Messaging security for evolving threats

Watch Out for COVID-19 Stimulus Text Message Scams

As we head into 2021 we are continuing to see cybercriminals try and exploit the COVID-19 pandemic to trick victims into clicking on malicious content to steal user information and funds. Unfortunately, this social engineering trend also extends to text message scams that are attempting to cash in on peoples’ stress and worry as benefits from the original COVID-19 stimulus package expire at the end of December 2020—and as the new stimulus package rolls out.

In fact, this month the IRS issued an alert warning of a new text scam that lures potential victims into providing their bank account information by pretending to offer a $1,200 economic impact payment. We’ve also recently seen a significant increase in payday loans and holiday related fake brand mobile spam. To help mobile users identify stimulus-related scam attempts, below are some real-life examples and information on how to reduce risk.

Example #1: Emergency Relief Deposit

If a mobile user clicks on the URL above it leads to a fake payday loan website, which attempts to harvest your personal information.

Example #2: Stimulus Package Promise

If a mobile user clicks the link above they are taken to the landing page below, which again asks for their private information in exchange for a stimulus payment that will never come.

Example #3: Holiday-related Stimulus Scam

As with the previous examples, if a potential victim clicks on the URL above they are prompted to enter personal details. It’s important to note this type of attack has been used for years with payday loans and “homes for cash” scams. The lure however is new, designed to exploit financial distress linked to current events.

But enough of the bad news. Here are some steps you can take to steer clear of these text message scams.

1) Make sure you’re on the Do Not Call Registry. You may have signed up once but double-check. The Do Not Call Registry applies to text messages.

2) Use the spam reporting feature in your messaging client if it has one, or forward spam text messages to 7726.

3) Never click on links in text messages, no matter how realistic they look.

4) If you want to contact the purported vendor sending you a link, do so directly thru their website. For offer codes, type them directly into the site.

5) Do not respond to strange texts. Doing so will often confirm “you’re a real person” to future scammers.

6) Understand the IRS will never reach out to you directly via text message. If you receive a text message claiming to be from the IRS, it’s a scam. Be sure to capture the message with a screen shot and send it via email to phishing@irs.gov with details on the date/time/timezone when you received the message, the number that sent it, and the number that received it.

We urge mobile users to continue being vigilant for possible text scams. For more information on how to prevent stimulus-related fraud, please see our recent blog on Six Tips for COVID-19 Online Payment Fraud Prevention & Protection.