- Phishing actors have managed to trick a German state into paying them COVID-19 financial aid.
- The actors used stolen credentials from businesses and citizens and only changed the IBANs.
- The amount of damage done to the state is at least EUR 31.5 million, but it is most probably much higher.
According to multiple reports from local media outlets, the German state of North Rhine-Westphalia (NRW) has lost tens of millions of Euros by approving emergency financial aid requests submitted by fraudsters. When the state realized it had been scammed, it took down the online aid request submission portal and went on to implement additional identity confirmation measures. The financial directors of the German state told Handelsblatt that they had already approved 360,000 applications and that at least 3,500 of them are now thought to be fraudulent. The aid payments range from EUR 9,000 to EUR 25,000, so the resulting damage is at least EUR 31,500,000.
Right now, the NRW cyber-crime division is carrying out an investigation, and its first findings indicate that the perpetrators had set up a phishing page on “wirtschaft-nrw.info”. Through this fake portal, they stole real PII from local citizens so that the information in their requests matched the records in NRW’s systems. The phished citizens were even asked to upload scans of their sensitive documents, download a form, fill it out, and send it to the actors. The fraudsters then changed only the bank account where the aid would be deposited and filled out the rest of the online application form with the stolen data.
Heise now reports that the real application portal is online and operational again, and it resides on “soforthilfe-corona.nrw.de”. To prevent losing tens of millions of Euros again, the IBANs that are entered in the form are now compared with those declared to the tax authorities. Those who fell victim to the initial phishing campaign will also remain eligible for financial relief, as the mistake is attributed solely to NRW and the lack of proper identity verification measures on its systems.
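The IBAN comparison described above can be sketched as follows. This is an added example, not code from the NRW portal: the function names, the decision labels, the tax ID format and the sample records are all assumptions, and the IBANs are constructed test values.

```python
import re

# ISO 13616 length for German IBANs; extend the table for other countries.
IBAN_LENGTH = {"DE": 22}

def normalize_iban(raw: str) -> str:
    """Strip whitespace and upper-case so formatting differences never cause a mismatch."""
    return re.sub(r"\s+", "", raw).upper()

def iban_is_valid(raw: str) -> bool:
    """Structural check plus the ISO 7064 mod-97 checksum."""
    iban = normalize_iban(raw)
    if not re.fullmatch(r"[A-Z]{2}\d{2}[A-Z0-9]+", iban):
        return False
    if IBAN_LENGTH.get(iban[:2]) != len(iban):
        return False
    rearranged = iban[4:] + iban[:4]
    # Letters map to 10..35 (A=10), digits map to themselves.
    digits = "".join(str(int(ch, 36)) for ch in rearranged)
    return int(digits) % 97 == 1

def check_payout_account(tax_id: str, submitted_iban: str, tax_records: dict) -> str:
    """Decide whether an aid payout may go to the submitted account.

    tax_records maps a tax ID to the set of IBANs the tax authority has on
    file for that applicant (hypothetical data source).
    """
    if not iban_is_valid(submitted_iban):
        return "reject_invalid_iban"
    on_file = {normalize_iban(i) for i in tax_records.get(tax_id, ())}
    if not on_file:
        return "manual_review_no_record"
    if normalize_iban(submitted_iban) not in on_file:
        # Correct identity data but an unknown account: the pattern in this case.
        return "manual_review_iban_mismatch"
    return "approve"

# Constructed sample data (not real applicants or accounts).
TAX_RECORDS = {"TAXID-0001": {"DE89 3704 0044 0532 0130 00"}}

if __name__ == "__main__":
    for iban in ("de89370400440532013000", "DE77100000000000000000"):
        print(iban, "->", check_payout_account("TAXID-0001", iban, TAX_RECORDS))
```

A mismatch is routed to manual review rather than rejected outright, because a legitimate applicant may have changed banks since the last tax filing.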
As for the actors, the investigators are still after them, but it will be particularly hard to track them down now. The money that was sent to their now-closed accounts was immediately converted to cryptocurrency and passed through crypto-exchange platforms. There is a large number of people who filled out their data on the phishing site and who are still waiting for the funds to reach them, so the estimated number of fraudulent applications may actually be a lot bigger.