August 2020 Foodman website and JD Supra

Government officials are warning the public about fraud schemes related to the economic impact disaster programs offered by the U.S. Small Business Administration (SBA) during the COVID-19 pandemic. At the same time, scammers and fraudsters continue to “up their game” with respect to the SBA PPP (Payroll Protection Program) and EIDL (Economic Impact Disaster Loan) loan programs through phishing scams and other campaigns that distribute malware.

Malwarebytes publishes a report highlighting three phishing email waves targeting the SBA

The three phishing waves targeting applicants for COVID-19 relief loans described in the report are:

  • First wave: “phishing emails were found containing malicious attachments with names such as ‘SBA_Disaster_Application_Confirmation_Documents_COVID_Relief.img.’ The emails used the SBA logo and branding and prompted recipients to complete a grant for small business disaster assistance.”
  • Second wave: “phishing emails appeared, complete with SBA logos and branding and claiming to be from the SBA’s Office of Disaster Assistance. Promising that the recipient’s SBA application has been approved, the message invited them to click a button to review the funding process. The link in that button took users to the phishing page, which attempted to obtain certain account credentials as a way to scam them in the future.”
  • Third wave: “phishing emails ask the recipient to fill out an attached form for disaster loan assistance. The user is prompted to provide both personal and financial information, specifically bank account details. As with the other campaigns, this one uses SBA branding and sender addresses that seem to come from the agency.”

Scammers and fraudsters use email or text messages to trick individuals into giving them personal information

The Federal Trade Commission (FTC) published “How to Recognize and Avoid Phishing Scams,” which explains how scammers try to steal passwords, account numbers, or Social Security numbers. Obtaining this information allows scammers to gain access to an individual’s email, bank account information, or other account information. Phishing emails and text messages usually look like they are from a company that the individual knows or trusts. They could look like they are from a bank, a credit card company, a social networking site, an online payment website, an app, or an online store. The purpose of phishing emails and text messages is to dupe a victim into clicking on a link or opening an attachment. Common phishing messages state that the “sender” has noticed some suspicious activity or log-in attempts, or claim that there is a problem with the individual’s account or payment information, and then ask the individual to confirm personal information.

SBA is well aware of phishing emails

The SBA states that:

  • If you are in the process of applying for an SBA loan and receive email correspondence asking for personally identifiable information (PII), ensure that the referenced application number is consistent with the actual application number.
  • Look out for phishing attacks/scams utilizing the SBA logo. These may be attempts to obtain your personally identifiable information (PII), to obtain personal banking access, or to install ransomware/malware on your computer.
  • Any email communication from the SBA will come from accounts ending with sba.gov.
  • The presence of an SBA logo on a webpage does not guarantee the information is accurate or endorsed by SBA.
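
The sba.gov rule above, as an added Python example (not from the article, the SBA, or Malwarebytes): it parses a From header, matches the domain exactly rather than by substring, and flags SBA-branded senders on other domains. The sample headers are constructed, the function names are illustrative, and accepting subdomains of sba.gov is an assumption.

```python
import re
from email.utils import parseaddr

TRUSTED = "sba.gov"  # the domain named in the SBA guidance above


def sender_domain(from_header):
    """Domain of the actual address in a From header, or None if unparseable."""
    _name, addr = parseaddr(from_header)
    if addr.count("@") != 1:
        return None
    domain = addr.split("@")[1].rstrip(".").lower()
    return domain or None


def is_trusted(domain):
    # Exact match or a true subdomain (assumption: subdomains are acceptable).
    # A bare endswith("sba.gov") would also accept "notsba.gov", and a
    # substring test would accept "sba.gov.example.com".
    return domain == TRUSTED or domain.endswith("." + TRUSTED)


def claims_sba(from_header, domain):
    """True if the display name or a domain label invokes the SBA brand."""
    name = parseaddr(from_header)[0].lower()
    in_name = re.search(r"\bsba\b|small business administration", name)
    return bool(in_name) or "sba" in re.split(r"[.\-]", domain)


def classify(from_header):
    domain = sender_domain(from_header)
    if domain is None:
        return "unparseable"
    if is_trusted(domain):
        return "sba.gov address"  # necessary, not sufficient (see note below)
    if claims_sba(from_header, domain):
        return "impersonation"    # SBA branding on a non-SBA domain
    return "unrelated"


# Constructed sample headers, not taken from any real campaign.
SAMPLES = [
    "Office of Disaster Assistance <notice@sba.gov>",
    "SBA Office of Disaster Assistance <notice@sba.gov.example.com>",
    "Loan Desk <grants@sba-gov.example.net>",
    "newsletter@example.org",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(f"{classify(header):16} {header}")
```

A matching domain is necessary but not sufficient: the From header can be forged, and the third wave described above used sender addresses that seemed to come from the agency.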

Beware of the sender’s address

Because scammers are targeting small business owners during these economically difficult times, the US Department of Justice has warned the public to be extra vigilant when it comes to protecting their information and to keep an eye out for grant fraud, loan fraud, and phishing. The suggestion is to “double check” the legitimacy of any email communication with another individual or by calling the government organization directly. It is recommended that an individual never dial the number found in an email or left on a voicemail, as it could be fake.