Phishing Campaigns Using Offer of Coronavirus Financial Relief as Lure

Governments around the world are developing financial relief packages to help citizens that have been unable to work due to the coronavirus and are facing extreme financial difficulties, and cybercriminals are taking advantage. Campaigns have been detected that use the offer of financial relief due to the coronavirus pandemic as a lure to trick people into disclosing sensitive information or installing malware.

Over the past few weeks, cybercrime activity has gone into overdrive. According to figures from Barracuda Networks, phishing attacks have increased by more than 600% since the end of February and Cloudflare reports that there has been a six-fold increase in online threats in the past month. Proofpoint has performed an analysis of the cybercrime landscape and reports that the 2019 Novel Coronavirus and COVID-19 now account for 80% of threats across the entire cybercrime landscape.

The latest social engineering lures offering financial relief leave a really bitter taste in the mouth. These campaigns target people who are experiencing incredible financial hardship. These phishing attacks impersonate government departments and financial institutions and use a combination of hyperlinks to malicious websites where credentials are harvested, malicious attachments that contain malware-downloading code, and links to websites where malicious files are downloaded.

Proofpoint intercepted emails that purport to be from payroll departments with the subject line of ‘General Payroll’. The campaign was geographically targeted on the United States and claims that President Trump is planning on helping U.S. workers by sending everyone a check for $1,000 to help stimulate the economy and help the millions of workers whose jobs have been disrupted by business closures due to the Coronavirus pandemic. Stimulus and financial relief packages such as that have been suggested as an option to help ease financial hardship so the lure may seem plausible to many individuals.

The intercepted email targets a higher education organization. The message appears to have been sent by the payroll department with the subject line: Re: General Payroll !.

All staff and students are told they need to verify their email account “for the new payroll directory and adjustment” to receive the March benefit payment. The link in the email is called “MARCH-BENEFIT” and directs the recipient to a phishing page where username, email address, and password are harvested.

A campaign has also been detected targeting Australians using a similarly themed lure that hides the phishing URL in a PDF file attached to the email. In that campaign, OneDrive credentials are sought. Similar campaigns have been detected targeting other countries.

The World Health Organization has been spoofed in many different COVID-19 phishing campaigns over the past three months with the emails offering information on new cases and advice on how to prevent infection. WHO is also now being spoofed in a coronavirus financial relief campaign, with the emails saying the recipient has been randomly selected to receive COVID-19 relief compensation. In this campaign the attackers seek OneDrive credentials.

It is unlikely that any government or organization would initiate contact with people via email in order to offer financial compensation. Any email received that offers compensation is likely to be fake and should be treated with extreme suspicion.

If a message is received offering COVID-19 compensation, visit the website of the organization or government department that the email purports to have been sent from to verify its authenticity. Never use the links or contact information supplied in the email. Navigate to the appropriate website directly by entering the correct URL in the browser.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of