Cybersecurity experts warn of scams targeting coronavirus stimulus checks

Cybercriminals are already looking for ways to steal government assistance designed to help those struggling because of the COVID-19 pandemic.

Coronavirus: Hackers are exploiting the COVID-19 outbreak to steal your information
5:59

Millions of Americans and businesses rejoiced when the $2 trillion Coronavirus Aid, Relief, and Economic Security Act was signed into law March 18. The law is part of a larger effort by the US government to help people and businesses that have been harmed by efforts to stop the spread of the coronavirus pandemic. 

One of the most notable and well-publicized parts of the law are the "stimulus checks" that will be coming to average Americans. According to the IRS, tax filers with adjusted gross income up to $75,000 for individuals and up to $150,000 for married couples filing joint returns will automatically receive an economic impact payment of up to $1,200 for individuals or $2,400 for married couples, and up to $500 for each qualifying child. 

For anyone with income above those amounts, the payment amount is reduced by $5 for each $100 above the $75,000/$150,000 thresholds, and single filers with income exceeding $99,000 and $198,000 for joint filers with no children are not eligible. Social Security recipients and railroad retirees who are otherwise not required to file a tax return are also eligible and will not be required to file a return. 

While this move by the government was lauded by many, cybersecurity experts noticed that almost immediately, cybercriminals kickstarted efforts to either steal the money coming to people or set up scams using potential stimulus checks as ways to steal people's information. 

"Everyone is covering it extensively, saying 'you're gonna get money!' but a lot of folks haven't informed themselves as to what that mechanism for getting that money looks like," said Logan Kipp, director of sales engineering at cybersecurity company SiteLock.

"As a result, you have a lot of people who are very vulnerable to attacks in this vector. You're seeing targeted phishing, widespread phishing scams over text, over email, and we're seeing random phone calls from those overseas call centers. It's widespread, and it's across basically every communication spectrum or medium. They're trying to specifically target those that are most vulnerable, which typically are the elderly population."

SEE: Secure your data with two-factor authentication (free PDF) (TechRepublic) 

Kipp added that these scams will be effective because of the dire financial straits many people are in right now due to the state of the economy. 

"So much of the population is worried and may not be acting 100% rationally. It's in situations like these where we find ourselves vulnerable to making mistakes," he said. 

Stimulus scams will resemble tax scams

Millions were thrown into extreme financial distress because of the coronavirus pandemic, which essentially shut down the travel and hotel industries while crippling restaurants and other businesses that require in-person contact. Even companies not involved in those industries have been forced to furlough or lay off millions of workers, leaving many in desperate need for financial help. 

A number of cybersecurity experts said the scams will resemble the typical IRS and tax season scams that have become increasingly common over the past decade. 

Criminals have long sought to steal tax returns and other government assistance through a variety of methods, but with the coronavirus pandemic putting millions in financially stressful situations, people are particularly susceptible to falling for a variety of scams designed to lure people into either handing over personal information or gaining access to bank accounts. 

The IRS, FBI, and other government agencies have already put out notices warning people to be on the lookout for schemes designed to steal their money.

IntSights cyber threat analyst Charity Wright and chief security officer Etay Maor both said people should be ready for stimulus check-related scams in the coming weeks and months. 

"It's going to look a lot like normal tax season phishing emails and watering hole campaigns where they set up fake websites to try to get people to input their bank information or to look like the IRS website. They'll say things like 'update your direct deposit information here' and then try to reroute those funds," Wright said. 

Maor noted that many people are getting communications from the government right now because it also happens to be tax season and the 2020 Census is being held as well.

SEE: COVID-19 demonstrates the need for disaster recovery and business continuity plans (TechRepublic Premium)

With the deluge of government-related content coming people's way, Maor said he wouldn't be surprised if these kinds of scams come in through the physical mail as well as in emails. 

"I'm going to be surprised if they don't start talking about this. I've talked to one financial company, and I know there are now scams especially because it's still tax season. There are already all kinds of W2 scams going on right now, so I'd be surprised if we don't see stuff like this starting to happen," Maor said.

Abnormal Security recently explained the scams in greater detail in a blog post, writing that cybercriminals are "impersonating a major financial institution claiming to have received the recipient's stimulus check, but needing the recipient to verify their account to release the funds. The attackers have created a full landing page to attempt to steal the recipient's banking credentials."

Most cybersecurity experts said it was unclear who or what kind of groups were behind these scams but it was clear that they were very successful.

Ken Liao, vice president of cybersecurity strategy for Abnormal Security, said criminals continue to use tax and W2 scams year after year because they do manage to find victims who fall for the attacks. The stimulus check scams bring on an additional level of engagement because so many people have a time critical need for the stimulus checks. Anytime you introduce a sense of urgency, we let our guard down, he said.

"The goal of these attacks isn't necessarily to steal or intercept the stimulus checks. Threat actors are leveraging the expected arrival of the checks to send their attacks. The goals that we've seen include credential phishing, impersonated email from your bank asking for account verification before the stimulus check can be processed," Liao said in an interview.

"If the attackers are successful at stealing your credentials, they have direct access to financial accounts. Attackers may also go after personal information by claiming that you can get your money faster if you provide additional forms for identification such as Social Security numbers." 

How to keep safe

The key thing every expert said people should be aware of is that the IRS will almost never contact you directly about the stimulus checks. On March 30, the Treasury Department and the Internal Revenue Service announced that "distribution of economic impact payments will begin in the next three weeks and will be distributed automatically, with no action required for most people."

Because of this, Kipp said people should never give out personal information. While it may seem obvious not to give out sensitive information like Social Security numbers and bank account information, even basic information like emails and passwords can be valuable for cybercriminals looking for ways into your accounts.

"The fact of the matter is, the vast majority of people don't need to take any action at all. The IRS is going to be using information already on file, but if you're unsure that they have the correct information or if you think there may be some discrepancy anywhere, don't fall victim to these calls or emails. Just go to IRS.gov/coronavirus. They set up a page specifically for this in an effort to help protect citizens who are vulnerable to these scams," Kipp said.

"Every person should be taking it upon themselves to understand what phishing is and understand what it is they need to do if they have been compromised. For those that have already been compromised, you can go to identitytheft.gov, and there are a variety of pathways for recommended best steps for what you can do to help protect yourself going forward," he added, noting that website owners should also be wary that cybercriminals don't take control of their legitimate websites as well.

Also see

Coronavirus

Image: Getty Images/iStockphoto