Cybercriminals used coronavirus relief for Phishing Campaign

October 17, 2020
coronavirus relief phishing campaign email

A genuine and rather heartless phishing campaign was just discovered by security researchers this week.

These cybercriminals saw an opportunity and targeted the Economic Stimulus checks from the Internal Revenue Services (IRS). These are the financial assistance payments for Americans during the Covid-19 pandemic.

Taxpaying Americans were paid a one-time $1,200 check. At the same time, those on Social Security or missed their tax-filings are instructed to register before the third week of November to get their corresponding financial assistance checks. These notices were provided via standard mail and electronic mail (E-mail).

According to security researchers, these e-mails provided the gateway for cybercriminals to do their thing. They immediately went to work and spoofed the e-mail about Covid-19 relief funds from the IRS. The e-mails were laced with a malware payload designed to harvest user data. Users are lured into thinking that it’s an actual e-mail coming from the Internal Revenue Services (IRS) about the Covid-19 financial assistance checks. Once clicked, an attachment redirects the user to a Sharepoint form, instructing them to complete all the required information (e-mail account details, social security information, driver’s license numbers, including tax identification).

Upon closer inspection, security researchers were able to determine the mystery of how these phishing e-mails got past security checks, including Office 365 security protocols. It’s because they were different from the usual phishing attacks. They used a legitimate Sharepoint form and page immediately authenticated by Office 365 and other security filters. It was also identified that the form came from a compromised employee user account from the RMACT (Reproductive Medicine Associates of Connecticut). Microsoft’s Form immediately eased out any worries from the users that it might have been a scam.

It was also notable in a ridiculous manner that the threat actors even placed a warning at the bottom of the page, saying – Please do not share your passwords or any personal information.

Of course, let’s not forget the most reassuring trigger of the hackers’ legitimacy and authority, the IRS. Combined with Covid-19 and essential updates on their stimulus checks, the IRS makes for an almost perfect and convincing package for the recipients. This gave them some sort of sense of security that the message was indeed accurate and was intended solely for them.


There were some minor setbacks, though. Some of the phishing campaign e-mails have obvious grammatical, spelling, and even punctuation errors.


These were observed by other users and the security researchers as well.

But then again, users anxious to get their stimulus packages are the most likely to fall victim first to this phishing campaign.

Researchers have always sent out warnings and advisories when it comes to these kinds of attacks. To avoid becoming a victim, set up additional security layers like 2FA (two-factor authentication). It doesn’t hurt to confirm from the sender or other people regarding the legitimacy of the information you receive. The above statement is essential, especially when it comes to money. It always helps to be extra vigilant.

About the author

Leave a Reply