How a ProPublica Reporter Learned Scammers’ Secret Sauce

When reporter Cezary Podkul began investigating how unemployment insurance fraud exploded during the pandemic, he discovered an international web of scammers, stolen identities and “sauce.”

(Cath Virginia, special to ProPublica)

When the federal government enacted the CARES Act in March 2020, it boosted jobless aid and expanded the benefits to include people who weren’t typically covered, like gig workers. The legislation was designed to cushion workers against the massive blow of a partial economic shutdown during the pandemic.

But if you haven’t already buried your memories of last year, you probably remember how difficult it was to get those unemployment benefits.

Horror stories circulated about people waiting on hold for weeks, trying to get the money they needed to stay afloat. Maybe you remember spending long hours on the phone or the computer yourself. Delays in unemployment benefits heightened feelings of uncertainty that characterized much of 2020, and made the experience of losing your job even more frightening.

But as Cezary Podkul reported for ProPublica this week, this expansion of benefits also attracted fraudsters from all over the world who sought to cash in on the CARES Act. In hindsight, the millions of phony unemployment insurance claims were a large part of what clogged states’ overtaxed computer systems, delaying payments to unemployed Americans filing legitimate claims.

We don’t have a full accounting yet of how much the fraud will end up costing taxpayers. The federal government says it will be at least tens of billions of dollars, but some experts fear it may end up in the hundreds of billions. And on the micro level, every stolen identity fraudsters use to cash in belongs to a real person. If that person tried to file for unemployment themselves, it could take months for them to convince state agencies they were a real person and receive necessary support.

We talked with Cezary about how he discovered the alternate universe of stolen identities and pseudonymous fraudsters selling how-to kits for scamming state unemployment agencies on the dark web. Here’s an inside look at a massive fraud wave.

I was really curious how you went about finding these online forums where scammers were swapping their trade secrets.

So I started off by reaching out to cybersecurity firms and asking them, “Hey, where are fraudsters trading tips and advice and talking about how to do this?” That pointed me to Telegram [an online messaging app]. I got the names of a few Telegram channels where this was happening, and I started looking at those. And then from there I did my own research and found lots and lots of additional ones; it certainly wasn’t hard, because there’s just so many of them.

Screengrab from Telegram’s website advertising the privacy they offer users. Cezary reached out to Telegram with detailed examples of some of the conversations he discovered, and the company did not respond to his queries. But shortly after he reached out, ten of the channels he had asked about went dark, with a message posted saying that they had violated Telegram’s terms of service. (ProPublica screengrab from Telegram)

Did you have a strategy worked out for how you would reach out to scammers?

To be honest, I didn’t know what to expect, because I have never been to any of these forums. I realized that they’re open, public forums. I’m sure there’s some that are private, or invitation-only. But the ones that we wrote about in our story, anyone who wants to view them or access them can enter them as if you were entering a public square in a city.

There was a big learning experience involved in this in the sense that there was a lot of unfamiliar language to me. It wasn’t as if you could just jump in and know exactly what’s being said. You had to see a lot of the traffic and read a lot of messages before you learned what certain acronyms were.

For example, what does it mean for a state to be “lit”? It’s paying out state claims.

At one point, I came across a message in one of the forums that actually had a dictionary, which was super helpful. That was kind of like the Rosetta Stone, and once I came across the dictionary I could translate a lot of this stuff into plain language.

The “dictionary” of terms scammers use that helped Cezary understand the world of online scams. (ProPublica screengrab from Telegram)

You quote one scammer’s response in the article that’s just two eye roll emojis. I was so curious what question you asked that prompted that response.

Yeah, the eye roll emoji! So that was the user who we cite in the story named “VerifiedFraud.” He was the admin for one of these channels where there was something like 1,300 participants, and he posted what’s called a “sauce.” Sauce, in the language of these forums, is the secret sauce for filing fake unemployment insurance claims in a particular state. He gave away a free sauce to his channel participants. And I asked him about that: Hey, tell me about the sauce. I noticed that you put it on your forum for participants along with the “new month prayer” wishing them luck.

When I messaged him about that I got the eye roll.

VerifiedFraud’s prayer for his followers wishing them luck scamming the U.S. government in July. (ProPublica screengrab from Telegram)

And I guess you told him you were a journalist?

Oh, yeah, absolutely. With all the people that I was contacting, I made it abundantly clear: “Hey, I’m a reporter, I'm writing a story about this. I noticed you said this or that and I wanted to talk to you more about it.” You know, “Tell me more about your ‘Fraud Bible.’ Does it work?”

Did you ever try a sauce to see if it worked? Or send it to a state agency?

No. As a journalist, I wanted to make sure I wasn’t doing anything illegal.

I did send a bunch of these sauces — the ones that name specific states that were publicly available — to the states. I sent them to Pennsylvania, New York and California, and I asked them for comments. The states declined to comment on the specifics of whether they worked or anything like that. But they did say generally that they’re aware of them, that they’re monitoring these types of messages with their law enforcement partners.

You have this quote from a scammer in the article: “Virtually all these wealthy entrepreneurs you see around 90% of them started with something illegal to make enough money to run their business.” It seems like some of these people consider themselves businesspeople, and they put some work into this. How different is what they’re doing from working an actual job?

There’s probably some people for whom this has become a full-time endeavor, where this is the main way they’re trying to make money right now because of the opportunity that has been opened up.

