Home / Industry

How to Avoid Phishing Campaigns Targeting CARES Act Recipients

Amid the spread of COVID-19, the world continues to suffer dire health and economic consequences. To help, national governments have released funds to support companies and laid-off employees. Instead of getting aid, however, some end up becoming the cybercrime victims of elaborated donation and financial typosquatting scams. Here are some examples of themed domain groups we found in our trackers recently.

Weathering the COVID-19 Crisis with the Help of the CARES Act

Apart from handing out stimulus checks to those affected by the pandemic, the U.S. federal government also sought to provide more aid to individuals and small businesses. On March 27 2020, the U.S. Congress passed the Coronavirus Aid, Relief, and Economic Security (CARES) Act.

This act involves releasing US$2.2 trillion for distribution to qualified recipients. One of the act’s most important directives is the Paycheck Protection Program (PPP), which aims to help small businesses continue paying their employees even as their establishments remain closed. Each company with less than 500 employees can secure a loan of up to US$10 million.

The amount of money that businesses can get hold of gained unwanted attention from cybercriminals, of course.

Rising Volume of CARES Act- and PPP-Related Domains

As with other coronavirus-related threats, cybercriminals immediately jumped on the CARES Act and PPP bandwagons as soon as the stimulus programs were launched. As early as March 30, a few days after the act was signed, we immediately saw a spike in the number of bulk domain registrations containing the term “cares” via Typosquatting Data Feed. And as you may already know, NRDs are likely hosts of malware and phishing pages. On March 30 only, the newly registered domains (NRDs) included:

  • caresactcompliance[.]biz
  • caresactcompliance[.]net
  • caresactcompliance[.]us
  • caresactloan[.]info
  • caresactloan[.]biz
  • caresactloan[.]site
  • caresactloan[.]online
  • caresloan[.]org
  • caresloan[.]biz
  • caresloan[.]app
  • caresloan[.]info

Details on the CARES Act are available on the U.S. Department of the Treasury website (https://home.treasury.gov/policy-issues/cares). That said, the 11 NRDs may have nothing official to do with the policy’s implementation. None of the domains were tagged “malicious” to date, and most remain parked. Still, it may be a good idea to avoid these and obtain information on how to avail of the package only via the official government website.

We also saw NRDs containing the term “paycheck” on the same day, which could figure in PPP-related attacks. These include:

  • paycheckprotectionloan[.]net
  • paycheckprotectionloan[.]info
  • paycheckprotectiongrant[.]com
  • paycheckprotection[.]org
  • paycheckprotection[.]law
  • paycheckprotectionact[.]org

While none are considered malicious to date, it’s best to err on the side of caution. More information on the PPP is best obtained from the official government website (https://home.treasury.gov/policy-issues/cares/assistance-for-small-businesses).

Other scams that may spread concerning the CARES Act implementation include those that involve domains containing the term “payroll.” Citizens who may be looking to avail of crisis subsidies could fall for ruses that use domains such as:

  • covidpayrollfunding[.]info
  • covidpayrollfunding[.]com
  • covidpayrollfunding[.]org
  • covidpayrollgrant[.]com
  • covidpayrollgrant[.]org
  • covidpayrollgrant[.]info
  • payrollprotectionloan[.]info
  • payrollprotectionloan[.]net
  • payrollprotectionloans[.]com
  • payrollprotectionloan[.]org
  • cwbpayrollfunding[.]org
  • cwbpayrollfunding[.]info
  • cwbpayrollfunding[.]com

Deeper dives into these domains using Threat Intelligence Platform (TIP) revealed that the following might have ties to phishing attacks:

  • covidpayrollfunding[.]info
  • covidpayrollfunding[.]com
  • covidpayrollfunding[.]org
  • covidpayrollgrant[.]com
  • covidpayrollgrant[.]org
  • covidpayrollgrant[.]info

While these domains are only being detected by one out of 84 security solution engines on VirusTotal, it may still be best to block access to them for additional protection.

With the number of pandemic-related attack vectors, the enterprise cybersecurity community can employ proactive solutions such as Typosquatting Data Feed to help prevent possible phishing attempts and attacks and set up web filtering measures. Doing so would allow them to avoid incurring additional financial strain that can result from becoming a typosquatting victim.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.

Visit Page

Filed Under


Commenting is not available in this channel entry.
CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet



New TLDs

Sponsored byRadix

Threat Intelligence

Sponsored byWhoisXML API

Brand Protection

Sponsored byCSC


Sponsored byDNIB.com

Domain Names

Sponsored byVerisign


Sponsored byVerisign

IPv4 Markets

Sponsored byIPv4.Global