German government might have lost tens of millions of euros in COVID-19 phishing attack

German state of North Rhine-Westphalia failed to put in place a citizen verification procedure and allowed fraudsters to steal millions of euros.
Written by Catalin Cimpanu, Contributor

The government of North Rhine-Westphalia, a province in western Germany, is believed to have lost tens of millions of euros after it failed to build a secure website for distributing coronavirus emergency aid funding.

The funds were lost following a classic phishing operation.

Cybercriminals created copies of an official website that the NRW Ministry of Economic Affairs had set up to distribute COVID-19 financial aid.

Crooks distributed links to their sites using email campaigns, lured users to the sites, and collected details from locals. They then filed requests for government aid on behalf of the real users, but replaced the bank account where funds were to be wired.

Losses in the tens of millions of euros

The scheme lasted from mid-March to April 9, when the NRW government suspended payments and took down its website.

NRW police said they had received 576 official reports of fraud in relation to this scam before the website was taken down, German tech news site Heise said this week.

German newspaper Handelsblatt also reported that the government had received more than 380,000 requests for coronavirus government aid, agreeing to make payments in 360,000 cases.

NRW officials said that between 3,500 and 4,000 requests for funding are believed to have been made fraudulently, German TV station Tagesschau reported on Wednesday.

Payments ranged from €9,000, for self-employed professionals, to €25,000, for companies with more than 50 employees that had their activity disrupted by the current pandemic.

Based on a rough estimate, the NRW government is currently believed to have lost between €31.5 million ($34.25 million) and €100 million ($109 million) in fraudulent payments made to the wrong accounts.

Blame falls on NRW officials

An investigation is ongoing. Tagesschau reports that NRW prosecutors are currently looking into two phishing websites used in the scheme, one of which is wirtschaft-nrw.info.

The blame in this incident falls solely on NRW officials who had not come up with a secure method of distributing funds.

While other German state governments were asking users to upload scanned documents to prove their identity or to download a form and mail it, NRW only required local residents and companies to fill in a form on its site, without any additional verification of their identity.

The NRW government has re-enabled its coronavirus emergency aid funding website today, and it said that payments will be honored going forward only if the requester's bank account number matches the bank account number used in the past to pay taxes.
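The account-matching rule described above can be sketched as a payout gate. This is an added example, not code from the NRW government or from the article; the tax-record store, the tax IDs and the decision labels are assumptions, and the two IBANs are widely published test values.

```python
import re

# Constructed sample data (assumption): tax ID -> IBAN previously used to pay taxes.
# Both IBANs are public test values, not real accounts.
TAX_RECORDS = {
    "TAX-0001": "DE89 3704 0044 0532 0130 00",
    "TAX-0002": "DE02 1203 0000 0000 2020 51",
}

def normalize_iban(raw):
    """Drop spaces/hyphens and upper-case, so formatting alone never causes a mismatch."""
    return re.sub(r"[\s-]", "", raw).upper()

def iban_checksum_ok(iban):
    """ISO 13616 mod-97 check on an already normalized IBAN."""
    if not re.fullmatch(r"[A-Z]{2}\d{2}[A-Z0-9]{11,30}", iban):
        return False
    rearranged = iban[4:] + iban[:4]          # move country code + check digits to the end
    digits = "".join(str(int(ch, 36)) for ch in rearranged)  # A=10 ... Z=35
    return int(digits) % 97 == 1

def decide_payout(tax_id, requested_iban, records=TAX_RECORDS):
    """Return PAY only when the requested account equals the one on file.

    Every other outcome is a hold or reject that should go to manual review,
    never to an automatic payment.
    """
    iban = normalize_iban(requested_iban)
    if not iban_checksum_ok(iban):
        return "REJECT_INVALID_IBAN"
    on_file = records.get(tax_id)
    if on_file is None:
        return "HOLD_NO_TAX_RECORD"
    if normalize_iban(on_file) != iban:
        # The pattern in this incident: real applicant details, swapped bank account.
        return "HOLD_IBAN_MISMATCH"
    return "PAY"

if __name__ == "__main__":
    print(decide_payout("TAX-0001", "de89370400440532013000"))
    print(decide_payout("TAX-0001", "DE02 1203 0000 0000 2020 51"))
```
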

Jan G. (pseudonym), a Cologne-based C programmer, told ZDNet today that he would have also fallen for the phishing campaign if he had received the scammer's email.

"We users can detect phishing sites if we are familiar with the cloned site," Jan told ZDNet in a phone call today. "This was a new site that nobody had seen before and we wouldn't have been able to tell if it was the real one or not. It explains why so many fell for it and entered personal data."

NRW police is now asking users who have filed for coronavirus relief funds but have not yet received them to file a police report.
