Nigerian BEC Gang Targeting COVID-19 Unemployment Benefits and CARES Act Payments

A Nigerian cybercriminal organization known as Scattered Canary has submitted hundreds of fraudulent claims for unemployment benefits and COVID-19 relief fund payments that have been made available under the CARES Act in the United States.

Scattered Canary is one of the most prolific business email compromise (BEC) gangs operating out of Nigeria and employs dozens of individuals to conduct email scams. The scammers have submitted at least 200 fraudulent claims for payments through the IRS website and websites used by state departments to provide funds to support individuals who have been unable to work due to the COVID-19 pandemic. According to a recent alert issued by the U.S. Secret Service, the scammers have targeted unemployment benefits sites used by Florida, Massachusetts, North Carolina, Oklahoma, Rhode Island, Washington and Wyoming. The gang has also previously applied for CARES Act Economic Impact Payments. At least 82 claims for CARES Act Economic Impact Payments were submitted by Scattered Canary, of which at least 30 were paid.

Agari discovered found the gang is also targeting an unemployment benefit scheme in Hawaii and identified the method being used by the attackers to submit large numbers of claims. The scammers use what Agari calls “Google dot accounts” to submit multiple claims. Google dot accounts are variants of a legitimate Gmail email address. When a user sets up a Gmail account, they also own all dotted versions of that email address. For example, if the following email address was set up: becscammer2020[@], any emails sent to b.e.c.scammer2020, bec.scammer2020, or any other dotted versions of that email address would all be sent to the same account.

Google will treat all of these email addresses as the same account, but most internet sites treat each email address as a separate account. This allows multiple email addresses to be used on fraudulent claims and all responses will be directed to the same email account. Agari identified 259 variations of a single email address were used to submit fraudulent claims under the Pandemic Unemployment Assistance Program in Massachusetts.

17 fraudulent claims were submitted with the state of Massachusetts, which pay out weekly benefits payments at a maximum of $823 per week for 26 weeks. These claims alone would allow the attackers to obtain up to $500,000. The maximum potential losses through the unemployment program in Washington was calculated to be $4.7 million.

Agari has suggested the scammers are obtaining the data they need to submit fraudulent claims from W-2 forms stolen in W-2 phishing attacks. Agari notes there has been a spike in W-2 attacks after April 15, 2020, which is the first spike in W-2 attacks that Agari has seen in more than a year. In these attacks, the scammers fool businesses into emailing the W-2 forms of their employees. W-2 forms contain all the data required to conduct tax fraud and apply for unemployment benefits.

The bank account information supplied by the attackers to receive the unemployment benefit payments are legitimate U.S. bank accounts under the control of the attackers, oftentimes the bank accounts of mules that have been recruited to receive the funds in exchange for a percentage of the money received. Many accounts used in these benefits scams are the bank accounts of victims of romance scams. The scammers are also using Green Dot prepaid cards to cash out. Green Dot cards can receive direct deposits including government benefits. Agari has identified 47 Green Dot cards used by the scammers. In each case they have been set up in the name of the person due to receive the unemployment benefit so as not to arouse suspicion.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of