Criminals Using Spoofed Unemployment Benefit Domains to Defraud US Public



The Federal Bureau of Investigation is issuing this announcement to alert and help the public recognize and avoid spoofed, or fake, unemployment benefit websites.

Cyber criminals have created these spoofed websites to collect personal and financial data from US victims. These spoofed websites imitate the appearance of and can be easily mistaken for legitimate websites offering unemployment benefits.

Cyber criminals register website domains and email addresses that resemble those which legitimately facilitate the processing of unemployment benefits. These domains and email addresses often contain misspelled words or replace "[.]gov" with "[.]xyz." For example, one such domain is "illiform-gov[.]xyz." These domains lead victims to malicious websites that are usually similar in appearance to their legitimate counterparts. The fake websites prompt victims to enter sensitive personal and financial information. Cyber actors use this information to redirect unemployment benefits, harvest user credentials, collect personally identifiable information, and infect victims' devices with malware. In addition to a loss of benefits, victims of this activity can suffer a range of additional consequences, including ransomware infection and identity theft.

There were 385 identified domains hosted by the same IP address at, seven of which appear to impersonate government domains pertaining to unemployment benefits and are listed below.

Domain                 Status
employ-nv[.]xyz        Active
employ-wiscon[.]xyz    Inactive
gov2go[.]xyz           Active
illiform-gov[.]xyz     Active
mary-landgov[.]xyz     Active
Marylandgov[.]xyz      Inactive
newstate-nm[.]xyz      Active
Newstatenm[.]xyz       Inactive
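One way to turn the naming pattern described above (a "gov" string or a state name or abbreviation under a non-.gov top-level domain) into a triage check for DNS or proxy logs. This is an added example, not part of the FBI announcement; the state vocabularies, the six-character prefix threshold and the function names are assumptions.

```python
# Assumed, partial vocabularies for illustration; extend before real use.
STATE_NAMES = ("illinois", "maryland", "nevada", "newmexico", "wisconsin")
STATE_ABBREVS = {"il", "md", "nv", "nm", "wi"}
MIN_PREFIX = 6  # shortest truncated state name that counts as a match

# Defanged domains exactly as listed in the announcement's table.
LISTED = ["employ-nv[.]xyz", "employ-wiscon[.]xyz", "gov2go[.]xyz",
          "illiform-gov[.]xyz", "mary-landgov[.]xyz", "Marylandgov[.]xyz",
          "newstate-nm[.]xyz", "Newstatenm[.]xyz"]


def refang(domain):
    """Turn a defanged indicator ('name[.]xyz') into lowercase DNS form."""
    return domain.strip().lower().replace("[.]", ".").rstrip(".")


def lookalike_reasons(domain):
    """Return the heuristics a domain trips; an empty list means no match."""
    labels = refang(domain).split(".")
    if len(labels) < 2 or labels[-1] == "gov":
        return []  # names under the real .gov TLD are out of scope
    tokens = [t for label in labels[:-1] for t in label.split("-") if t]
    squashed = "".join(tokens)  # hyphens removed, so 'mary-land' reads 'maryland'
    reasons = []
    if "gov" in squashed:
        reasons.append("gov-in-label")
    if any(t in STATE_ABBREVS for t in tokens):
        reasons.append("state-abbreviation-token")
    for state in STATE_NAMES:
        # The prefix test also covers the full name, which contains its prefix.
        if state[:MIN_PREFIX] in squashed:
            reasons.append("state-name:" + state)
    return reasons


def triage(domains):
    """Map each flagged input domain to the list of heuristics it tripped."""
    hits = {}
    for d in domains:
        reasons = lookalike_reasons(d)
        if reasons:
            hits[d] = reasons
    return hits


if __name__ == "__main__":
    for domain, reasons in triage(LISTED).items():
        print(domain, "->", ", ".join(reasons))
```

Of the eight listed names, these rules flag seven; Newstatenm[.]xyz has no hyphen, no "gov" string and no state-name prefix, so heuristics like these supplement blocking the published indicators rather than replace it.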

read more (IC3 GOV)