Attackers used a phishing campaign to lure people to a fake website impersonating a German state’s coronavirus relief funding website. Up to 100 million euros could have been lost by the German state of North Rhine-Westphalia (NRW) in this classic phishing attack.
How Did it Happen
The German state of NRW built a website to distribute coronavirus relief funding. However, unlike other German states that required proof of identity before making funding payments, the NRW did not do this.
Some German states who have created similar websites, have asked users to download a form and mail it in with documents to prove their identity. Other states have asked users to upload scanned documents to their website to prove their identity. The NRW website, on the other hand, was just asking users to complete an online form requesting funding relief.
Consequently, cybercriminals created websites mimicking the official website, which was setup by NRW’s Ministry of Economic Affairs to distribute Covid19 financial aid. Next, cybercriminals sent out phishing emails impersonating the Ministry of Economic Affairs, providing fake links for requesting financial aid. These links connected to the cybercriminals’ fake websites where they collected locals’ details. These details were then used by the attackers to file for government aid on behalf of the real users. However, the bank account details were swapped from the real users’ account details to that of the attackers.
How Much Money was Stolen?
German TV station Tagesschau reported on Wednesday that two phishing websites were involved in the phishing campaign. One of these two phishing websites was wirtschaft-nrw.info. The attack lasted from mid-March to April 9, when NRW took down its website and stopped payments.
Tagesschau also reported that between 3,500 and 4,000 fraudulent requests had been made. To help counter disruptions faced by businesses due to the pandemic, payments were being made by the NRW government ranging from €9,000 for self-employed individuals to 25,000 for companies. Consequently, the NRW government is likely to have lost between € 31.5 million to € 100 million.
Nonetheless, the NRW government re-enabled its coronavirus emergency funding website over the weekend. However, it has stated that going forward payments will only be made to individuals where their bank account number matches the account number on their last tax return.
Not the First and Certainly not the Last
The attack involving the NRW government is just the latest in a long list of such scams that have spread since the pandemic began. Coronavirus scams have taken many forms. They have taken advantage of people’s compassion and have involved fake news and advertising scams, for example.
As always, people are warned to look out for suspicious unsolicited emails. Things to look out for when deciding whether an email is legitimate or not are:
- The message is sent from a public email domain – no legitimate organization would use a gmail account, for example
- The domain name is misspelt – in the NRW scam the domain name used was wirtschaft-nrw whereas the real domain name is wirtschaft.nrw
- The email is poorly written and has spelling and grammatical errors
- The email includes suspicious attachments or links
- The message creates a sense of urgency
If in doubt, do not click on any links. Go to the organization’s official website by searching for them on the internet. Then contact the organization through their website. For more information on phishing scams, see information provided on this site under this link.