Sophisticated threat actors are leveraging phishing kits, back-end source code packages used by scammers to launch phishing attacks, to defraud both citizens and government agencies out of unemployment payments. WMC Global has specifically seen an increase in unemployment phishing targeting citizens of Hawaii. Exploiting pandemic-related stress and financial concern, remote work, and government “brand” trust, threat actors are preying on the vulnerabilities of millions of Hawaiians.

WMC global is beginning to see the unemployment fraud phishing attacks morph once the original attack has become less successful and, therefore, the attack continues to be effective long after the original scam has been taken down. Some of the attributes of these campaigns are: 

  • Methods / Tools: Threat actors are utilizing JOTforms and Google forms / Gmail to get past blocklist filters. Most consumers and organizations have safe listed. It becomes harder to block a site when threat actors are using something well-known site to execute a campaign. 
  • Delivery Mechanism: varied 
  • Consistency of Tactics, Techniques, and Procedures (TTPs): These attackers always use Gmail, static lure texts, and common hosting companies. Each phishing kit is basically the same except for the Gmail address. 
  • Small Number of Actors: Many of these attacks are likely perpetrated by one threat actor gang because of the consistency of TTPs. 
  • Tools’ Ease of Use: Gmail accounts can have zero ties to the threat actor.  
  • Speed: The functionality of the attack allows for speed which makes it easier to be successful. 
  • Switching Identifiers Frequently: Threat actors often change their email accounts to avoid becoming compromised. 
  • Playing on Emotions: The scams are generic and play on the vulnerability of people during the pandemic and the impaired judgment that comes under stressful situations. 


If organizations were to switch to a no password / text-message-code style of security, the kits would morph again to puppeteer-style kits, and dynamic kits that can bypass multi-factor authentication. Often these threat operations are solely for laundering money. 

Threat analysts deal with customer credential phishing as a daily occurrence; however, in the past, they have lacked actionable intelligence solutions that allow for attribution of these attacks. Phishing kits are an untapped resource. The hidden code elements and vital clues they contain offer the opportunity to attribute mass campaigns back to the responsible threat actor(s). The ultimate solution for stopping unemployment fraud phishing is investing in phishing kit intelligence research at scale so that law enforcement has the direct intelligence needed to find and arrest threat actors, stopping phishing at the source.