Phishing Scams Target SMBs Seeking COVID Aid

The COVID-19 pandemic, like other disasters, has created a playground for cybercriminals.

BleepingComputer.com reports that the Coronavirus Aid, Relief and Economic Security (CARES) Act has triggered the latest round of scams. 

The information security and technology news publication said tricksters, trying to take advantage of vulnerable Americans, have been sending out emails impersonating the Small Business Association’s (SBA) Payment Protection Program (PPP).

The fraudsters’ mission is to lure recipients with financial relief options. The phishing expedition, as explained by AbnormalSecurity.com, requests the recipient’s signature for PPP documents. Clicking on the link directs users to a page that looks like the authentic Microsoft Office 365 login web page and tries to pilfer the recipient’s corporate credentials. Victims who provide their email login information would put their sensitive information at risk, the report said.

IBM X-Force has released a study showing that since the World Health Organization (WHO) declared the COVID-19 pandemic last month, there has been a more than 6,000 percent increase in coronavirus-related spam, according to SecurityIntelligence.com. The survey said that 35 percent of respondents expect to hear communication from the IRS by email, despite years of warnings from the IRS and law enforcement agencies that the tax agency will never email an individual about their tax filing.

Only 14 percent of small business owners say they are very knowledgeable about how to access the SBA’s loan relief program, despite continuous guidance offered by government officials.

More than half of respondents said they would click on links or open attachments in emails about their stimulus check eligibility or COVID-19 testing. 

Another scam attempts to collect online banking account information. Recipients are asked to click a link displaying the Federal Emergency Management Agency (FEMA) and Centers for Disease Control and Prevention (CDC) logos. These convincing sites promise stimulus payments of up to $1,200 or $2,400 for couples, plus $500 per child for parents, just like the real government program provides, the report said.

If recipients choose to get the “economic impact payment,” they see a drop-down menu with a list of two dozen banks, and then enter their banking info, which is sent to the attacker.

Anti-phishing company INKY said these schemes are among the most sophisticated-looking they’ve seen. BleepingComputer.com said that given the pandemic, these threats will not soon disappear, and that users should exercise caution when receiving messages that promise economic relief.