When investigators raided a strip mall store in Garden Grove, California, in December, they found a line of customers snaking around the parking lot and huge stacks of cash inside the store.
Orange County prosecutors say Nguyen Social Services was charging up to $700 a pop to file false unemployment claims for people who did not qualify to receive Covid-19 relief money.
The brazen fraud was part of an overall scheme that cost taxpayers an estimated $11 million, prosecutors say.
“This isn’t just an Orange County problem. It isn’t just a California problem,” said Orange County District Attorney Todd Spitzer. “This is a breakdown of catastrophic proportions that has failed the American taxpayer.”
Government aid programs have long been fertile ground for scammers. But the scale of the fraud in the unemployment program created by the CARES Act has reached a staggering level, state and federal officials say.
The Labor Department inspector general has yet to complete a full investigation but, based on previous programs, estimates at least $63 billion of the $630 billion in disbursements has been misspent. The full scope of the loss in taxpayer funds is likely many times higher, experts and officials say, soaring well beyond $100 billion.
A rush to release the funds put enormous strain on state workforce agencies, creating a bonanza for individual scam artists and international cybercrime rings. And the federal government was slow to act despite early red flags, according to interviews with more than two dozen fraud experts, senior law enforcement officials and state and federal officials.
The Justice Department has assembled a task force to root out fraud across all 50 states and U.S. territories. Only now is the extent of the theft of taxpayer funds starting to come into focus.
A senior federal law enforcement source familiar with the investigation said the fraud is so complex and multilayered that it will take months to develop a full accounting.
Full coverage of the coronavirus outbreak
“It just continues to kind of spiral out and connect to other types of fraudulent acts,” the source said.
Officials in California, one of the only states to launch a review of the Covid-19 relief program, said they have tallied $11 billion stolen from taxpayers so far, but the total figure could be as high as $30 billion, or 27 percent. An early review in Nebraska, which looked at all statewide payments through June, found roughly 66 percent of unemployment money was misspent.
"In California, this is unquestionably the largest fraud against public agencies in our history," said Vern Pierson, president of the California District Attorneys Association. "Increasingly we are learning there could be fraud of historic proportions nationwide. While we don’t know the exact price tag, we know the amount of the loss of taxpayers is staggering."
A tsunami of attacks
The CARES Act was supposed to be a lifeline for a U.S. economy in free fall. Seeking the most efficient way to get cash into the hands of millions of jobless Americans, Congress turned to state workforce agencies, which administer unemployment insurance programs.
One of the act’s mandates was a new initiative called the Pandemic Unemployment Assistance program, aimed at helping gig workers, caregivers and people who are self-employed, all of whom are not typically eligible for unemployment insurance.
The program was quickly flagged as high-risk by the Labor Department’s inspector general. There was no former employer to verify this category of claims, so states had to build the program around self-reported work history. On top of that, many states also relaxed internal controls amid pressure to quickly approve a crushing influx of claims, according to state and federal officials.
“Water is going to find the leak. The criminals are going to find the weakest link,” said Alyssa Levitz, who leads the unemployment team at U.S. Digital Response, a nonprofit that provides tech assistance to local governments responding to crises. “And as the Pandemic Unemployment Assistance was being stood up, it was the weakest link.”
NBC News asked all 50 state workforce agencies how much money they have lost to fraud, but the vast majority that responded said they did not yet know the full extent of the loss.
Early indications in some states point to massive problems.
In routine reviews of payments through last June, Nebraska’s auditor found two-thirds of unemployment funds were misspent, and Kentucky’s auditor found that the program’s internal controls were so weak that they violated federal law.
The former executive director of Kentucky’s state workforce agency wrote in an email to staff: “Keep in mind, the goal is to put money in people’s hands ASAP to help them survive,” according to the audit.
The nationwide theft of taxpayer dollars continued quietly until December when Congress mandated that states verify the identity of claimants.
ID.me, an identity verification company that has now been contracted by 21 states, told NBC News that it is holding the line against a “veritable tsunami” of fraudulent claims flooding into state systems, raising questions about what passed through unseen before they got there.
“It’s like looking at fire burning inside of a house, but no fire alarm is going off,” said Blake Hall, the chief executive officer of ID.me. “It really is a national crisis.”
A wide array of fraudsters
More than 100 defendants have been charged across 71 cases in connection with CARES Act unemployment fraud, according to the Department of Justice. Federal authorities have seized or frozen $65 million, which is close to half of the actual losses associated with the crimes.
Many more people have been charged in state courts in connection with defrauding the program.
Huy Duc Nguyen and Mai Dacsom Nguyen, the pair accused of forming Nguyen Social Services to steal taxpayer funds, have each been charged with multiple counts including perjury and conspiracy to defraud another of property. They were released from custody but have not yet entered a plea.
