November 12, 2021

Funds transfer phishing attacks work better with a crisis

Since the dawn of email attacks, one of the most effective ways to grab attention in a scam has been by using the word: “Funds!” While promises of free cash and prizes often fall into the “too-good-to-be-true” waste basket, the term “funds” sounds more official, and can intrigue some people enough to read further and get hooked.

Patrik Sulander
Junior Threat Analyst

Traditionally, funding scam emails have a bogus big-wig at a major institution asking victims to help execute a major funds transfer by contributing a comparatively minimal amount for a big payout. Then they try to set up a meeting to discuss options for an important partnership with the bank or political entity connected to the big transfer of funds. This attack is so popular that attack email templates containing the word “funds” are usually filtered by email services directly to the spam box. You might have seen the example below:

This is a real phishing email sent from a Gmail account. It’s a good example of a typical fund-themed phish that’s often blocked by your email service. In these cases, attackers present themselves as high-level representatives of a public foundation like the WHO (World Health Organization), or of a foreign financial institution or government, to gain recipients’ trust for a fund transfer. If you are contacted out of the blue by a representative of a major organization, it’s almost certainly a scam. Be absolutely certain to verify their authenticity on another platform before responding.

Funds transfer spear phish are a much more dangerous sign of the times

A targeted, well-crafted funds transfer phishing attack that’s relevant to a current crisis or major situation can bypass the spam filters and cause real damage. Remember, malicious actors have no shame. Catastrophes are gold mines to them; crises are raw material for their phishing emails. As such, attackers have developed new ways to succeed with the tried-and-true funds phishing attack by using the coronavirus disease (COVID-19) pandemic as the phishing hook.

Below is a good example of a funds-themed spear attack we’re seeing. The subject mentions covid-19, and the email promises COVID-19 relief “bonus funds.” But the real intent is to harvest sensitive personal information via the enclosed attachment, which redirects the victim to a portal service where the victim is asked to fill in their credentials.

In the spear phish attack below, the attacker is impersonating the recipient’s coworker by spoofing the sender in the email header. This heightens the email’s potency, as an internal communication promising funds as a corporate bonus sounds plausible. When people receive these types of emails in their work email account, they might try to take care of it quickly and fail to notice the phishing email indicators.

How funds transfer phishes work

It’s usually a volume play. Because phishing attacks are usually extremely cheap to execute and sent out in huge numbers, a campaign’s success rate doesn’t need to be too high to be worth the criminal’s time. In this case, it is not hard for attackers to spoof official notifications of targeted companies, as real examples are widely available. But such reproductions take more effort than a traditional simple, generic attack. Because company-specific targeted attacks are still less common, they might have an outsized success rate, as people are unprepared for them.

Two classic social engineering tactics are always in the body of messages: manipulating user curiosity and creating a false sense of hope. The user’s curiosity is raised with the message’s vagueness. Because the message reveals little information beyond potential funds to the user, it is much more likely the user will open the attachment to learn more. This type of attack works because the recipient is not forced to act in a certain way, but is invited to explore a possible new source of significant income.

Social engineers try to push buttons and pressure people into hasty clicks on malicious links or attachments. Always approach a request for your personal information with caution, and validate whether the request is appropriate.


  • Check which domains the alleged company uses on its official sites: does the sender’s domain match?
  • Contact the sender directly on another platform. If legit, the user validates the message. If it’s a scam, the information passes on to authorities; they will know about attacks making the rounds with their name on it, so they can act accordingly.
  • Pay particular care to shortened links (services like or for example)
  • Always be cautious about opening attachments, especially if they contain macros
  • Trust your instincts if you are in doubt, and be especially careful with too-good-to-be-true offers!
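The checklist above can also be partly automated at the mail gateway or in a reported-mail triage queue. The following sketch is an added example, not Hoxhunt's code: it flags a sender-domain mismatch, an unauthenticated "internal" sender, macro-enabled attachments and shortened links. The domain `corp.example`, the shortener placeholder `short.example`, the function names and the sample message are all assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAIN = "corp.example"           # assumed internal mail domain
SHORTENERS = {"short.example"}            # placeholder shortener domains
MACRO_EXTS = (".docm", ".xlsm", ".pptm")  # macro-enabled Office formats

def domain_of(value):
    return parseaddr(value or "")[1].rpartition("@")[2].lower()

def triage(raw):
    """Return the checklist indicators found in a raw RFC 5322 message."""
    msg = message_from_string(raw)
    from_dom = domain_of(msg["From"])
    hits = [h.lower() + "-mismatch" for h in ("Return-Path", "Reply-To")
            if domain_of(msg[h]) not in ("", from_dom)]
    # Only trust Authentication-Results stamped by your own mail gateway.
    auth = (msg["Authentication-Results"] or "").lower()
    if from_dom == TRUSTED_DOMAIN and "dmarc=pass" not in auth:
        hits.append("internal-sender-unauthenticated")
    for part in msg.walk():
        if (part.get_filename() or "").lower().endswith(MACRO_EXTS):
            hits.append("macro-attachment")
        if part.get_content_maintype() == "text":
            body = part.get_payload(decode=True).decode(errors="replace")
            hosts = re.findall(r"https?://([^/\s\"'>]+)", body)
            if any(h.lower() in SHORTENERS for h in hosts):
                hits.append("shortened-link")
    return hits

# Constructed sample: a coworker's address forged in From:.
SAMPLE = """\
Return-Path: <notice@mailer.invalid>
Authentication-Results: mx.corp.example; dmarc=fail
From: "Maria Lee" <maria.lee@corp.example>
Subject: COVID-19 relief bonus funds
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Claim via the attached form or http://short.example/x9
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="bonus_form.docm"

--b1--
"""
```

Calling `triage(SAMPLE)` reports four indicators for the constructed message; a message with consistent headers, no attachment and no shortened link returns an empty list.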

Hoxhunt response

Our Threat Analysis Team examines tens of thousands of reported phishing emails a week, including ones like these, and has captured tens of millions of threats to date. Working together with our powerful machine learning model, they cluster the threats, rate them, and incorporate the nasty ones into our training simulations in real time to ensure our training stays at the cutting edge of the constantly evolving threat landscape. Hoxhunt users are thus drilled on spotting and reporting the latest actual threats making the rounds, removing potentially catastrophic threats from your system with every push of the Hoxhunt reporting button. Read more to learn how to equip your employees with the awareness training that will protect your company from phishing scams.
