www.cisa.gov

For more information,

In March, Congress passed—and the President signed—the

Coronavirus Aid, Relief, and Economic Security (CARES) Act, a $2

trillion economic relief package intended to support American

businesses and individuals economically burdened by the coronavirus

pandemic. A provision of the law includes sending economic impact

payments to eligible Americans.

themselves—and for adversaries seeking to disrupt payment efforts.

For more information about economic impact payments, see the IRS Economic Impact Payments Information Center,

which includes answers to taxpayer questions about eligibility, payment amounts, what to expect, and when to expect it.

See the IRS’s article, Do Not Let Scammers Get Your COVID-19 Economic Impact Payment, for additional guidance.

To report an IRS-related coronavirus scam, visit the IRS Impersonation Scam Reporting webpage.

What are the threats?

COVID-related scams — The U.S. Government continues to encounter instances of criminals using stimulus-themed

emails and text messages to trick individuals into providing personally identifiable information and bank account

details. We recommend financial institutions to remind their customers about the importance of practices sound

https://www.secretservice.gov/contact/field-offices/.

Defrauding of government and financial institutions — We expect, at a minimum, criminals to use CARES Act-related

and/or -themed emails or websites to trick financial institutions and their customers into providing criminals with

personal or banking information or access to computer networks. Themes for these scams might include economic

stimulus, personal checks, loan and grant programs, or other subjects relevant to the CARES Act. These CARES Act-

related cybercriminal attempts could support a wide range of follow-on activities that would be harmful to the rollout of

the CARES Act.

On the most dangerous end of the spectrum, criminals and adversaries may pursue activities that go beyond stealing

information or funds and seek to disrupt the operations of the organizations responsible for implementing the CARES

Act, including through the use of ransomware to extort money from victims, steal personal information, or interrupt the

flow of CARES Act funds. We recommend federal, state, local, and tribal agencies and financial institutions initiate a

comprehensive security review of critical systems, especially those involved with banking, payments, and loan

processing. Further, please visit CISA's Ransomware page for information about this specific threat.

Countering these threats

• The U.S. Government and international partners have increased their distribution of threat intelligence and

best practices to industry and local governments to achieve the immediate effect of disrupting and deterring

this criminal activity. See the CISA and the United Kingdom’s National Cyber Security Centre (NCSC) alerts on

legitimate stimulus check.

Understand how the IRS communicates electronically with taxpayers

• The IRS does not initiate contact with taxpayers by email, text messages, or social media channels to request

personal or financial information.

• This includes requests for personal identification numbers (PINs), passwords, or similar access information for

credit cards, banks, or other financial accounts.

• The official website for the IRS is www.irs.gov though some stimulus recipients may also need to use this IRS-

run site, https://www.freefilefillableforms.com/. Beware of similar domain names and mismatched SSL

certificates. Navigate to the official site from https://www.irs.gov/coronavirus/non-filers-enter-payment-info-

suspicious or unusual activity.

Watch for any unexplainable charges to your financial accounts. If you believe your accounts may be compromised,

contact your financial institution immediately and close those accounts.

If you believe you might have revealed sensitive account information, immediately change the passwords to those

accounts. If you used the same password for multiple accounts, make sure to change the password for each account

and do not use that password in the future.

Report suspicious phishing communications

• Email: If you read an email claiming to be from the IRS, do not reply or click on attachments and/or links.

Forward the email as-is to phi[email protected], and delete the original email.

• Website: If you find a website that claims to be the IRS and suspect it is fraudulent, send the URL of the

report with the Treasury Inspector General for Tax Administration, the Federal Trade Commission, and the police. To

report a crime, contact your local Secret Service field office: https://www.secretservice.gov/contact/field-offices/.

For more information on phishing, other suspicious IRS-related communications, including phone or fax scams, or

additional guidance released by Treasury/IRS, CISA, and the Secret Service visit:

• Avoiding Social Engineering and Phishing Attacks

• Recognizing and Avoiding Email Scams

• Phishing and Other Schemes Using the IRS Name

• IRS Phone Scam Intensifies During Filing Season

• Report Phishing and Online Scams

Additional Reporting Activity

To report an intrusion and request technical assistance, contact CISA at [email protected] or 888-282-