Phishing Campaign Spoofs SBA Loan Offer

A newly discovered phishing campaign is spoofing a U.S. Small Business Administration loan offer in an attempt to steal banking credentials and other personal data.

The campaign appears to have started in early August. It follows a different phishing attack in April that also used spoofed SBA messages; unlike the current scam, that one was built to distribute malware.

Fake Loan Applications
In the phishing campaign, the victims are asked to fill out an attached “disaster loan assistance” form that asks for personal and banking details. The document spoofs legitimate SBA loan applications.

Since the COVID-19 pandemic began, the SBA has been overseeing the Payroll Protection Program to help funnel loans to U.S. small businesses that have been disrupted. Fraudsters have used the agency’s images and logos as part of fraud campaigns designed to harvest victims’ credentials or steal financial information.

The spoofed messages have a legitimate SBA email address embedded in the body of the email. But if the victim hits the reply button, they see a slightly different, malicious address. The domain associated with this fraudulent email address, gov-sba[.]us, was registered on July 31 and is not associated with the SBA.

To create the attached fake PDF loan application, the criminals appear to have downloaded the legitimate loan documents from the official SBA government site and then created their own version. The original form was created with Adobe Acrobat, while the spoofed version was designed with an application called Skia – a graphics library for Chrome.
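Both artefacts noted above, a Reply-To domain that differs from the displayed sender and a PDF producer string that does not match the real form, can be checked mechanically at a mail gateway or during triage. The following is an added example, not code from the original article; the message and PDF bytes are constructed stand-ins modelled on the description above (the producer version strings are made up):

```python
import re
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed stand-ins, not captured samples: a minimal PDF body carrying the
# /Producer string of whichever tool wrote it (version numbers are made up).
SKIA_PDF = b"%PDF-1.4\n1 0 obj\n<< /Producer (Skia/PDF m85) >>\nendobj\n%%EOF\n"
ACROBAT_PDF = b"%PDF-1.6\n1 0 obj\n<< /Producer (Adobe Acrobat Pro DC) >>\nendobj\n%%EOF\n"
PRODUCER_RE = re.compile(rb"/Producer\s*\((.*?)\)", re.S)  # literal-string form only

def build_sample(spoofed=True):
    """Constructed message modelled on the campaign: sba.gov in From, but
    Reply-To on the look-alike gov-sba.us domain and a Skia-built PDF."""
    msg = EmailMessage()
    msg["From"] = "Disaster Loan Assistance <disastercustomerservice@sba.gov>"
    if spoofed:
        msg["Reply-To"] = "disastercustomerservice@gov-sba.us"
    msg["Subject"] = "SBA Application - Review and Proceed"
    msg.set_content("Please complete the attached disaster loan assistance form.")
    msg.add_attachment(SKIA_PDF if spoofed else ACROBAT_PDF, maintype="application",
                       subtype="pdf", filename="SBA_Disaster_Loan_Application.pdf")
    return msg

def header_domain(msg, header):
    """Lower-cased domain from an address header, or None when absent."""
    _, addr = parseaddr(msg.get(header, ""))
    return addr.rpartition("@")[2].lower() or None

def reply_to_mismatch(msg):
    """True when replies would go to a different domain than the visible sender."""
    reply = header_domain(msg, "Reply-To")
    return reply is not None and reply != header_domain(msg, "From")

def pdf_producers(msg):
    """(filename, /Producer) for each PDF attachment; None if no literal string."""
    found = []
    for part in msg.iter_attachments():
        if part.get_content_type() != "application/pdf":
            continue
        m = PRODUCER_RE.search(part.get_content())  # decoded attachment bytes
        found.append((part.get_filename(), m.group(1).decode("latin-1") if m else None))
    return found

def triage(msg):
    """Indicators an analyst or mail gateway would flag for this message."""
    findings = []
    if reply_to_mismatch(msg):
        findings.append("reply-to domain %s differs from sender domain %s"
                        % (header_domain(msg, "Reply-To"), header_domain(msg, "From")))
    for name, producer in pdf_producers(msg):
        if producer and not producer.startswith("Adobe"):
            findings.append("%s: producer '%s' is not an Adobe product" % (name, producer))
    return findings

if __name__ == "__main__":
    for finding in triage(build_sample()):
        print(finding)
```

The producer check only reads the literal-string form of /Producer; real PDFs may store it as a hex string or only in XMP metadata, so treat a missing value as "unknown" rather than "clean".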

The goal of the scam is simply to gather information via the loan form that the criminals can then use to commit fraud.

Because this phishing scam closely spoofs the SBA email address and loan application, it could prove difficult to detect that it’s fraudulent. Anyone who receives an email about a loan application should call the SBA to check its legitimacy. The U.S. Department of Justice and the SBA have published notices warning about such schemes.

If you have questions about phishing scams or other threats to your IT security, call ITPAC today.