Pandemic Compensation Used as Lure to Steal Numerous Types of Data

Scammers are using the lure of pandemic compensation as a lure to steal close to a dozen different types of data from their victims.

At the beginning of July, Zix | AppRiver spotted an attack email that claimed to originate from the World Health Organization (WHO).

The email arrived with the subject line “pandemic grant compensation.” It used this premise to inform the recipient that they had supposedly won a lottery connected to Microsoft as a means of providing financial assistance to individuals affected by coronavirus 2019 (COVID-19). Specifically, the email told them that they had won 900,050 pounds sterling (worth about 1.13 million USD at the time of writing).

At that point, the email explained that a recipient could claim their prize by submitting some pieces of personal information to Microsoft as a means of verifying themselves.

So Much Wrong…So Little Time…

Let’s look at the most glaring errors that these email fraudsters made in their campaign.

Starting us off, the email is inconsistent in terms of which organization is sending out the email. Indeed, the message claimed to originate from the World Health Organization with the email address “whoconvid19grantsclaims@gmail[dot]com.” (It’s important here to note that employees of the specialized United Nations agency don’t use Gmail accounts to conduct official WHO business. Their email addresses almost certainly use the “” format, as gleaned from visiting the health organization’s contact page.)

Despite this WHO mask, the email listed “msfoundation4convid19@webmail[dot]co[dot]za” as its reply-to email, and it asked that all recipients send their information there. That’s a bizarre request considering the fact that the email lists Microsoft’s physical address in Washington at the beginning of its text. The attack email made no mention of South Africa, the owner of the country code top-level domain “.za.”

Speaking of that physical address, the email printed a fax number “086 667 2070” in connection with Microsoft’s Redmond location. The number is unlikely to be associated with the Redmond-based tech giant, as it is associated with the Country Calling Code for China.

So, whom were the attackers impersonating in their alleged Microsoft email?

They claimed that the email had originated from Paul Allen, an official at the “Microsoft /MSN Corporation.” A quick search on Google confirmed that Paul Gardner Allen was an American businessman who had indeed been involved with Microsoft. He had co-founded Microsoft with his childhood friend Bill Gates in 1975. But Allen then left the company in 1983. Even more than that, Allen passed away in 2018, so there’s no way that he would be the one sending out these emails.

The Microsoft /MSN Lottery Nomination

The attack email was unclear in exactly how the recipient came to allegedly win the pandemic grant compensation.

After addressing the recipient as “Microsoft Nominee,” (It’s clear that those responsible for this campaign were using spray-and-pray tactics and knew nothing about their recipients.) the attackers began their email with the following sentence: “We acknowledged receipt of your mail and the contents noted.” This sentence would imply that the recipient knew that they were applying for something and had submitted materials to that effect.

But just a few paragraphs later, the email explained that “you might be confused about how you were nominated or if actually this is true.” The email then clarified that a “computer balloting system from over 100,000 unions, associations, and corporate bodies that are listed online from Canada, Australia, United States, Asia, Europe, Middle East, Africa and Oceania” had selected the recipient’s email address randomly.

According to the email, this computer balloting system apparently operated under the ownership of the “Microsoft Corporation Lottery Nominee.” The fake Paul Allen described this entity as “an independent Internet Lottery organization that has been financially assisting people with its intention to change people’s life since 1998 and especially this Coronavirus (Convid19) Pandemic, so many people have benefited from it over the years.[sic]”

This is not the first time that some form of Microsoft lottery or promotion has appeared in a spam campaign. Indeed, back in January 2018, for instance, a user took to Microsoft’s community to share an email that they had received about a fake Microsoft International Awareness Program. The message claimed that yet another computer balloting system had been responsible for selecting the recipient as the winner of 200,000.00 pounds British pounds and a Microsoft Surface laptop. After indicating that the recipient’s documents had been approved, the email informed them that a delivery officer would be arriving at a nearby airport and would accompany them to a bank to complete the delivery and transfer of their winnings. Before that could happen, though, the individual would need to pay 10,300 INR (worth about $150 USD) in “government taxes.”

Since then, other users have shared similar scams, including notifications of having won the Microsoft Promotion Award 2018 Lottery and the 2019 Microsoft Techwin Promotion Award.

The issue with all of these emails is that Microsoft doesn’t operate a lottery organization. There’s therefore no computer balloting system selecting people for cash prizes. There are only malicious actors seeking to capitalize on unsuspecting people.

The Spoils of a COVID-19 Relief Scam

Malicious actors leverage Microsoft lottery scams to profit in various ways. As indicated in the scam shared in Microsoft’s Community, nefarious individuals attempted to trick a user into paying what they thought was government tax on an even larger cash prize, for instance.

But sometimes, they just want cold, hard data.

That was the case in the ruse that Zix | AppRiver recently discovered. This particular campaign asked the recipient to submit 10 different pieces of information. Much of that requested data included the usual personally identifiable information (PII) such as the recipient’s name, address and phone number. It also included the recipient’s email address, a detail which the “Microsoft Corporation Lottery Nominee” should already know if its computer balloting system had indeed selected them as a winner in the first place.

That being said, the email also requested that the user send over more sensitive details about themselves. Those requested data included the user’s nationality and occupation, date of birth and ID/passport/driver’s license number.

If they complied with this request, the user would have given the attackers all they needed to commit identity theft. They could have then used those details to open bank accounts, apply for mortgage and engage in other fraudulent activities under their victim’s name.

Defending Your Employees’ Data Against a Microsoft Lottery Scam

The scam campaign described above highlights the need for organizations to defend their employees’ passport details and other data against a Microsoft lottery scam. One of the ways they can do this is by strengthening their email security. Specifically, they should consider investing in a solution that’s capable of scanning incoming messages for IP addresses, malware signatures, campaign patterns and other indicators of known malware operations. That tool should analyze in emails in real-time, thus allowing legitimate pieces to reach their intended destination without disrupting the business.

Learn how Zix | AppRiver’s email threat protection can help your organization against Microsoft lottery scams.