Stimulus check and Covid vaccine scams running rampant — what to look for

Stimulus check coronavirus
(Image credit: Shutterstock)

Scammers are using media coverage of stimulus checks and COVID-19 vaccines to gain access to bank and email accounts, two new reports say.

A report from Virginia-based email-security firm Cofense details an elaborate scam that impersonates the IRS in an effort to install the Dridex banking Trojan on your PC. The lure is the Biden stimulus bill that just starting putting $1,400 checks in people's bank accounts.

Meanwhile, Boston-area email-security firm GreatHorn says that phishing campaigns with the word "vaccine" in the subject doubled from January to March. It gives the example of a generic phishing email as something to watch out for.

Such malignant efforts should serve as reminders that you should be very wary of offers or news delivered via email, social media or instant messages, especially if the offer seems too good to be true.

$4,000, free meals and jumping the vaccine line

The Cofense example certainly fits the "too good" bill. The email message, titled "President's Rescue Plan Paper," promises you a "$4,000 stimulus check" from the IRS as well as an increase in the minimum wage, an ability to skip the queue for vaccinations and "free meals." 

It references the real American Rescue Plan Act and cheerily signs off with the words, "With concern for America's future, US FEDERAL GOVERNMENT."

All you have to do is fill out a form online, which you can do by clicking a button in the body of the email message.

Click that button, though, and you'll end up downloading an Excel spreadsheet, which looks like an application form. But you can't actually write in the form just yet — a dialogue box appears instructing you to "Click 'Enable content' for review."

Oh, you really shouldn't do that. "Enable content" unlocks hidden macros in the Excel spreadsheet, which in turn abuse built-in Windows processes to download and install the Dridex banking Trojan. That's a piece of malware designed to, among other things, get into your online bank accounts and clean it out.

Eagle-eyed email recipients may be wise to this scheme if they look at the sending email address: "". That's got a numeral "1" where the "L" should be in "federal," and a lower-case letter "L" where the "I" should be in "IRS." 

If you've been following our excellent stimulus-check coverage here on Tom's Guide, you'll know that the real stimulus checks are for $1,400 per person, not $4,000; that the minimum-wage provision did not make it into the final bill; and that the American Rescue Plan Act can't guarantee you a better place in the vaccine line or get you a free meal.

Fake information about vaccinations and tests

GreatHorn's example of a vaccine-related phishing email isn't the real thing, but a generic approximation of what you can expect to see. The example starts off by promising information about "Covid-19 Vaccination and Testing" in the form of a linked PDF. 

Click the links, and you're taken to what looks like a Microsoft Office 365 login window — except it really isn't. The login windows is meant to steal your Microsoft login credentials, giving the crooks access to your Microsoft account. 

In a bit of security theater, the login window even has you do one of those "click on the image containing a car" puzzles to prove you're a human being and not a computer algorithm.

But by that point, the damage will have been done. As you try to figure which images contain a car, a mountain or a traffic light, the bad guys will be breaking into your accounts and reading your email.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.