Dark Reading is part of the Informa Tech Division of Informa PLC

Tom Pendergast

Make Sure That Stimulus Check Lands in the Right Bank Account

If you haven't already, it's time to build trust relationships with your financial institutions, using strong security, privacy protections and secure, unique user credentials.

When Congress passed a $900 billion economic relief package in December 2020, it wasn't just unemployed Americans and those with low to moderate incomes who were happy: Scammers rejoiced as well. Just like back in May 2020, these vultures see a river of money flowing from the federal government to regular Americans and they are eager to grab some of it for themselves.

And the economic relief and associated scamming aren't over yet: President Biden's relief plan promises more stimulus soon, and California just passed its own relief package, with $600 for low-income residents. Luckily, there are some ways to ensure that the government money goes into the right hands. 


If scams related to stimulus checks and unemployment payments give you a strong sense of déjà vu, you're not alone. After all, we've been here before, back in May when the first coronavirus relief package was passed and there was massive fraud aimed at state government agencies charged with distributing the unemployment relief. In fact, the Office of the Inspector General of the Department of Labor estimated that fraud claimed $36 billion of the $360 billion available in the CARES Act. 

I had a pretty strong sense of déjà vu myself, since I was the victim of such a scam in my home state of Washington. But on Jan. 11 — some seven months after I filed my initial fraud report — I got an official verification that my Social Security number was mine (really!) and is now officially connected to my account at the Employment Security Department. Now that I have established claim to my ESD account, nobody can present a fraud claim on my behalf.

That doesn't mean there aren't other ways for criminals to profit off my data, because in late January, the Washington State Auditor revealed that the personal data of 1.4 million state residents may have been stolen in a hack of third-party software provider Accellion. I'll add this to the long list of data breaches my data has been involved in!

This Problem Is Mostly Solved by Trust
But I don't despair all that much about this stuff, because there are things you and I can do to keep ourselves safe. Claiming your account — whether it's at your state employment services agency or with the IRS or with any other entity that you do business with, really — allows you to establish a channel for trusted interactions. For example, because I have a trust relationship with the Department of the Treasury, any government stimulus check or tax refund can be deposited directly in my bank account — and I don't have to risk a check being lost or stolen, or receiving one of the new, more secure debit cards that are also used to make payments to people who don't have direct deposit. These trust relationships are built off strong security and privacy protections on the part of the agency and the use of secure, unique credentials on the part of the user, but they work far better than the other means. Of course, they still need to protect the data I trust them with.

For people who are receiving the stimulus payment via debit card, the US Treasury is doing its best to ensure that the process of getting paid is clear and secure, showing recipients exactly what they should look for in the mail, including what the cards look like.

For all this effort, it's easy to imagine that a scammer could emulate this mailing and ask a user to phone into a call center and provide some essential information — perhaps even a bank account — and run a scam that way. Both Forbes and CNBC have provided good guides for using these cards safely and without fees. 

Whether you're waiting for this stimulus check or the next, bigger one promised by the Biden administration, or seeking to avoid any entanglement in an unemployment scheme, there are some tried and true methods for ensuring that your interactions with government agencies of all sorts are handled securely and privately.

Protect Your Credentials
Protecting credentials — usernames and especially passwords — is one of the best and most basic things you can do to stay safe from hackers. Using unique passwords everywhere is easy when you use a password manager, and adding multifactor authentication adds another level of protection. 

Own Your Accounts
Establishing a secure account with state and federal agencies is the best way to take advantage of the security protections they provide, and this protection generally outweighs whatever risk you have of this agency being breached, though that risk does exist. I'd suggest that people establish an account with their state employment agency (or broader state government) now, and also verify that they have accounts at the major federal agencies they deal with — which will likely include the Social Security Administration and the IRS at a minimum.

While I understand that some people may not believe that they can enter into a trust relationship with the government, I'd suggest that it's better that you control the terms of that relationship than to allow that relationship to be established by someone else. 

Take Quick Action
The moment you suspect fraud, act as quickly as you can to report it.

Many major government agencies and financial institutions have dedicated fraud hotlines or online services, and they may also suggest that you make a report to your local law enforcement agency. If you take quick action, you might be able to avoid the nightmare of full-blown identity theft.

Protect Your Credit
Freezing your credit at all three credit agencies is a simple (and free) act that can prevent anyone with access to your personal information from opening up an account in your name. You'll need to learn a few tricks to unfreeze your account when needed, but it's well worth your time.

Apply Healthy Skepticism
Even if you do all of the above, you can still fall prey to a scam if you allow people to convince you to give away information or credentials you shouldn't. That's why you've got to be skeptical of any phone calls, emails, or letters that ask you to divulge financial information or passwords. Your healthy skepticism is your best defense.

Tom Pendergast is MediaPRO's Chief Learning Officer. He believes that every person cares about protecting data, they just don't know it yet. That's why he's constantly trying to devise new and easy ways to help awareness program managers educate their employees. Whether it's ...
