How phishing attacks have exploited the US Small Business Administration


Such attacks have tried to capitalize on the loans provided by the SBA in the wake of the coronavirus pandemic.


COVID-19 has proved to be a field day for cybercriminals who have used the outbreak to create malware associated with the virus and its various repercussions. One popular tactic is to spoof organizations involved in relief efforts, whether medical or financial.

The US Small Business Administration has been offering loans to businesses and other groups affected by the pandemic and lockdown, turning it into a target ripe for impersonation in phishing attacks. A report published Monday by security firm Malwarebytes tracks some of the different phishing campaigns that have sought to exploit the SBA.


First wave

April saw the first round of coronavirus-related attacks designed to deploy malware. Phishing emails were found containing malicious attachments with names such as “SBA_Disaster_Application_Confirmation_Documents_COVID_Relief.img”. The emails used the SBA logo and branding and prompted recipients to complete a grant for small business disaster assistance. One piece of malware hidden in the attached files was GuLoader, a downloader that fetches a payload of the attacker's choice while attempting to evade antivirus detection.



Second wave

Following the April campaign, a second wave of phishing emails appeared, complete with SBA logos and branding and claiming to be from the SBA’s Office of Disaster Assistance. Promising that the recipient’s SBA application had been approved, the message invited them to click a button to review the funding process. The link in that button took users to the phishing page, which attempted to obtain certain account credentials as a way to scam them in the future. The main tipoff is the URL that pops up when you hover over the button: the address has no connection with the SBA.



Third wave

Spotted by Malwarebytes in early August, a third wave of phishing emails asks the recipient to fill out an attached form for disaster loan assistance. The user is prompted to provide both personal and financial information, specifically bank account details. As with the other campaigns, this one uses SBA branding and sender addresses that seem to come from the agency. However, the domain for the phishing page was registered just a few days prior to the campaign and clearly doesn’t belong to the government, according to Malwarebytes.

Digging into these emails can also reveal clues as to their legitimacy, or lack thereof. Depending on your email client, you can often view the header information for each specific message. For example, in Microsoft Outlook, you’d click the File menu and then select Properties. In the Internet headers section, the Received address displays a host name. With these latest phishing emails, the host name showed a URL that looked suspicious to Malwarebytes and was actually described in another scam campaign.
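The two manual checks described above (hovering over the button to see the real URL, and reading the host name in the Received header) can be automated for triage. The following Python sketch is an added example, not code from Malwarebytes or the original article; the sample message, its hosts and the `triage` helper are constructed for illustration, and treating `sba.gov` as the only trusted domain is an assumption.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED = "sba.gov"  # assumption: the only domain treated as the agency's own
# Constructed sample message: every host, address and URL below is made up.
RAW = """\
Received: from mail.relay-host.example (mail.relay-host.example [203.0.113.7])
\tby mx.recipient.example with ESMTP; Mon, 3 Aug 2020 10:00:00 -0400
From: "SBA Office of Disaster Assistance" <noreply@sba.gov>
Subject: Your application has been approved
Content-Type: text/html; charset="utf-8"

<a href="https://sba-review.example/login">Review and Proceed</a>
<a href="https://www.sba.gov/">About SBA loans</a>
"""

def under(host, domain):
    """True only if host is the domain itself or one of its subdomains."""
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hosts = []
    def handle_starttag(self, tag, attrs):
        host = urlparse(dict(attrs).get("href") or "").hostname
        if tag == "a" and host:
            self.hosts.append(host)

def triage(raw):
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    # Host named in the "from" clause of each Received header
    relays = [m.group(1).lower() for h in msg.get_all("Received", [])
              if (m := re.search(r"\bfrom\s+([\w.-]+)", h))]
    links = LinkCollector()
    links.feed(msg.get_payload())
    return {
        "from_looks_official": under(sender, TRUSTED),  # spoofable, proves nothing
        "foreign_relays": [r for r in relays if not under(r, TRUSTED)],
        "foreign_links": [l for l in links.hosts if not under(l, TRUSTED)],
    }

if __name__ == "__main__":
    print(triage(RAW))
```

A message whose From domain looks official while its relay and link hosts do not is the pattern the three waves share. A foreign relay or link is a reason to review the message, not proof of fraud, since legitimate senders also use third-party mail services.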



Beyond digging deeper into the emails, Malwarebytes offers other advice on how to protect yourself against these phishing attacks.

Check the DOJ and SBA websites. Both the Department of Justice and the Small Business Administration have warned of scams pertaining to loans. Their respective sites provide tips on how to steer clear of malicious schemes.

Beware the sender’s address. Perhaps the biggest takeaway, especially when it comes to phishing emails, is that the sender’s address can easily be spoofed and is in no way a solid guarantee, even if it looks exactly the same.

Double-check the information. Double-check the legitimacy of any suspicious email by phoning the organization. Never dial the number found in an email or left on a voice mail as it could be fake.