Attempts to reach them were not successful. A spokesman for Orange County Superior Court said the court has not been notified that they have hired an attorney. The Nguyens are due back in court next month.
But for the overwhelming majority of phony unemployment claims, the culprits have not been caught.
The most common tactic used to fraudulently obtain cash meant for newly unemployed people is not especially sophisticated, experts say.
Identity thieves, who use Social Security numbers and other personal information stolen in data breaches and available on the dark web, account for 20 percent of the phony claims identified by ID.me, according to a company report.
“It’s so widespread and indiscriminate that they even target people who are heads of law enforcement agencies,” said Illinois Attorney General Kwame Raoul, who told NBC News that a scammer used his personal information to illegally obtain funds.
High-profile politicians such as Sen. Dianne Feinstein, D-Calif., and Ohio Gov. Mike DeWine were also victimized in this way.
Many identity theft victims may have no idea that benefits were filed in their name. But in recent weeks, millions of Americans began receiving 1099 tax forms from the IRS for benefits they never got.
Michael Webb, a 41-year-old former business owner from Lexington, Kentucky, was dumbfounded when he received a 1099 that showed $13,000 in benefits was filed in his name.
Webb had filed for unemployment benefits in March — and followed up repeatedly since then — but never got his claim approved. He now suspects it may have been because someone had already made a claim using his personal information.
“We're this close to losing everything,” said Webb, a father of three.
Another 10 percent of fraud comes from more elaborate “social engineering” attacks where an attacker tricks a victim into sharing personal data or otherwise cooperating in the fraud.
These attacks have played out in the form of multistage romance schemes, in which scammers try to woo victims and then convince them to hand over personal information, and even mass scam texts purporting to be from government agencies. To pass facial recognition checks, some criminals have even used 3-D printers to create masks of identity theft victims’ faces, according to ID.me.
In one chat transcript shared with NBC News, a victim thought he was getting hired by a German packaging company. Whoever was behind “Mr. Chapin Floyd, Materials and Quality” succeeded in convincing the victim to send his government ID, credit score and wireless carrier, among other details.
The opportunities have attracted garden-variety criminals, jail and prison inmates and at least a few desperate first-time offenders. But the most prolific offenders appear to be transnational organized crime groups out of West Africa, Asia and Eastern Europe, law enforcement officials say.
Cybersecurity firm Agari issued a report last May detailing how Scattered Canary, a Nigerian cybercrime ring that specializes in online scams, was targeting CARES Act unemployment insurance.
Researchers say it didn’t take long for playbooks on how to target unemployment agencies to pass through the dark web to like-minded scammers in places like Dubai, Hong Kong and Moscow.
“They are seeing essentially trillions of dollars that is up for grabs,” said Crane Hasshold, Agari’s senior director of threat research. “This is their World Series. This is their Super Bowl.”
A slow government response
There were early red flags that unemployment insurance was being targeted heavily by criminals.
Over the first few months of the program, Washington state announced hundreds of millions lost to fraud, and law enforcement agencies including the FBI and the Secret Service issued warnings. Meanwhile, some economists puzzled over why data showed there were more people collecting benefits than were actually unemployed.
The Labor Department’s inspector general has issued several public reports, including a June report to Congress that warned “the volume of UI investigative matters currently under review is unprecedented in the DOL-OIG’s history” and warned of losses higher than $36 billion.
The previous administration issued guidance to states and provided funding to combat fraud but took little public action other than that. In a November report, the Labor Department inspector general noted the department has “made efforts to focus on program integrity” but needed to develop better oversight of state unemployment claims.
A senior Labor Department official under the Biden administration told NBC News, “There was not enough focus from this agency and others, that was swift enough and focused specifically on the evolving type of fraud that it was seeing.”
Download the NBC News app for full coverage of the coronavirus outbreak
A Labor Department spokesperson said in a statement to NBC News: “We are working on a comprehensive approach to partnering with states to minimize fraud, waste and abuse, while making sure Americans who have lost their jobs through no fault of their own are able to receive the benefits they deserve and desperately need.”
The embattled state agencies are likely to face further strain — at even higher stakes for taxpayers — with the next round of federal stimulus. The situation is “extremely serious,” in the words of the senior official at the Labor Department.
Criminals continue to flood the system, bouncing between states. ID.me recently caught 2.2 billion server requests out of Hong Kong in a single day and four major distributed denial-of-service attacks — attempts to overwhelm the server — originating from Nigeria in a single morning.
“It’s going to take a while to figure out the scope of this thing,” said Mason Wilder, a senior research specialist at the Association of Certified Fraud Examiners. “But the scale of it just dwarfs anything else.”