A phishing campaign has been identified that uses spoofed unemployment benefits websites to trick people into disclosing sensitive personal and financial information. These websites have been designed to closely resemble official U.S. government websites that are used to apply for unemployment benefits.

Individuals arriving on the websites are prompted to enter personal and financial information as part of the claims process. The information provided can be used by the scammers to file fraudulent unemployment benefits claims and have payments directed to their accounts. The credentials and information harvested through the sites can also be used or sold to other cybercriminals to commit identity theft and fraud, with some of the sites used for installing malware onto victims’ devices, including ransomware.

The U.S. Federal Bureau of Investigation (FBI) has received an increased number of complaints about these scams through its Internet Crime Complaints Center in recent weeks, prompting the FBI to issue an alert about the scams. At the time of issuing the alert, the FBI had identified 385 domains hosted on the same IP address, 8 of which impersonated official government websites that host unemployment benefit platforms. Those sites have an .xyz top-level domain (TLD) rather than .gov, and mostly impersonate state-level websites.

The malicious websites include employ-nv[.]xyz, gov2go[.]xyz, illiform-gov[.]xyz, mary-landgov[.]xyz, and newstate-nm[.]xyz, which were all still active at the time of the alert, along with employ-wiscon[.]xyz, marylandgov[.]xyz, and newstatenm[.]xyz which are no longer active.

Campaigns such as this are nothing new, but the number of complaints received about the scams is increasing, as are the number of reported cases of identity theft. Figures from the U.S. Federal Trade Commission show identity theft reports doubled between 2019 and 2020, with more than 1.4 million reports received last year.

Several steps can be taken to avoid becoming a victim of these scams. It is important to exercise caution when visiting any website and ensure that the spelling of the web address is correct, and the website has a .gov TLD. The U.S. government does not use .xyx TLDs on its websites.

Anti-Phishing Demo
Protect your MSP clients with the newest zero-day threat protection and intelligence against anti-phishing, business email compromise and zero-day attacks with PhishTitan.
Free Demo

While the padlock icon next to a URL is a sign that the site has an SSL certificate and the connection between the website and the browser is secure, it does not indicate the website is genuine. Cybercriminals often obtain SSL certificates for their websites to make them appear to be legitimate. The padlock should be present before any sensitive data is disclosed to avoid interception of that information, but other checks should be performed to make sure the site is genuine.

Malware downloads can be blocked by using antivirus software, which should be set to update automatically. Any security updates should be applied promptly, and browsers and plugins regularly updated to the latest version. To prevent stolen credentials from being used to access accounts, multi-factor authentication should be implemented and strong passwords should be set on accounts.

It is important to stop and think before taking any action suggested on a website or in an email. In the case of the latter, never open attachments in emails or click links to websites in messages from unknown individuals. Even if an email appears to have been sent by a trusted individual, checks should be performed on the email header information, especially in unsolicited messages.

Many of these campaigns target individuals, but employees are often targeted in phishing attacks that seek email credentials and other sensitive business information. In addition to providing security awareness training to the workforce and implementing an advanced email security solution such as SpamTitan, businesses should consider implementing a web filter.

WebTitan is a powerful DNS-based web filtering solution that is used by many businesses and Managed Service Providers to improve Internet security. Web filters are used to control the content that users can access over wired and wireless networks. They block attempts to visit known malicious websites, can be configured to block access to risky categories of websites, and also block malware downloads. They serve as an important extra layer of security to block phishing attacks and provide greater protection than email security solutions alone.

If you want to improve protection against phishing and web-based attacks, give the TitanHQ team a call today to find out more about SpamTitan Email Security and WebTitan Web Filtering.

If you already have email and web security solutions in place, you might be surprised to find out that you can get the same or better protection and a much-reduced price with TitanHQ solutions.