Published: August 10, 2021 in our Security Fraud News & Alerts Newsletter.
More money! Yes, the U.S. government has passed more legislation that makes the IRS our favorite government institution. The recently passed American Rescue Plan Act (ARPA) doles out more financial payments to families with children, and as a result, dozens or more malicious sites have been popping up to take advantage of the situation.
DomainTools reported that cybercriminals have created massive numbers of websites intended to get personal information out of unsuspecting people who qualify for the child tax credit payments within the ARPA. But don’t be fooled. Those payments are sent automatically from the IRS and do not require any sort of registration or signing up. They just appear for those who are eligible. Bam! More money, indeed!
DomainTools analyzed historical WHOIS data and open source intelligence and found that this specific scam, which harvests credentials, links back to a company called GoldenWaves Innovations in Nigeria.
The imposter websites go by a plethora of names and look exactly like, or very close to, government websites. They often have an “apply now” option for users to choose, but don’t do it. Remember, you don’t have to apply for this tax credit.
Information these sites ask for includes, but definitely is not limited to:
Social Security Numbers
Driver’s license photos
Mother’s maiden name
This scam will likely arrive in email, so keep those peepers wide open for phishing lures. Many of the websites were accessed from links in email messages. Remember, don’t click those. Often, the links to the sites were shortened using a service like bit.ly, which allowed these scoundrels to name the link something believable like “Unemployment Insurance Relief During COVID-19 Outbreak | American Rescue Plan Act.” If you hover your mouse pointer over a link and it shows that name, you can bet it’s not where you want to go. If you have a mobile device, you can check links by holding down on the link for a few seconds. It’ll show the link in its entirety, giving you the option not to follow it.
DomainTools has reported the suspect websites to Google Safe Browsing and hopefully, they will soon be blocked on all major browsers. Until then, DomainTools and other security experts recommend that users take the following actions, should a suspicious site appear:
Report it to Google Safe Browsing
Report it to your organization’s security team, sending the original email message as well
Don’t provide personal information on any site unless you are 100% certain it is secure, and in particular don’t provide it on a site for government-related information if its address doesn’t end in .gov.
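For a security team sorting through reported emails, the two link checks described above (is the link shortened, and does the destination really end in .gov) can be automated. The following Python is an added example, not code from DomainTools or this newsletter; the shortener list, the function names and the sample URLs are constructed assumptions.

```python
from urllib.parse import urlsplit

# Assumption: a short illustrative list of shorteners; bit.ly is the one named above.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}


def hostname(url):
    """Return the lowercased hostname, without port, userinfo or trailing dot."""
    host = urlsplit(url.strip()).hostname or ""
    return host.rstrip(".").lower()


def is_gov_host(host):
    """True only when the final DNS label is 'gov', not when 'gov' appears elsewhere."""
    labels = host.split(".")
    return len(labels) >= 2 and all(labels) and labels[-1] == "gov"


def triage_link(url):
    """Return the reasons to distrust a link taken from a reported email."""
    host = hostname(url)
    if not host:
        return ["no hostname: cannot tell where the link goes"]
    reasons = []
    if host in SHORTENERS:
        reasons.append("shortened link: real destination is hidden")
    elif not is_gov_host(host):
        reasons.append("destination does not end in .gov")
        # 'gov' used as a subdomain or hyphenated word imitates a real .gov address.
        if "gov" in host.replace("-", ".").split("."):
            reasons.append("lookalike: 'gov' is in the name but is not the ending")
    if urlsplit(url.strip()).scheme != "https":
        reasons.append("not HTTPS")
    return reasons


# Constructed sample links; none of these come from the DomainTools report.
SAMPLES = [
    "https://www.irs.gov/credits",
    "https://bit.ly/EXAMPLE",
    "https://irs.gov.claims-portal.example/apply",
    "http://irs-gov.example/apply",
    "https://www.irs.gov@refunds.example/",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(link, "->", triage_link(link) or "no flags")
```

A link with no flags has only passed these checks; a shortened link still has to be expanded before its destination can be judged.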