IRS COVID-19 Relief Payment Deadlines Anchor Convincing Phish

covid-19 direct payment deadlines

The upcoming deadlines for applying for coronavirus relief are the lure for a phish that gets around email security gateways by using a legitimate SharePoint page for data-harvesting.

A credential-phishing email campaign is making the rounds, using the lure of coronavirus tax relief to scam people into giving up their personal information.

The data-harvesting cybercriminals are looking to take advantage of the Internal Revenue Service (IRS) deadlines that are approaching for consumers who haven’t received an Economic Impact Payment. While most Americans got their one-time $1,200 payment in the spring, those who don’t usually file tax returns (such as those on Social Security) weren’t automatically included in that payout. These individuals have until Nov. 21 to register for their assistance check. Meanwhile, taxpayers who requested an extension of time to file their 2019 tax return have a deadline of October 15.

The emails purport to contain an important document about COVID-19 relief funds from the IRS. Clicking the link in the email leads readers to a SharePoint form that they were told to complete before accessing the document, according to Chetan Anand, co-founder and architect at Armorblox.

Threatpost Webinar Promo Retail Security

Click to Register!

The SharePoint form asks for email credentials, Social Security numbers, driver license numbers and tax ID numbers.

The sneaky use of the SharePoint form as an interim step helped the emails get past email gateways, Anand noted, in a blog posted Wednesday.

“This email got past existing Office 365 email security controls because it didn’t follow the tenets of more traditional phishing attacks,” he wrote. “When victims clicked the link in the email, they were led to a SharePoint form that asked for email credentials along with a host of other personal information…Since the phishing link pointed to a legitimate SharePoint page, it got past any email security filters designed to block known bad domains. The familiar Microsoft branding on the page might also put victims’ minds at ease as they subconsciously buy into the legitimacy of the email. It’s worth noting the irony-laden footer asking people not to share passwords or give away personal information.”

The phishing page was in fact hosted on a compromised user’s SharePoint account, lending legitimacy. Closer inspection revealed that the SharePoint account belonged to an employee of the Reproductive Medicine Associates of Connecticut (RMACT).

The campaign, which hit multiple email inboxes in the Armorblox telemetry, also used better-than-average social engineering, Anand noted, with the email language and context including multiple emotional triggers.

For instance, the email subject line read “IRS Covid Relief Fund Update,” and the sender name was “IRS Covid Relief Funds.”

“Both [are] very specific and related to topics that elicit quick actions from victims,” the researcher wrote, noting that the use of the IRS is an “authority” trigger. “Discerning readers will stop short of sharing the wealth of personal information asked in this SharePoint form. However, given the context of the communication – IRS sharing COVID relief fund details – victims might rationalize the extent of personal information asked in the form.”

The email language also included urgency triggers by talking about “important updates,” and ends with a simple but effective request: asking victims to click the link if they want to view the document – this, along with the aforementioned boilerplate confidentiality footer, makes it seem more legitimate, according to Anand.

That’s not to say that the phish is perfect – as always, some red flags pop up.

“A closer look reveals some grammatical irregularities in the email, as well as a non-capitalized ‘Irs’ in the email sender name, both of which can be red flags to anyone who stops and reads the email closely,” he noted.

To avoid falling victim, users should remain vigilant, and be wary of entering any personal information – including Social Security numbers and the like – after clicking on a link in an email.

“Perform a second factor of authentication by calling or texting the email sender to confirm the requests are legitimate,” Anand pointed out. “Whenever possible, engage with emails related to money and data in a rational manner. Subject the email to an eye test that includes inspecting the sender name, sender email address, language within the email, and any logical inconsistencies within the email.”

On October 14 at 2 PM ET Get the latest information on the rising threats to retail e-commerce security and how to stop them. Register today for this FREE Threatpost webinar, “Retail Security: Magecart and the Rise of e-Commerce Threats.” Magecart and other threat actors are riding the rising wave of online retail usage and racking up big numbers of consumer victims. Find out how websites can avoid becoming the next compromise as we go into the holiday season. Join us Wednesday, Oct. 14, 2-3 PM ET for this LIVE webinar.

Suggested articles

It’s Not the Trump Sex Tape, It’s a RAT

Criminals are using the end of the Trump presidency to deliver a new remote-access trojan (RAT) variant disguised as a sex video of the outgoing POTUS, researchers report.