escalated their attack in the first week of May—bogus claims filed that week and subsequently paid by ESD accounted for $409.8 million, or 71% of the multi-week fraud–employer reports regarding those bogus claims might not have reached the agency until the following week, says Demerice.
On May 13, ESD temporally stopped all payments. Two days later, the agency flagged nearly 200,000 claims as suspicious and suspended payments on them while they were reviewed. The agency eventually confirmed that a total of 86,449 claims, representing $576 million in payments, had been fraudulent.
In the months since the attack, $340 million of the stolen money has been recovered. ESD has beefed up its anti-fraud efforts, in large part based on lessons gleaned from the attack. The goal, which even critics like Rivers share, is to ensure the state never suffers a similar attack.
But important questions remain for the state Auditor’s Office. Among them, did the state miss red flags, such as an uptick in traffic from offshore internet addresses or in the frequency of claims using out-of-state bank accounts? And were there changes in state systems that made those easier to miss?
Carlyle, who has a background in the tech industry, thinks the episode provides an opportunity to rethink the state’s entire approach to cybersecurity, which he says is currently fragmented among different agencies. He plans to hold a public work session on the fraud in September.
Carlyle also wants to avoid second-guessing the decisions LeVine and other ESD officials made under extreme circumstances. “I want to be super clear: I am not critical of the policy decisions that were made in real-time on the field,” Carlyle said.
But he questions the agency’s reluctance to share a complete picture of the fraud.
For example, although ESD sent an email on May 11 to Carlyle and other state lawmakers and leaders noting “a dramatic rise in impostor fraud,” Carlyle says, additional details were slow to come.
On May 13, the day before ESD disclosed the fraud to the public, Carlyle says he had a call with LeVine and her senior leadership to discuss technical issues with UTAB that were contributing to delayed payments to workers.
During that call, Carlyle says, LeVine and her team didn’t raise the subject of the fraud, an omission Carlyle says he found “unsettling.”
“And maybe there was an intentional decision not to express to me what … they thought might be going on,” Carlyle says. “But I’m just saying I was on a call with most of the senior executives and it didn’t come up.”