Financial Payment Scams

Garden State Cyber Threat Highlight

Original Release Date: 1/21/2021


Millions of people continue to seek financial payments as a result of the ongoing pandemic and the upcoming tax season. Threat actors take advantage of these opportunities to employ social engineering tactics through phishing, vishing, and SMiShing campaigns in attempts to convince users to divulge sensitive information. This information can be subsequently used in fraudulent activity and financial payment scams, such as unemployment benefit scams, economic impact (or stimulus) payment scams, and tax refund payment scams. We provide examples and recommendations to educate users on these continuing threats and tactics in order to reduce victimization.

Unemployment Benefit Scams

Financially motivated threat actors are attempting to engage in fraudulent activity via phishing emails, fraudulent or spoofed websites, and robocalls. They use these attack vectors to target the unemployed in order to steal their identities and intercept their unemployment benefit payments during the identification verification process, application filing, or information updates. The NJCCIC continues to receive reports regarding unemployment fraud. For example, a victim’s information was used to submit a fraudulent claim. Fraudulent claims for unemployment benefits reportedly accounted for almost 40 percent of new applications in some states. This threat is also expected to grow as the pandemic continues and unemployment benefits may be extended and/or increased.

Economic Impact (or Stimulus) Payment Scams

As a result of the pandemic over the past year, the Internal Revenue Service (IRS) and the Treasury Department distributed rounds of economic impact (or stimulus) payments, and threat actors are trying to cash in. Through email, text messages, and robocalls, threat actors are claiming that individuals need to provide personal or financial account information and/or pay processing fees to receive the stimulus payments. Messages may include language such as “Further action is required to accept this payment into your account. Continue here to accept this payment…” and include a link that directs users to a fraudulent website to capture sensitive information. In fact, eligible users do not need to take any action to receive their stimulus payments and can track their economic impact payment status on the official IRS Get My Payment website.

Tax Refund Payment Scams

Tax season is approaching, and threat actors seek to target individuals’ W-2 information and personally identifiable information (PII), such as Social Security numbers, dates of birth, bank account or credit card numbers, and driver’s license numbers. Threat actors then use this information to file fraudulent tax returns electronically, typically claiming a low income with high deductions to maximize the amount of the tax refund payment. W-2 email phishing scams are another example, in which threat actors impersonate a CEO or other executive and email payroll or human resources to request W-2 information. The threat actors will then use this information to file fraudulent tax returns or sell the data online. Threat actors will also send phishing emails that purport to let recipients track the status of tax refunds. These emails contain links that, if clicked, direct users to spoofed IRS websites to collect sensitive information or install malware. Instead, users can track their IRS refund status on the official IRS Where’s My Refund website. The IRS will never contact individuals by email, text message, or phone to solicit information or money. Instead, the IRS communicates through postal mail.
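A payroll or human resources mailbox can be screened for the W-2 impersonation pattern described above. The following is an added example, not NJCCIC code: it flags messages that ask for W-2 data while the sender details do not match the organization. The domain `example.org`, the executive names, and both sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed values for illustration; none of these come from the advisory.
ORG_DOMAIN = "example.org"
EXECUTIVES = {"pat rivera", "sam okafor"}   # hypothetical executive names
W2_PATTERN = re.compile(r"\bw-?2s?\b|wage and tax statement", re.I)

def domain_of(header_value):
    """Lower-cased domain of the address in a From or Reply-To header."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def body_text(msg):
    """Concatenate the decoded text/plain parts of a message."""
    parts = (p for p in msg.walk() if p.get_content_type() == "text/plain")
    return "\n".join((p.get_payload(decode=True) or b"").decode("utf-8", "replace")
                     for p in parts)

def w2_request_findings(raw_message):
    """Return sender mismatches on a message that asks for W-2 data."""
    msg = message_from_string(raw_message)
    if not W2_PATTERN.search(f"{msg.get('Subject', '')}\n{body_text(msg)}"):
        return []                            # not a W-2 request
    display_name, _ = parseaddr(msg.get("From", ""))
    from_domain = domain_of(msg.get("From"))
    reply_domain = domain_of(msg.get("Reply-To"))
    findings = []
    if display_name.strip().lower() in EXECUTIVES and from_domain != ORG_DOMAIN:
        findings.append("executive display name on external address")
    if reply_domain and reply_domain != from_domain:
        findings.append("Reply-To domain differs from From domain")
    return findings

# Constructed sample messages (not real mail).
SPOOFED = ('From: "Pat Rivera" <pat.rivera@example-org.test>\n'
           "Reply-To: ceo.office@mailbox.test\n"
           "To: payroll@example.org\n"
           "Subject: Urgent request\n\n"
           "Please send me all employee W-2 forms for 2020 today.\n")
LEGIT = ('From: "Pat Rivera" <pat.rivera@example.org>\n'
         "To: payroll@example.org\n"
         "Subject: W-2 schedule\n\n"
         "When will W-2 forms be mailed to staff?\n")

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(name, w2_request_findings(raw))
```

A non-empty result is a prompt to confirm the request through a separate channel before any W-2 data is sent, not proof of fraud on its own.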

Recommendations

The NJCCIC recommends users practice good cyber hygiene to protect their personal and financial information.

  • Use unique, complex passwords for all accounts. Unique passwords for each account prevent password reuse attacks, in which threat actors obtain your password for one account and use it to compromise an additional account using the same credentials.
  • Enable multi-factor authentication (MFA) where available. MFA is the use of two or more factors to authenticate to an account or service. This significantly reduces the risk of account compromise via credential theft in which your password has been exposed. Even if a threat actor obtains a user’s username and password, they will be unable to access that user’s account without their second factor. The NJCCIC encourages users to choose authentication apps, hardware tokens, or biometrics as a second factor over SMS-based authentication due to the risk of SIM-swapping, though using any form of MFA is beneficial. The website TwoFactorAuth.org maintains a comprehensive list of websites that offer MFA.
  • Refrain from sharing login credentials or other sensitive information. Login credentials and other sensitive information should not be shared with anyone or saved on your computer or other platforms.
  • Exercise caution with communications. Before providing sensitive information, confirm the legitimacy of the message or request via a separate means of communication (such as telephone) obtained directly from official websites or welcome emails.
  • Navigate directly to websites. Navigate directly to authentic or official websites by typing the legitimate URL into the browser instead of clicking on links in messages, and refrain from entering login credentials on websites visited via links delivered in messages.
  • Use secure websites. When sharing personal or financial information, ensure you are using verified, secure, and encrypted websites.
  • Update passwords immediately following a data breach or potential compromise. Use a resource, such as haveibeenpwned.com, to determine if your information, such as an account password, has been revealed in a public data breach. Change an exposed password on every account that uses it to protect against account compromise.
  • Keep devices up to date. Stay informed about publicly-disclosed vulnerabilities and update devices—including firmware—to the latest version to ensure they are patched against known vulnerabilities that could be exploited by threat actors to gain unauthorized access to your device and/or data. If a device is unable to receive updates from the vendor, consider not purchasing or discontinuing use of the device.
  • Secure physical devices. Safeguard devices and ensure a password/passcode is enabled for all devices to prevent unauthorized access in the event a device is lost or stolen, or a USB or other external device is inserted.
  • Check privacy and security settings. Checking these settings will help manage your cyber risk and limit how and with whom you share information. This will help safeguard information or resources if an unauthorized user gains access. 
  • Back up devices. Protect your information from malware, hardware failure, damage, loss, or theft by making multiple copies and storing them offline.
  • Invest in security awareness training. Invest the time, money, and resources to ensure users understand risks, the latest cyber threats, and best practices. 
  • Review accounts and report suspicious activity. 
    • Review account transactions and activity and report any suspicious activity, identity theft, and/or fraud to your financial institution, local police department, and/or the Federal Trade Commission (FTC).
    • Report unemployment fraud if there is suspicion that someone is claiming NJ unemployment benefits illegally.
    • Cyber-related incidents may be reported to the NJCCIC via the Cyber Incident Report form.

      New Jersey Cybersecurity & Communications Integration Cell

      2 Schwarzkopf Dr, Ewing Township, NJ 08628

      njccic@cyber.nj.gov