Agari uncovers massive business email compromise (BEC) and COVID-19 fraud

Tech Intelligence Bulletin (HG Insights) – Agari, a leader in phishing defense solutions for the enterprise, has linked the cybercriminal organization dubbed Scattered Canary to massive fraudulent schemes related to the COVID-19 pandemic, targeting at least eight US states.

“We’ve observed that this is by far one of the most complex and prolific cybercriminal organizations we have uncovered to date. Scattered Canary perpetrates a range of fraudulent schemes, including business email compromise (BEC) scams, unemployment fraud, social security fraud, student aid fraud, and now COVID-19 related fraud,” said Armen L. Najarian, CMO and Chief Identity Officer, Agari.

Threat intelligence gathering

Observations and threat intelligence gathered by the Agari Cyber Intelligence Division (ACID) indicate that in May 2020 the state of Hawaii became Scattered Canary’s latest unemployment fraud victim, joining Florida, Massachusetts, North Carolina, Oklahoma, Rhode Island, Washington, and Wyoming.

While it is too early to measure the full fraud dollar loss impact on Hawaii, an assessment of Scattered Canary’s fraudulent attacks on the state of Washington could be a bellwether. Since April 29, the group has filed at least 174 fraudulent claims for unemployment with Washington. This is consistent with public reporting of a recent U.S. Secret Service alert mentioning that Washington has been the primary target of fraudulent unemployment claims. Based on communications sent to Scattered Canary from the state of Washington, these claims were eligible to receive up to $790 a week for a total of $20,540 over a maximum of 26 weeks. Additionally, the CARES Act includes $600 in Federal Pandemic Unemployment Compensation each week through July 31. This adds up to a maximum potential loss of $4.9 million as a result of these fraudulent claims.

Payroll diversion BEC attacks

Agari analysis shows that Scattered Canary exploits Green Dot prepaid cards to “cash out” its fraudulent claims. Prepaid cards have previously been exploited to facilitate payroll diversion BEC attacks because the cards can be used to receive direct deposit payments. Green Dot cards are also advertised as being able to receive government benefits, such as unemployment payments, up to four days before they’re due to be paid, making them an attractive vehicle for groups like Scattered Canary to use in scams.

Scattered Canary organized itself more than 10 years ago and is based in Nigeria. Its long operating history hardened its methods and prowess for committing fraud and socially engineered attacks. Agari first alerted law enforcement to Scattered Canary in early 2019.
