Many SBA loan phishing scams discovered in recent weeks that pretend to be the U.S. Small Business Administration in order to obtain personally identifiable information and login details for fraudulent aims.

As a result of the hardships suffered by companies due to the COVID-19 pandemic, the SBA’s Office of Disaster Assistance is making loans and grants available to small companies to help them weather the storm.

Hundreds of millions of dollars has been made available by the U.S government under the Coronavirus Aid, Relief, and Economic Security Act (CARES Act) to help struggling individuals and firms during the pandemic. Hackers have been quick to develop campaigns to fraudulently obtain those funds, raid bank accounts, steal sensitive information, and spread malware and ransomware.

Many phishing campaigns have been initiated since April 2020 targeting businesses that are considering or have already applied for loans under the SBA’s Economic Injury Disaster Loan Program.

Phishing emails have been shared encouraging small businesses to apply for a loan. One such campaign confirms that the company is eligible for a loan and the loan has been pre-approved. The purpose of the scam is to obtain business information that allows the hackers to apply for a loan on behalf of the business and pocket the funds.

Another scam pretends the SBA and claims an application for a loan is complete and payment will be made once supporting documents have been submitted. The emails include an attached form that must be completed and submitted to the SBA website. The email attachment seems to be a .img file but has a hidden double extension and is actually a .exe executable. Double clicking and running the file will see GuLoader malware installed, which is a downloader that can deliver a variety of different malicious payloads.

The same email address used for that campaign was used in a different attack that featured a PDF form that requested bank account information and other sensitive data, which needed to be completed and installed to a spoofed SBA website.

In recent days, yet another SBA loan phishing scam has come to light. Phishing emails were sent to Federal Executive Branch, and state, local, tribal, and territorial government bodies. The phishing scam relates to an SBA application for a loan with the subject line “SBA Application – Review and Proceed.” The emails links to a cleverly spoofed SBA web page that indistinguishable from the authentic login page apart from the URL that attempts to steal details. The scam lead to the DHS’ Cybersecurity and Infrastructure Security Agency (CISA) to releasing an emergency alert warning of the scam.

These SBA loan phishing scams use a range of lures and have multiple aims, but they can be avoided by following good cybersecurity best practices.

First and chiefly, you should have an advanced spam filtering solution configured such as SpamTitan. SpamTitan checks email headers and message content for the signs of spam, phishing and scams and uses DMARC and sender policy framework (SPF) to identify and prevent email impersonation attacks.

Dual antivirus engines spotted 100% of known malware and sandboxing is used to subject attachments to deep analysis to spot malicious code and malware that has not been seen before. Machine learning technology is also used to discover new phishing scams, along with multiple threat intelligence feeds to identify known phishing scams.

Before opening any downloaded document or file it should be reviewed using antivirus software that has up to date virus definitions. Check the properties of files to make sure they are what they claim to be and do not have a double extension.

Care should be applied opening any email or email attachment, even emails that are expected. Steps should be taken to prove the legitimacy of any request received via email, especially one that requires the provision of personally identifiable information or requests bank account and other highly sensitive data.

Emails and websites may look legitimate and have SBA logos, but that does not guarantee they are real. Always carefully review the sender of the email – Genuine SBA accounts end with The display name can simply be spoofed so click reply and carefully check the email address is the proper one. Care should be taken when visiting any website included in an email. Review the full URL of any website to make sure it is the proper domain.

CISA also recommends tracking users’ web browsing habits and restricting access to potentially malicious websites. The easiest way to do this is by using a web filtering solution such like WebTitan. WebTitan allows businesses to monitor Internet activity in real-time, send automatic alerts, block downloads of certain file types, and carefully control the types of website that can be accessed by staff members.

For additional details on spam filtering and web filtering solutions to protect your business from phishing and other cyberattacks, give the SpamTitan team a call now.