Cybercriminals have been taking advantage of the coronavirus outbreak with malware campaigns designed to trick people who are curious or anxious about the disease. One common mode of attack is the phishing email, which often spoofs legitimate companies and government agencies. A specific campaign spotted by INKY attempts to ensnare people who’ve been hurt economically by COVID-19. These emails claim to offer help on getting government funds but instead lead recipients to a web page that tries to capture their banking credentials.

SEE: Coronavirus: Critical IT policies and tools every business needs (TechRepublic Premium)

In a Friday report entitled “Exploting a Pandemic: Coronavirus Stimulus Package Economic Impact Payments,” INKY detailed the journey you would take if you fell for this particular scam. The initial phishing email claims to come from the Federal Reserve with a link promising payment under the Paycheck Protection Program, a real program from the Small Business Administration that provides loans to businesses impacted by COVID-19.

Clicking on the link takes you to a website with the domain name of, a name registered with Namecheap, a domain registrar known for its cheap prices. A button on the site proclaims: “Get Economic Impact Payment Now.” Clicking on that button triggers a dropdown menu with the names of well-known banks, such as Wells Fargo, Chase, Bank of America, and Citizens Bank.

Choosing your particular bank brings up a page with the bank’s actual logo prompting you to enter your account username and password. In response, the site tells you that you entered the wrong data. But behind the scenes, your banking credentials are now in the hands of the scammers.

Image: INKY

The scammers used HTML and CSS in a professional way to design a convincing phishing site, according to INKY. The dropdown menu of the banks, the bank logos, and the bank login pages all look legitimate. The scammers even took the FAQ from the real Economic Impact Payments site. All of the time and effort required to create this site was done to increase the odds of reeling in unsuspecting victims.

In its analysis, INKY found that Microsoft’s Office 365 Advanced Threat Protection (ATP) scans the initial phishing email and rewrites the link with to warn people about malicious URLs. But by itself, this may not be sufficient to prevent people from clicking on the link. As INKY points out, users would be better served if Microsoft ATP identified and blocked the email as a phishing attempt.

Image: Getty Images/iStockphoto