Watch Out For Phishing Scams from the “SBA”

If you run a small business that’s been in contact with the U.S. Small Business Administration, you should be aware of a phishing scam making the rounds.

In the wake of the COVID-19 pandemic, the SBA has been using the Economic Injury Disaster Loan Program to provide relief to struggling businesses. Some individuals have sought to take advantage of people’s confusion with the process by sending phishing emails that appear to be from the SBA but are actually intended to harvest personal or financial information for criminal use.

The SBA sent a warning to loan applicants last week, noting that criminals have tended to impersonate their Office of Disaster Assistance.

This wave of phishing attempts comes on the heels of a similar string of incidents from July, in which emails went out to loan and grant recipients, along with proactive “offers” to businesses that had not previously corresponded with the SBA.

Small business owners have enough on their plates as is, so it’s best to avoid entanglements with scammers that, on average, cost victims millions of dollars.

How can you tell if an email is legitimate?

Don’t be fooled by a logo. The SBA warns that these recent attacks have been using their official logo.

And don’t give personal or financial information on third-party platforms or to third-party email addresses (like Gmail or Yahoo). All communication from the SBA will come from email addresses ending in sba.gov.
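The sba.gov rule above as a mail-header check, written as an added example that is not part of the original article: it compares the domain on a label boundary, so lookalikes such as `notsba.gov` or `sba.gov.example.com` fail. The sample messages and addresses are constructed, and accepting subdomains of sba.gov is an assumption.

```python
from email import message_from_string
from email.utils import parseaddr

TRUSTED = "sba.gov"

def domain_of(header_value):
    """Return the lower-cased domain of the address in a header, or ''."""
    _, addr = parseaddr(header_value or "")
    if "@" not in addr:
        return ""
    return addr.rpartition("@")[2].lower().rstrip(".")

def is_sba_domain(domain):
    # Exact match or a subdomain (assumption); a plain endswith("sba.gov")
    # would also accept "notsba.gov".
    return domain == TRUSTED or domain.endswith("." + TRUSTED)

def check_message(raw):
    """Return the reasons a raw message fails the sba.gov sender rule."""
    msg = message_from_string(raw)
    findings = []
    from_dom = domain_of(msg.get("From"))
    if not is_sba_domain(from_dom):
        findings.append(f"From domain {from_dom!r} is not sba.gov")
    reply_to = msg.get("Reply-To")
    if reply_to and not is_sba_domain(domain_of(reply_to)):
        # Replies would leave sba.gov even though From looks right.
        findings.append(f"Reply-To domain {domain_of(reply_to)!r} is not sba.gov")
    return findings

# Constructed sample messages (not real SBA mail or real addresses).
SAMPLES = {
    "lookalike": 'From: "SBA Office of Disaster Assistance" <loans@sba.gov.example.com>\n'
                 "Subject: Loan update\n\nbody\n",
    "suffix": "From: SBA <help@notsba.gov>\nSubject: Grant offer\n\nbody\n",
    "reply_to": "From: SBA <example@sba.gov>\n"
                "Reply-To: sba.loans@gmail.com\nSubject: Documents needed\n\nbody\n",
    "passes": "From: SBA <example@sba.gov>\nSubject: Application status\n\nbody\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, check_message(raw) or "passes the sba.gov rule")
```

A message that passes only shows that the visible addresses match sba.gov; the From header can be forged, so treat this as a first filter alongside the other checks in this article.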

Also, keep in mind that the SBA does not reach out to businesses proactively about grants or loans. If someone contacts you claiming to be from the SBA, treat it as a phishing attempt, particularly if they ask for any upfront payment.

If you’re already in the process of applying for a loan, verify that the application number matches in each correspondence.

What are phishers after?

A few different things. PII — personally identifiable information, like birthdates and social security numbers — can be used for identity theft or to access bank accounts. Phishers may also seek to get your banking information from you directly.

Obviously, you should never divulge this information unless you’re sure the request is from the SBA or another governmental department. Cyber criminals may also seek to install ransomware or malware on your computer.

What to do if you’ve received a phishing attempt

It might be fun to consider ways to exact revenge on these criminals for your lost time or confusion, but it’s best to avoid contacting phishers under any circumstances. SBA guidelines suggest that “If you suspect an email is associated with a fraud scam targeting the SBA, report it to the Office of Inspector General’s Hotline at 800-767-0385 or online at https://www.sba.gov/COVIDfraudalert.”