A phishing campaign has been detected that targets U.S. businesses struggling to stay in operation during the pandemic. The emails attempt to get business owners to apply for a fake PPP loan and disclose sensitive data.
The Paycheck Protection Program (PPP) is part of the U.S. CARES Act, which was launched by the Trump Administration on April 3, 2020 to provide financial assistance to businesses that have been adversely affected by the COVID-19 pandemic.
Under the PPP program, small business owners can apply for low-interest loans to help them through the pandemic and keep their workforce employed. If the loans are used for payroll, recipients of the loans may qualify for full loan forgiveness.
The phishing emails, detected by researchers at Abnormal Security, appear to have been sent by World Trade Finance, which the emails claim is a delegated SBA lender that helps businesses by providing loans ranging from $500,000 to $5,000,000. The emails explain that Congress has extended the PPP under the CARES Act and is allowing businesses impacted by the pandemic to apply for a second forgivable loan. To make the scam believable, the email address used for the scam spoofs the Small Business Administration: payments[@]sba.pppgov.com.
The emails include a hyperlink to a Microsoft Forms survey which appears to be a registration form to apply for a PPP loan. If the recipient clicks the link, the form asks for a range of sensitive business information to be entered for the application process, such as the business trading name, details of operational costs, cost of goods, and gross revenue for the 12 months prior to the start of the pandemic. The forms also ask for the business owner’s name, address, date of birth, and Social Security number.
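A mail-triage check for the two traits described above, the SBA-lookalike sender domain and the Microsoft Forms link, as an added example that is not from Abnormal Security or the original report. It assumes sba.gov is the legitimate SBA domain and forms.office.com is the Microsoft Forms host; the function names, the sample message and its placeholder form path are constructed for illustration.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

OFFICIAL_DOMAIN = "sba.gov"          # assumption: the genuine SBA mail domain
FORM_HOSTS = {"forms.office.com"}    # assumption: host used by Microsoft Forms
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def sender_domain(from_header):
    """Return the lower-cased domain of a From header; accepts defanged '[@]'."""
    _, addr = parseaddr(from_header.replace("[@]", "@"))
    return addr.rpartition("@")[2].lower().rstrip(".")

def classify_sender(from_header):
    """'official' for sba.gov and its subdomains, 'lookalike' for imitations."""
    domain = sender_domain(from_header)
    if domain == OFFICIAL_DOMAIN or domain.endswith("." + OFFICIAL_DOMAIN):
        return "official"
    labels = domain.split(".")
    # 'sba' used as a label, or 'gov' embedded in a name outside the .gov TLD
    gov_outside_tld = labels[-1] != "gov" and any("gov" in l for l in labels)
    if "sba" in labels or gov_outside_tld:
        return "lookalike"
    return "unrelated"

def form_links(body):
    """Return URLs in the body that point at a hosted form service."""
    return [u for u in URL_RE.findall(body)
            if (urlparse(u).hostname or "").lower() in FORM_HOSTS]

def triage(from_header, body):
    """Quarantine when a lookalike sender also asks for data through a form."""
    verdict = classify_sender(from_header)
    links = form_links(body)
    return {"sender": verdict, "form_links": links,
            "quarantine": verdict == "lookalike" and bool(links)}

if __name__ == "__main__":
    # Constructed sample: sender as reported, body and form path are placeholders
    sample_from = "World Trade Finance <payments[@]sba.pppgov.com>"
    sample_body = "Register for your second PPP loan: https://forms.office.com/r/EXAMPLE"
    print(triage(sample_from, sample_body))
```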
The data collected by the scammers could be used for identity theft and to defraud the business. Abnormal Security said large numbers of emails have been sent by the scammers and the believability of the lure could see many businesses fall for the scam.
Previous phishing campaigns have been conducted using offers of SBA PPP loans as a lure to get businesses to disclose sensitive information, with one campaign conducted in April aimed at obtaining Microsoft 365 credentials for use in Business Email Compromise (BEC) attacks. Other campaigns have been identified that attempt to obtain login credentials for Small Business Administration COVID-19 loan relief accounts.