The coronavirus recession has made life tough on small businesses. But a new high-level cyber scam has hackers hoping to make things even worse by stealing your passwords, gaining access to your computers, or tricking you into disclosing your bank account login credentials.
Anyone who’s applied for a Small Business Association COVID-19 Disaster Loan could be susceptible to this suddenly prevalent scam. A respected security blog called Malwarebytes recently uncovered a highly sophisticated security scam designed to steal your passwords or place malware on your computer if you’ve applied for a disaster loan from the Small Business Association (SBA).
The SBA acknowledged the scheme is a legitimate cyber threat. Three days after Malwarebytes published its findings, the SBA released an official alert declaring “malicious actors are impersonating the SBA and its Office of Disaster Assistance to collect personally identifiable information (PII) for fraudulent purposes.”
The Department of Homeland Security also said this was a major threat. The department’s Cybersecurity and Infrastructure Security Agency made an emergency announcement that it was “tracking an unknown malicious cyber actor who is spoofing the Small Business Administration (SBA) COVID-19 loan relief webpage via phishing emails.”
Hackers Targeting COVID-19 Disaster Loan Applicants
These particular cybercriminals are not going after people who’ve applied for PPP loans, as that program ended on August 8, 2020. (Though Congress may pass another relief package with more PPP loans in the future.) They’re going after business owners who’ve applied for the broader SBA Disaster Loans to access people’s computers and bank account credentials.
The SBA did not “get hacked”—they are being cleverly impersonated by criminals. The scammers’ emails use the official SBA Logo, but the email text sometimes has spelling inconsistencies and grammatical errors. There are 2 different online scams targeting small businesses that security experts have encountered at different times during the pandemic. But here’s how you can spot both of them.
The Fraudulent SBA Malware Attachment
This one goes way back to April. Emails that appeared to be from the SBA, mimicking their appearance very well, were sent to loan applicants with the title “SBA Grant/Testing Centre Vouchers.” (Notice the “Centre” spelling, a giveaway that these may come from a sender outside the United States.) The emails said, “Please sign attached completed Request for Transcript of Tax Returns.”
The attachment looked like an image but was actually a “.exe” executable file, a malicious program designed to record and steal passwords. Researchers found there was no application form but instead a popular password download called GuLoader.
PCRisk has an excellent explanation of what GuLoader does and how to get rid of it.
Phishing Scam From a Fake SBA Email
By late July, the hackers had developed a new strategy. They figured out how to “spoof” the SBA’s email—that is, they made their email appear to be from the official email address [email protected], but a closer look at the email settings showed it was from a much shadier source.
But the real swindle came when the recipient clicked on a “Review and Proceed” button within the email. That button went to a scam website that asked for bank account numbers and other sensitive information. Anyone who gave up that information might easily find their funds cleaned out at the worst possible time.
The Department of Homeland Security found another version where the attachment leads to a “malicious hyperlink” for a site calling itself LeanPro Consulting, with the URL “leanproconsulting.com.br.” Notice how it does not end in “.com”—it really ends in “.br,” a Brazilian domain. The “.com” in the middle is there to fool you.
How to Protect Yourself From SBA Phishing Scams
The most important thing we can stress is to never give your bank account login credentials to anyone other than your bank.
There are also some simple ways to test whether an email is legitimate. You can tell if it’s a fake email if you hit Reply but the reply email address is different from the original address. In terms of suspicious attachments, you can hover your cursor over the attachment. If the URL that appears is not the same as the website sending the email, that’s a sign of a likely scam.
Some security pros advise being even more cautious.“If you get an email saying, ‘Hey, about your SBA loan …’ or something like that, and even if it looks like it came from SBA, don’t open it up,” trucking industry security director Doug Morris told the trade publication Land Line. “Don’t open up any attachments. Call the SBA themselves and go that route. Do not open up anything right now because this looks like a pretty sophisticated attack here.”
These attacks are mostly impersonating the SBA right now (as far as we know), but if the tactics prove successful, the hackers will try it again in different ways. Hackers are changing how they attack small businesses during COVID-19, so smart businesses need to be careful of viruses other than just the coronavirus.