Stimulus check scam can steal your info — avoid this now

(Image credit: Getty Images)

You've probably heard that there are millions of Americans who haven't yet received their coronavirus-crisis stimulus checks. Perhaps you're one of those people, in which case you need to fill out a form on the IRS website to get the money. 

But don't be fooled by a new phishing scam that pretends to contain important news from the IRS. It's really just trying to steal your password, Social Security number and other sensitive personal information.

Instead, please read our story explaining why up to 9 million people still have stimulus checks due. And here's the real link to the IRS form you need to fill out by Nov. 21 to get the money.

How the stimulus scam works

This news of the stimulus-check phishing scam comes to us from information-security firm Armorblox, whose co-founder Chetan Anand laid out the details in a company blog post yesterday (Oct. 7).

"The email language and context included multiple emotional triggers to induce the required response from victims," Anand wrote. "The email subject was 'IRS Covid Relief Fund Update' and the sender name was 'IRS Covid Relief Funds,' both very specific and related to topics that elicit quick actions from victims. Invoking the IRS is also an 'authority' trigger that will prompt quicker action from some."

The email message invites you to click on a link to "log in to the secure Message Center to review ... an important update on your Covid relief fund." 

That links takes you to a phishing page hosted from a genuine account on SharePoint, Microsoft's online document-collaboration platform.

"The SharePoint account belonged to an employee of the Reproductive Medicine Associates of Connecticut (RMACT)," Anand explained. "Adversaries likely compromised the employee's account and exploited their SharePoint account for the IRS COVID relief phishing attack."

The phishing page was labeled "Microsoft Online Irs [sic] Covid Relief Funds Form" and contained fields in which you were supposed to fill out your email address, the password to your email account, your Social Security number and taxpayer ID (often the same thing), your date of birth, your driver's-license number and finally your full name. 

One-stop identity theft

Taken all together, that information is more than enough to hijack your email account, take over other online accounts, open other accounts in your name, and even completely steal your identity.

The Armorblox blog post doesn't say whether the phishing page has been taken down, or whether the legitimate owner of the compromised SharePoint account had been notified. 

In any case, the phishing emails arrived just last week and millions of people are still waiting for their stimulus checks, so you can bet the crooks behind this scam are still trying to lure you in.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.