Phishing attacks target US Payroll Protection Program Loans

With hundreds of thousands of small businesses in the USA anxiously awaiting news about their submitted Payroll Protection Program SBA loans, threat actors are sending phishing emails that prey on their anxiety to steal email accounts.

On April 3rd, as part of the CARES act, the U.S. government launched the Payroll Protection Program (PPP) SBA loan program that allows small business owners to apply for a low-interest loan. For companies that utilize this loan for payroll, it will be forgiven by the US government.

With its launch, though, many banks were not able to get running quickly enough, and it left many small business owners unable to submit applications or receive loans before the initial $350 billion ran out.

On Thursday, the government approved another $310 billion to be allocated towards PPP loans. On that same day, a new phishing campaign was conducted that targets business owners who are anxiously awaiting word from their banks.

Using fear and anxiety to harvest email credentials

In a new phishing campaign discovered by Abnormal Security, attackers are sending out emails that pretend to be from a CARES act representative who needs a signature on a "PPP_CARES_SignaturePG1-2" document for the Payroll Protection Program.

Included in the email is a link titled 'Review File & Sign' that, when clicked on, will bring the recipient to a landing page that asks them to sign in to their Microsoft account.  Any entered credentials will be stolen by the attackers to use in BEC scams, potential network compromise, or further phishing scams.

While it's easy to say that no one would fall for a scam like this and enter their credentials in an unrelated web site, it is important to remember that this is a highly unusual time.

Small business owners are worried about losing their companies and having to lay off employees, employees are worried about losing their job, and those who are laid off want their job back.

Due to this increased anxiety and tension, it is possible for a small business owner to rush to learn about their loan application without paying close attention to what web site they are submitting their user name and password.

With that said, though it is a scary period we are going through, it is still important to remember that threat actors prey on times like this.

Therefore, everyone needs to be even more diligent on what links they click, what files they download, what pages they enter their credentials, and what programs they execute.

That extra second or two to look things over before acting can be all the difference you need to protect yourself, your business, and your network from malicious actors.