Spam Money Lenders: data theft, Trojans and other special features of ‘cheap’ loans

Nowadays banks and other credit institutions make big money from offering cheap loans. Millions of people worldwide prefer to buy goods and services on credit, agreeing to pay considerable sums in interest to various money lenders.

But it is not always easy to get a loan – potential borrowers must confirm their ability to meet the established monthly payment. Other terms and conditions may vary by country or the specific requirements of a financial institution. As a rule, the toughest conditions are imposed by the big banks. Small organizations and private money lenders often have fewer restrictions, and use higher interest rates to compensate for accepting higher-risk clients. However, since they struggle to compete with the scale of marketing campaigns available to big multi-national banks, they resort to electronic mailings. Quite often, these messages serve as a cloak for unscrupulous organizations whose services turn out to be far more expensive than advertised, as well as typical Internet scams.


The dangers of loans offered in spam mailings

Any attempt to take advantage of a credit offer contained in a spam mailing may prove costly – and the problems can start as soon as you read the initial offer. Let’s have a closer look at the threats that unsolicited credit-related emails may pose.

  1. Phishing is an attempt to steal a user’s financial data with the help of fake web pages imitating official application forms from well-known banks. Whenever a user enters personal information on a phishing site, that data ends up in the hands of the fraudsters. The latter, in turn, use it to take out a loan in the name of the victim. The fraud is only uncovered much later, when the lender starts legal proceedings over the default in loan repayments.
  2. Voluntary provision of personal data to third parties. In this case, in order to collect information about the victim, the scammers use various plausible excuses (for example, offer their assistance in obtaining a loan) rather than fake pages. As a result, they may wangle important data – including financial information – out of the user. Even without a password to the online banking system or a three-digit card verification value (CVV), the user’s passport or contact details can be enough for fraudulent use such as drawing up false documents.
  3. Malware attachments. Quite often the scammers spread malware which imitates credit application forms or approved credit agreements. Typically, malicious programs are zipped and disguised as harmless files, for example, using a double extension. Any attempt to open the “contract” may lead to system infection and the loss of data stored on the hard drive.
  4. Spamming the email box. A response to a spam email, even made without any intention to use the services offered in the advertisement, tells the spammers that the email address really exists and is actively used (some spammers send messages to randomly generated address lists). As a result, the number of advertising messages sent to the ‘exposed’ email box will increase significantly.

In this article we will describe typical spam messages containing credit offers and analyze their main components.


Main characteristics of the emails

Credit spam is distributed worldwide. Regardless of the language, messages of this type are very similar. Of course, there are some variations from country to country, but these are mostly related to the economic situation and credit legislation in these places.

The subject of the email

The heading of the email containing a credit offer is usually a clear indication of its content. In fact, it is a business proposition so the subject of the message gives a brief account of the key information.

The most common English-language headings contain the phrases urgent loan, get a loan and the loan offer, very often featuring the interest rate. German-language headings have even fewer words; everything is clear and concrete without any unnecessary details: Darlehen / Kredit / Finanzierung Angebot.


The From field

Credit spam mainly arrives from addresses registered on free email services. Spammers can hack users’ mailboxes and put the hacked addresses in the From field, or generate addresses automatically in large quantities, without worrying about disclosing their identity or about the addresses being blocked by anti-spam filters.

The From field may contain an individual name – which most likely is unknown to the recipient (Paul) – or a name and a surname (Jerry Brown, Kim James) or the name of the financial organization which allegedly sent the email. Quite often the sender’s name is substituted by the word “credit” or a phrase containing this word (LOAN SERVICE, KREDIT). Sometimes the From field contains a random selection of letters and numbers generated automatically which is one of the common features of all spam.


The content of the email

The text of the credit message can be either informative and detailed or very short, just asking the recipient to send a reply to the indicated address if interested in the offer.


All the emails have common features that are typical both for this type of unsolicited correspondence and spam in general.

The form of address

Credit spam almost never addresses itself to an individual reader. Instead spammers use brief impersonal greetings such as “Good day”, “Guten Tag”, “Hallo”, “Ich grüße euch”. Another common trick is to address the recipient as a potential client: “Dear Client”, “Dear Valued Client”, “Sehr geehrter Kunde”. The use of the recipient’s real name is highly unlikely.

The promises

Credit spammers want to attract potential clients by promising them large sums of money (sometimes up to several million in cash) which can be granted in a short period of time (from several hours to a couple of days) without any pledge or guarantors, or any certificate of income and a minimum number of documents. Some creditors even claim that there is no problem if previous attempts to get a loan from a well-known bank ended in failure.

Spammers like to use aggressive advertising. They often highlight important phrases visually (in a different font or color) for heightened psychological impact: for example, to make recipients believe that they badly need a loan and have to get one immediately. Previous unsuccessful applications are explained away as unfair errors, whereas now everyone is happy to help.


The authors of spam messages do not always give out money themselves. Sometimes they act as intermediaries. They promise to forward the user’s application to several banks, suggesting strong competition will lead to highly favorable terms even if the sum of money is merely enough to buy a new sofa.

Spammers offer not only cash loans but also credit cards with generous credit limits, backed up by well-known banks. However, such offers often conceal a phishing attack.


Sometimes the user receives a message like this: “Your loan has been approved, the assigned number is ***, you may pick up the money by sending us the details of your bank account to which the sum will be transferred.” The authors’ idea is simple: recipients will be interested in a loan (even though they probably never applied for a loan in the first place) which is offered without going through the standard paperwork, and will send their bank account information to the fraudsters.


Geographical peculiarities

German-language credit spam has a very specific feature. Germany has a specialized financial institution called SCHUFA. It is one of the world’s largest credit bureaus, and it accumulates information about every bank account in the country as well as loans and other debts. SCHUFA uses this data to assess the reliability of any individual, and it is here that German institutions seek advice before deciding whether to grant a loan. Therefore, if a person already has a large unpaid loan, he stands little chance of getting a new one.


Officially, all decisions on loans, all inquiries and inspections must pass through this organization. However, the German-language credit spam offers the borrower any sum without a SCHUFA certificate, i.e. bypassing the reliability test. It means that any person can get a loan, even someone who was earlier turned down by the bank. These offers usually come from foreign companies and rely on the fact that the loan will be drawn up outside of Germany in compliance with different, less rigorous laws.


Spammers often try to hide offers made without the SCHUFA certificate. For example, the email may be designed to look like a newsletter in which one piece of news describes the consequences of obtaining credits without the SCHUFA certificate. The message contains a link to a story which resembles a small analytical article. However, below it on the same page is a link leading to credit offers without SCHUFA approval.


These messages often contain short links to the pages where the recipient can fill in a credit application form. The email promises that soon after the manager will call the potential client on a number submitted via the application form, and the process will continue in person. Typically, these links vary from email to email and redirect the user to the sites specifically created for promotional purposes.


The links may also lead to popular online services visited by many users. Sites like YouTube contain huge numbers of adverts like this. When ordering spam mass mailings, companies often make commercials to promote their services and upload them onto YouTube. Then they send emails containing the link to the video to a large number of users. This example (see below) introduces a loan company and provides the details of its favorable credit terms.



To get in touch with the lenders and find out more about the services the recipient is usually invited to choose between the following options:

  • to reply to the message;
  • to reply to a different address (supposedly personal and with a free email service such as Yahoo Mail, Hotmail, Gmail, etc.);
  • to fill in an online application form with a contact phone number (and sometimes passport data);
  • to call a number (often mobile) specified in the email.

The second point on the list does not inspire great confidence in the email address, while the last suggests that the lender does not have an office which casts doubt on the quality of its services.


Credit emails often include additional attachments. This can be an Adobe PDF or Microsoft Word file containing an advert about the credit organization on behalf of which the email was sent, a detailed description of the offer and the terms of the loan as well as contact information. Sometimes these attachments just contain a credit application form where recipients are asked to enter their personal information such as their phone number, their email address and even their passport details.


Please remember that opening text documents from an unfamiliar sender is risky because they may contain a virus that is launched with the help of macros (so-called macro viruses). Therefore, we strongly recommend users perform an antivirus scan of any unknown file before opening it, even if it is a text document.

An attached ZIP archive is even less trustworthy as it often contains malicious software imitating a text or a graphic document. Especially suspicious are the emails which do not contain anything at all (not even advertising text) but an attached archive. Here the only thing that identifies the credit offer is the heading of the email. The authors of such messages just hope the recipient will open the attachment for more information.


The above example shows an email with an attached archive containing a malicious program detected by Kaspersky Lab as Trojan-PSW.Win32.Tepfer.pate. It is designed to steal confidential information, specifically the data for managing bank accounts. During startup of the computer this malicious program searches for the necessary information in the system files and the registry and, if successful, sends the harvested data to its “owner.”
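The traits described above (loan-themed subject, free-mail sender, a different reply address, impersonal greeting, ZIP or double-extension attachment, archive-only message) can be checked mechanically. The following is an added example, not code from the original article: the keyword lists, the executable-extension list, the use of the Reply-To header for the "different address" trait, and the sample message are all assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.message import EmailMessage
from email.utils import parseaddr

# Assumed lists, built from the phrases and services the article mentions.
FREE_MAIL = {"yahoo.com", "hotmail.com", "gmail.com"}
SUBJECT_RE = re.compile(r"\b(urgent loan|get a loan|loan offer|darlehen|kredit|finanzierung)\b", re.I)
GREETING_RE = re.compile(r"^\s*(good day|guten tag|hallo|dear (valued )?client|sehr geehrter kunde)", re.I)
# Document-looking name ending in an executable extension (assumed extension list).
DOUBLE_EXT_RE = re.compile(r"\.(pdf|docx?|jpe?g|txt)\.(exe|scr|com|pif|js)$", re.I)

def addr(value):
    """Bare lower-cased address from a header value, or '' if absent."""
    return parseaddr(value or "")[1].lower()

def credit_spam_indicators(raw):
    """Return the article's credit-spam traits found in a raw RFC 5322 message."""
    msg = message_from_string(raw)
    hits, body = [], ""
    if SUBJECT_RE.search(msg.get("Subject", "")):
        hits.append("loan-subject")
    sender, reply_to = addr(msg.get("From")), addr(msg.get("Reply-To"))
    if sender.rpartition("@")[2] in FREE_MAIL:
        hits.append("free-mail-sender")
    if reply_to and reply_to != sender:
        hits.append("reply-to-differs")
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(".zip"):
            hits.append("zip-attachment")
        elif name and DOUBLE_EXT_RE.search(name):
            hits.append("double-extension")
        elif not name and part.get_content_type() == "text/plain":
            body += (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
    if GREETING_RE.search(body):
        hits.append("impersonal-greeting")
    # No text at all, only an attachment: the subject line is the sole lure.
    if not body.strip() and {"zip-attachment", "double-extension"} & set(hits):
        hits.append("attachment-only")
    return hits

def constructed_sample():
    # Constructed message for the demo; not taken from a real mailing.
    m = EmailMessage()
    m["From"] = "LOAN SERVICE <constructed-sender@gmail.com>"
    m["Reply-To"] = "constructed-lender@yahoo.com"
    m["Subject"] = "Urgent loan offer at 3%"
    m.set_content("Dear Valued Client, reply to this address for your loan.")
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="octet-stream", filename="contract.pdf.exe")
    return m.as_string()
```

Each indicator alone is weak (plenty of legitimate mail comes from free services), so the returned list is best used as input to a score or a triage queue rather than as a verdict.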

Who offers the credit?

Credit spam is sent on behalf of several categories of lenders:

  1. An allegedly official credit institution

These messages contain eye-catching adverts with a company logo. The lenders provide their contact details – a registered address, phone numbers, an e-mail address (often registered on a hosting from a fly-by-night domain). The email often has an attached brochure duplicating the company’s contact information and offering more details about the services on offer. The recipient can apply for a loan by calling the indicated phone number or sending an email to the specified address (which may not be the same as the address of the sender of the initial email).


  2. Credit brokers

The senders of unsolicited emails often introduce themselves as mediators who can help the recipient secure a loan. These organizations undertake all the paperwork and usually have a working relationship with certain creditors. They are actively looking for potential clients for their partners and work for a commission which is typically included in the credit rates. In this case the client risks being lured into a disadvantageous deal and overpaying for the loan.


  3. Individuals

As a rule, a credit offer from a private person begins with the introduction of the sender and looks something like this: “I am Mr. So-and-So, a private investor. I give out loans at a low interest rate. If you are interested in my offer, contact me via email, provide your personal information and specify the sum of the loan and the interest rate”. This is one of the most common types of credit spam, but regardless of the language in which it is written, the creators of the emails adhere to the above template.


Private lenders send their offers around the world, duplicating the text of the email in different languages. The text of the email is usually translated from English using Google Translate or similar services. As a result, the words and sentences in the text do not agree grammatically and stylistically, but the meaning can be understood from phrases like “the loan to anyone who needs it”. The means of contacting the potential lender is also clear from the context: “Send your request to
