To help those encountering economic hardship due to the coronavirus pandemic (COVID-19), President Trump and the U.S. Congress passed a $2 trillion stimulus package, known as the CARES Act. While the distribution timing of the direct payments may vary from area to area, the stimulus package takes effect the week of April 13, 2020.
Many Americans will benefit from a direct payment due to this legislation, but it is critically important that you understand the eligibility requirements, how the payments will be transmitted and the new COVID-19 scams cropping up.
Notably, scammers are taking this opportunity to confuse Americans about the payments, and potentially access their personal information through social engineering and phishing attempts.
The Internal Revenue Service (IRS) will not call you or email you about your stimulus payment. If you are contacted by someone claiming to be the IRS, hang up immediately and notify email@example.com.
How do I make sure I get my stimulus check?
- No action is needed for qualified individuals to receive the direct payment benefit. This is important because scammers will say otherwise.
How will the stimulus be received?
- The IRS will use the information you provided on your 2018 or 2019 tax filing to process your stimulus payment.
- So, if you registered to receive your tax refund via direct deposit, the bank account the IRS has on record is the account which your stimulus payment will be sent.
- If you were mailed your last tax refund, or did not include bank account information in your last filing, you will be mailed your stimulus check. Note: it may take weeks or months for mailed checks to be processed fully.
How are cybercriminals trying to trick you?
During this pandemic, cybercriminals began by targeting victims using realistic looking online messages that appeared to come from the Centers for Disease Control (CDC), World Health Organization (WHO) and even your company human resources team. Then, these scams evolved to include COVID-19 insurance, recent air and hotel travel alerts and Health and Human Services malicious map application online messages.
Now, there are new types of coronavirus-related phishing attacks, specifically surrounding economic stimulus checks.
It’s important to be mindful of messages like the above that are looking to upload malware to your device, or to gain access to your device or system login credentials. Key signs that the above is a phishing email are explained below:
- Never trust a message you didn’t request – The sender’s email address appears to be from a well-known credit card company. However, it is actually a fake email address not affiliated with the company.
- Be wary of who is really sending a message – The email is not addressed to an actual recipient and instead to “Valued Member,” which is a red flag.
- Think before you click – When you mouse over a link (without clicking), it should reflect a real URL for an actual webpage vs. a fraudulent source:
- If it seems too good to be true, it probably is – The email promises double the amount of the expected stimulus payment
- Any sense of urgency is suspicious – In this email, it states an urgent 48-hour notice to take advantage of the offer because the scammers hope for a quick—and impulsive—reply.
- Don’t trust caller ID –Be wary of providing any personal or financial data in response to unsolicited online messages and phone calls. You don’t know who might be on the other end.
- Mobile phone threats – Malicious text messages‡ are circulating, many of which are promising to track the spread of coronavirus in real time, or may suggest you need to do something to receive your stimulus payment. Do not click these messages. If you do, scammers could listen to you through your microphone, watch you through your smartphone camera and read your personal messages.
During this already challenging time, it’s very important to protect yourself and do your research before clicking links in messages – especially related to COVID-19, the stimulus relief package, charitable donations, product purchases or anything that asks for your personal data.
United States Attorney General William Barr has asked the public to report COVID-19 fraud to the National Center for Disaster Fraud at firstname.lastname@example.org.
For more information, visit:
- UMB and the CARES Act: a brief summary
- White House, CDC and FEMA COVID-19 update page‡
- Staying ahead of COVID-19 financial scams‡
This article was also featured in AZ Big Media‡. Stay up-to-date on UMB’s approach to information security by visiting our website.
When you click links marked with the “‡” symbol, you will leave UMB’s website and go to websites that are not controlled by or affiliated with UMB. We have provided these links for your convenience. However, we do not endorse or guarantee any products or services you may view on other sites. Other websites may not follow the same privacy policies and security procedures that UMB does, so please review their policies and procedures carefully.