Stimulus checks to help Americans weather the COVID-19 pandemic are quickly becoming a favorite target of scammers, who see the newly rolled out funds as an easy way to profit during the ongoing crisis.
The Internal Revenue Service (IRS) said Friday that the economic impact payments – up to $1,200 for individuals and $2,400 for married couples, along with $500 per child for those eligible – had reached over 88 million Americans during the past three weeks.
The agency has set up a website to enable Americans to claim and track their stimulus checks, and will mail or directly deposit the payments.
But the influx of funds being made available to those hurting during the economic slowdown caused by the pandemic has brought with it a wave of malicious scammers looking to cash in.
Many of these involve websites set up to either look like the IRS or banks, with hackers trying to trick individuals into disclosing their financial information.
IBM is among the cybersecurity and software groups tracking the spike in scams directed at gaining access to these payments, which often involve phishing emails that trick individuals into clicking on links to the fake websites.
A report released by IBM this week found a 6,000 percent increase in spam emails related to COVID-19 since early March, with many of these emails aimed at stealing the IRS checks. Examples included emails that seemed to be from Wells Fargo or American Express that prompted an individual to input login information for their accounts.
Ashkan Vila, a threat researcher with IBM X-Force, told The Hill that the efforts to impersonate financial institutions showed “additional effort” by hackers to target the relief funds.
“Before the COVID-19 pandemic, we were seeing spam campaigns that didn’t have much of a theme or focus and trying to lure as many people as possible,” Vila said. “Now, the pandemic has opened up a larger opportunity for cybercriminals to capitalize on people’s fears and uncertainty, and their desire for information on COVID-19 as things are rapidly changing.”
Software group Check Point said this week it had seen over 4,000 new websites related to the stimulus checks created since January. The company classified many of the domains as “malicious” and warned that individuals that visited them risked having payment information stolen.
Another study out this week from software company INKY identified a scam that created a website designed to trick individuals into thinking they could claim their government stimulus funds.
Dave Baggett, the CEO and co-founder of INKY, told The Hill that this website was likely put together by professional website designers to look as real as possible, a prospect he described as “terrifying.”
“This was the first one we saw that was quite this elaborate,” Baggett said. “I bet you, actually, this site is better looking than the real one.”
The IRS is aware of the potential for hackers to see the stimulus funds as easy prey. The agency pushed out an alert earlier this month warning Americans to be on their guard against malicious calls, texts, emails and social media posts that requested financial or other personal information.
“The IRS isn’t going to call you asking to verify or provide your financial information so you can get an economic impact payment or your refund faster,” IRS Commissioner Chuck Rettig said in a statement released with the alert. “That also applies to surprise emails that appear to be coming from the IRS. Remember, don’t open them or click on attachments or links. Go to IRS.gov for the most up-to-date information.”
The Justice Department has also taken notice of the surge in COVID-19 related websites, announcing this week that it had notified domain hosts of “hundreds” of websites attempting to scam Americans.
Among these websites were those related to the stimulus payments, with the FBI identifying a number of domains meant to resemble the real IRS website for tracking and requesting the payments.
Officials on Capitol Hill have also begun to take notice of the scams targeting the stimulus checks.
A group of Democratic senators on Friday sent a letter to the IRS urging it to strengthen its protections against fraud, highlighting the dangers of “criminals impersonating the IRS or suggesting that they can help get individuals their stimulus payments faster.”
“Properly authenticating Americans’ information is critical to ensuring that stimulus payments are not stolen from their intended recipients,” Democratic Sens. Maggie Hassan (N.H.), Tom Carper (Del.), and Ron Wyden (Ore.) wrote.
Sen. Chuck Grassley (R-Iowa) wrote to the Treasury Inspector General for Tax Administration (TIGTA), which serves as the watchdog for the IRS, earlier this month highlighting his concerns with fraud involving the stimulus checks.
Grassley asked that the organization “take every reasonable effort to educate Americans about the ways in which scammers and fraudsters might try to cheat them out of their money and their benefits during this time of unprecedented need.”
According to USA Today, the IRS planned to update its “Get My Payment” tool on its website over Friday and Saturday to make “critical system updates.”
Baggett said that he believed government systems overall were being “strained” by Americans moving online to claim a variety of payments, such as those for small business loans, or to file for unemployment. This left the door open for scammers to trick individuals into using more polished websites.
“They don’t rely on everyone being fooled, they rely on just some being fooled,” Baggett said.
He recommended that Americans always verify who is sending an email to them, and that they search online for the real websites of organizations before disclosing any personal information.
Cybersecurity threats in general have spiked during the COVID-19 pandemic, including hackers targeting hospitals and other groups involved in fighting the virus. Baggett described this as creating an easy lure for hackers, and emphasized the need to step up the focus on cybersecurity.
“We probably won’t ever go into another new year without stockpiles of personal protective equipment, I hope we won’t go into another new year without the ability to send electronic payments to Americans securely,” Baggett said.