An email security firm found 645 potentially fraudulent PPP-related domains registered since the CARES Act was signed into law. Here's how you can protect your business from the theft of critical data.

  • Data provided to Business Insider by email security firm Tessian showed that 645 domain names related to the Paycheck Protection Program were registered since March 20.
  • Some of these fake accounts could launch phishing and other attacks on entrepreneurs applying for aid for their small businesses.
  • Hackers might ask for updates to your information for an unidentified problem, offer to expedite the process, or suggest a similar program to replace your PPP application.
  • To secure your business from being attacked, stay alert: Never share account information directly in an email, read what exactly the email is asking for, and always switch up passwords across your accounts.

While the pent-up demand of applicants for the second round of Paycheck Protection Program (PPP) funding crashed the Small Business Administration's application portal earlier this week, another group is already camped in cyberspace waiting to capitalize on funds from this program: fraudsters. 

Exclusive data provided to Business Insider by email security firm Tessian showed that at least 645 potentially misleading domain names related to the PPP were registered between March 30 and April 20, 2020 — URLs that could be used for phishing and other attacks on small businesses and entrepreneurs applying for assistance from the PPP.

"This is a time globally where people are more stressed than ever and are particularly vulnerable to falling for these scams. Attackers are simply taking advantage of that," London-based Tessian CEO Tim Sadler told Business Insider. 

According to Sadler, the scheme works like this: Cybercriminals use common search questions or keywords to lure people to websites and then extract information from them that could be used to compromise that individual or business. 

"They're really preying on that need for convenience that people have, and it means that attackers will see a high rate of success around these programs," Sadler said.

Tessian's analysis showed that more than a third of the domains are grouped together, meaning they redirect users to the same set of websites, and 28% were from different loan providers that have a separate PPP presence through an online form. The report advised that although these domains may not all be spammy, it's important for people to be wary of what they're signing up for, what information they're sharing, and any associated costs.

"These results show us how attackers are thinking cleverly about how people are expecting to interact with this government program," Sadler said.

According to Sadler, these domain names magnify the benefit of the doubt most business users give their email. 

"Attackers prey on trying to establish that initial point of reference and then use the technique of impersonation to trick people into trusting either a website or an email when it can't be trusted," Sadler told Business Insider. "If you send them a fake email around the Paycheck Protection Program, there's already that sense of relevance to them, so they let their guard down a little bit."

The most common PPP email scams are just like those you get every day

As a whole, these scams are very similar to those commonly found in consumers' personal inboxes and SMS streams that attempt to solicit credit card or other information via a query from a trusted merchant. 

Wilfrid Baptiste, principal of Financial Blind Spot, a business and insurance advisory based in Yonkers, New York, said the scam might look similar to previously seen fraud on Amazon in which the user receives a message asking them to log in and update payment information. 

"These scams might tell you that there's an issue with your application or they need one more thing from you, but then you have to go in and enter a whole bunch of other things and of course you're not on the SBA's website," Baptiste told Business Insider. 

Baptiste and his clients have seen email and text scams that fall into four basic categories.

1. Asking for updates to the recipient's application 'because there's a problem'

While these emails may contain the SBA logo and may look and sound official, they're phishing. First and foremost, the SBA categorically states on its website that it does not reach out to contact PPP — or EIDL — loan applicants. Regardless, if an email were to come from the SBA, it would come from the agency's official domain, sba.gov. 

The agency also acknowledged the existence of scams using its logo, stating on its website, "Look out for phishing attacks/scams utilizing the SBA logo. These may be attempts to obtain your personally identifiable information (PII), to obtain personal banking access, or to install ransomware/malware on your computer."

2. Offering to speed up the recipient's application for a fee

The SBA website categorically warns recipients to suspect fraud in this instance. Baptiste advised, however, that some of the addresses he's seen on these emails look very realistic. For example, they could use SBA in the email or web address, such as sba.pppapplication.com, he told Business Insider.

Domain prefixes — that's the first part of a domain, where the "www" generally is — are totally unregulated, Tessian's Sadler pointed out, and bad actors can use them to attempt to further confuse unwitting recipients, for example, by putting "sba" there instead. 

"Although the Small Business Administration owns the sba.gov domain, it does not mean that they own all possible variations of the root (sba) or top-level domain (.gov in this instance)," Sadler told Business Insider. "Anyone can register a domain that isn't already in use, giving attackers the opportunity to impersonate legitimate root domains, such as SBA, with new top-level domains like .com or .biz or .org, if available." 

What this means, said Sadler, is that a scammer could register a domain using "sba" followed by a relevant phrase like "ppp" or "application" in hopes of intercepting people searching for information about the program.

Sadler also warned that close misspellings are another way that scammers try to take advantage of unwitting targets. One of the domain names on Tessian's list, for example, was paycheckprotecionprogram.com.
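The three tricks described above (an "sba" prefix on an unrelated domain, "sba" registered under a different top-level domain, and a close misspelling of a program phrase) can be checked mechanically before a link is trusted. The sketch below is an added example, not code from Tessian or Business Insider; the keyword watch-list, the edit-distance threshold of 2 and the naive two-label domain split are assumptions.

```python
from urllib.parse import urlsplit

OFFICIAL = "sba.gov"  # the agency's domain, as stated in the article
# Assumed watch-list of program phrases; extend it for your own mail flow.
KEYWORDS = ("paycheckprotectionprogram", "pppapplication", "ppploan")


def edit_distance(a, b):
    """Levenshtein distance using two-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url):
    """Return the reasons a link's host looks like an SBA/PPP impersonation."""
    parts = urlsplit(url if "//" in url else "//" + url)
    host = (parts.hostname or "").rstrip(".")
    if host == OFFICIAL or host.endswith("." + OFFICIAL):
        return []  # genuinely under sba.gov
    labels = host.split(".")
    # Naive split: treats the last two labels as the registered domain.
    # A production check should consult the Public Suffix List instead.
    registered, prefix = labels[-2:], labels[:-2]
    reasons = []
    if "sba" in prefix:
        reasons.append("sba-as-subdomain")   # e.g. sba.<something>.com
    if registered[0] == "sba":
        reasons.append("sba-on-other-tld")   # "sba" outside .gov
    name = registered[0].replace("-", "")
    for kw in KEYWORDS:
        distance = edit_distance(name, kw)
        if distance == 0:
            reasons.append("ppp-keyword")
        elif distance <= 2:                  # assumed threshold for a typo
            reasons.append("near-miss:" + kw)
    return reasons


if __name__ == "__main__":
    # The first link is the real agency site; the other two hosts are quoted in the article.
    for link in ("https://www.sba.gov/", "sba.pppapplication.com",
                 "paycheckprotecionprogram.com"):
        print(link, classify(link))
```

An empty result only means the host is under sba.gov or matched none of these three patterns; it does not vouch for the site.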

3. Promising faster or more flexible loans

Entities promising PPP loan approvals and offering high-interest bridge loans to "tide you over" are almost certainly a scam, according to Baptiste. This would look like someone offering a short-term loan or bridge loan at a high interest rate that they say can be rolled over into the PPP loan that you're "definitely" going to get. "People are desperate, so they jump at this kind of thing," Baptiste said. "And then they're stuck with a high-interest loan."

This type of arrangement is also expressly tagged by the SBA as highly likely to be fraudulent.

4. Offering a product 'just like the PPP'

Baptiste said he has seen many emails advertising products purportedly similar to the PPP but without the long wait time or limits on the use of funds.

"Business owners see this and they think it's similar to the PPP, and next thing you know, they're involved in a similar situation with a loan that carries a super-high interest rate and it doesn't really help them," Baptiste said. 

Baptiste also noted that in this environment, with so many business owners in such need of money, the temptation is to pursue as many of these leads as possible.

"When you do this, you're putting a lot of your information out there and exposing yourself to a higher risk of identity theft," he said. "Even if they were all above board, you'd have a bunch of institutions holding your information as opposed to one or two, and you're exposing yourself to a greater risk of identity theft."

Howard Silverstone, a CPA and member of the Fraud Task Force at the American Institute of Certified Public Accountants (AICPA), said all these scams were very familiar: he has received multiple emails every day, at both his unlisted business address and his personal address, purporting to lead to quick, low-interest loans.

"I can't imagine what's happening to other people, especially if you have a lot of people who aren't used to working from home. They're probably using email more than ever before, as well as using a combination of business email and personal email," Silverstone told Business Insider. "If they start getting these emails that they can get funding without pushing the paperwork, those things look good, and whereas on a normal day you might dismiss these emails, these days you're clutching at straws — you might be particularly vulnerable."

Staying away from hoaxes means staying alert: practical tips to ensure email safety

In addition to recommending the use of email security products like those provided by his company, Sadler provided the following tips for avoiding PPP-related scams: 

  • Think twice before sharing any personal information online. If it doesn't look right, it probably isn't. 
  • Understand the call to action on these PPP-related sites and emails. Understand what they're asking you to do, and if they're asking you to click links, make sure you understand where those links lead.
  • Make sure any of the sites offering consultancy services are legitimate before sharing any information or money. Check the URL, and you can also create another line of verification by trying to call the company or establish another point of contact outside of that email channel. 
  • Never share direct deposit details or social security numbers on an unfamiliar website. When in doubt, just don't share your most sensitive personally identifiable information.
  • Always use different passwords when setting up new accounts on websites. And enable two-factor authentication on all the services that you use.

If you run a small business and haven't seen one of these scams yet, chances are you will soon. Use these tips to protect yourself and you'll be able to stay out of what Sadler described as a very tempting environment for bad actors.

"It's never been easier [to launch these scams], or easier to be anonymous when doing these kinds of things," Sadler said. "If you get a million people to either visit your fake website or open your fake email and the conversion rate is 1% of those people will fall for the scam, you've managed to get yourself a lot of people."  
