Government cash stimulus payments used as a social engineering lure by cybercriminals

Email warning
(Image credit: Shutterstock)

New research from Proofpoint has revealed that cybercriminals are using social engineering lures related to various coronavirus stimulus packages around the world to trick users into clicking on malicious links or downloading files with malware.

One such campaign is targeting US healthcare and higher education organizations as well as companies in the technology industry with emails that contain a message claiming that the Trump administration is considering sending American adults a check to help stimulate the economy. The email asks recipients to verify their email account through a malicious link that directs them to a phishing page.

Another campaign discovered by Proofpoint claims to be sent by a major Australian newspaper and uses the subject line “Government announces increased tax benefits in response to the Coronavirus” in its emails. However, the message contains a PDF attachment with an embedded URL that leads to a OneDrive credential phishing page.

Proofpoint also observed a small email campaign that targets technology and IT organizations with the subject line “COVID 19 : Relief Compensation”. The campaign claims to come from the WHO and IMF and says the recipient has “been randomly selected to be compensated financially due to the outbreak of the COVID-19 Epidemic outbreak”. Once again though, the email contains a malicious Microsoft Excel branded attachment that steals users' emails and passwords.

Credit card attacks

In addition to the other campaigns Proofpoint discovered, the cybersecurity firm also found two that try and steal users' credit card numbers.

The first one is a small email campaign that tries to steal user IDs, passwords and credit card numbers. It targets information security and technology organizations with the subject line “Claim Your Covid-19 Cash”. To help increase its credibility, the campaign claims to come from a major US credit card company and promises to waive late fees and issue a credit of up to $5,000. The emails sent in the campaign also contain a “Claim Now” link that takes recipients to a spoofed page for the credit card company that attempts to steal their ID, password, email credit card and other details.

The second email campaign is much larger and primarily targets the manufacturing, technology and transportation industries as well as healthcare, aerospace, retail, energy, business services and hospitality companies. The campaign claims to be from a major UK bank with global customers and also spoofs their branding. The emails sent out by the cybercriminals behind it have a subject line which reads “COVID-19 Relief Measures : FINANCIAL SUPPORT WITH” and names the bank.

To trick users into clicking on a malicious link, the email offers 300 Singapore dollars and tells the recipient to “Start Here” to claim the money. However, the link then takes users to a spoofed page for the bank that asks for their name, address and credit card number.

In a blog post detailing these various campaigns, the Proofpoint Research Team explains that we will likely see the cybercriminals behind them continue to modify their strategies, saying:

“The ongoing shift to coronavirus-themed messages and campaigns is truly social engineering at scale and these recent payment-related lures underscore that threat actors are paying attention to new developments. We anticipate threat actors will continue modifying their strategies as the news surrounding COVID-19 shifts.”

Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.