
Cyber Incident Victim: Landesregierung Nordrhein-Westfalen

Date: Mar 2020

Location: Germany

Summary

Cybercriminals executed a phishing campaign by cloning a government emergency aid website, collecting citizen details to submit fraudulent funding requests with altered bank information. The attack resulted in losses estimated at between tens of millions and over a hundred million euros due to thousands of falsified applications. Officials suspended the portal after discovering the scheme and later reinstated it with enhanced identity verification requiring matching tax payment accounts. The incident was attributed to inadequate initial security measures: the state lacked the robust identity checks used by other states, which facilitated the large-scale fraud. Authorities initiated investigations into the phishing domains while urging affected applicants to report missing payments.


Description

In mid-March 2020, the German state of North Rhine-Westphalia (NRW) launched an online portal through its Ministry of Economic Affairs to distribute emergency financial aid to businesses and self-employed individuals impacted by COVID-19 lockdown measures. Cybercriminals swiftly exploited this system by creating counterfeit copies of the official government website. The attackers distributed phishing emails containing links to these fraudulent sites, which mimicked the legitimate portal's appearance and functionality. Unsuspecting citizens and business owners who clicked these links submitted personal and financial details through the fake platforms. Fraudsters then used the stolen information to file aid applications on behalf of the legitimate applicants, substituting their own bank account details to divert payments. This scheme persisted undetected for approximately four weeks until April 9, when NRW authorities suspended all payments and took the official portal offline following mounting reports of irregularities.

The incident resulted in substantial financial losses estimated between €31.5 million ($34.25 million) and €100 million ($109 million), based on analysis of 3,500 to 4,000 confirmed fraudulent applications among 360,000 approved payments. Each fraudulent payment ranged from €9,000 for individual applicants to €25,000 for larger businesses. NRW police documented 576 formal fraud reports related to the scam by mid-April. Investigators identified at least two phishing domains used in the attack, including wirtschaft-nrw.info. The attack succeeded primarily because NRW's original portal lacked identity verification protocols required by other German states, such as document uploads or mailed forms, relying solely on unverified online submissions. On April 17, NRW relaunched its aid portal with enhanced security measures requiring applicants' bank accounts to match prior tax payment records. Authorities urged affected citizens who hadn't received expected funds to file police reports while prosecutors continued investigating the phishing infrastructure. The incident represented one of the largest publicly disclosed financial frauds exploiting COVID-19 relief programs during the pandemic's initial phase.