But there’s certainly people for whom they might have a day job doing something else. For example, one case involved a Nigerian national who ran an online shoe store. He was also accused of participating in a scheme to defraud states of unemployment insurance funds. And I think the total in that case was something like $489,000 across 15 states. [He’s pleaded not guilty to charges in the case.]

So there’s certainly people who do other things, but there’s others who I’m sure have made this sort of their full-time path. I think it does kind of run the gamut.

Did you get a sense of what percentage of people were working from outside the United States?

There’s no way to tell what percentage. But in reading the messages in these Telegram channels, I definitely got the feel that this was a very international crowd, because you do see messages from people, for example, looking to meet up to do deals in Lagos, Nigeria.

The statistic that really put a period on this for me came from one of the cybersecurity firms that we talked with. They said that one state they work with saw unemployment insurance applications coming from nearly 170 countries around the world.

So these are supposedly state residents applying for unemployment insurance, but when you trace the internet traffic, you see this application is coming from … gosh, they had countries all over the world. It was like the United Nations.

Normal people trying to get unemployment checks in the middle of the pandemic were really struggling, waiting on the line for days at a time and getting disconnected when they were trying to get their unemployment checks. Did you get any sense of if and how fraudsters were better at getting unemployment checks than real humans?

One of the things that I think maybe hasn’t been talked about as much is the interplay between this huge wave of fraudulent claims that we saw and legitimate claimants. Because the information technology on which states are running their unemployment insurance systems is, in many cases, very dated.

Like with North Dakota, they had to actually bring in computer programmers from Latvia to help them run their unemployment insurance computer system last year, because it’s so hard to find anyone who can service the technology. It’s been around for decades.

When you’re dealing with very dated technology, it doesn’t scale well. It can’t handle such huge volumes that we were seeing there during the pandemic. So when you had this huge influx of fraudulent claims, I think it did a few things.

One is it definitely slowed down processing of legitimate claims, because you just end up with backlogs of applications that the states are still struggling to get through because there’s so many people who have applied. There are legitimate claimants mixed in with fraudulent claimants and you have to kind of triage those, and figure out which ones are high-risk, which ones look like they're very likely to be fraudulent, versus which ones are medium-risk and which ones are low-risk — and you put those through.

The other thing that it spikes is the call volumes. When I asked [Texas officials], why was it so hard for an individual that we profiled in the story to get through to Texas, it was just because they had such a massive call volume. There’s so many people calling the fraud line reporting fraud, there’s so many people calling for help, so many people seeking states’ attention, they just become overwhelmed. That has an impact on legitimate claims.

And then finally, you have legitimate claimants who are collecting unemployment insurance payments, and those payments either stop or are frozen because of suspected fraud. So someone else just stole your identity and used it to file a claim in another state, and all of a sudden you might see your benefits stop, which is what happened to Philip Payton, the individual we profiled in our story.

By flooding the system with so many fake claims, not only did fraudsters, in some cases, get away with pocketing those fraudulent payments, it really caused a lot of hardship for legitimate claimants.

The fraudsters are also probably working with the advantage of being able to send out 40 applications to 40 different states, and if they only get paid by 18 and get stuck in backlogs in the others, it doesn’t cost them very much.

Exactly. It basically comes down to a game of numbers.

Let’s say you go onto a dark web forum and you purchase some stolen identities. You pay $50, $70 for a stolen profile of someone. If you’ve got it, then it makes sense for you to file in all the different states where you think it might pay off, to all the different programs, to all the different government benefits you think that individual might be entitled to. If you don’t, you might be leaving money on the table.

One of the most shocking statistics that I came across, just on a micro level, was in one of the Department of Labor’s Office of Inspector General reports. They mentioned that one person used a single Social Security number to file fake unemployment insurance claims in 40 states, and 29 states paid up. They got something like $222,000.

A message on Telegram encouraging fraudsters that they only need one lucky day to be “successful.” (ProPublica screengrab from Telegram)

I think we’re now at that point where we’re starting to realize that this has been a huge problem. And to be fair, it wasn’t just unemployment insurance. You’ve seen our coverage of people creating fake farms in places that wouldn’t even have a farm, like farms on beaches or people claiming they had an orange farm in Minnesota, to apply for PPP loans.

I’ll be curious to see if cybersecurity surrounding these leaks that led to IDs and Social Security numbers getting out is wrapped up in reform bills too.

If I can put in a plug: If anyone knows where all of the leaked data came from, I would love to talk with anyone who’s got information on that.

One of the terms that you see being used on these Telegram chat rooms is the word “fullz.” Fullz is slang for the full suite of personally identifiable information like someone’s name, address, Social Security, driver’s license, the whole thing.

If you’re going to be filling out an unemployment insurance claim form in someone’s name, if you just know their name and their address — okay, that’s one thing. But if you have a full suite of information on a person it just makes it so much easier for you to file a claim that has a significantly higher chance of getting through the system.

So one of the questions that I was asking is: Where did all the fullz come from? This is a question that I became obsessed with in the reporting of this project, and I just couldn’t get a good answer to it. So if anyone reading this has a good answer for that, or a good theory, reach out to me and I’ll be more than happy to talk to you.

Brooke Stephenson

Brooke Stephenson was a Scripps Howard Audience/Newsletter Fellow at ProPublica.
