New Phishing Scam Uses Fake PPP Loans to Trick Victims into Giving Up Personal Information

Taking advantage of people’s need for financial assistance, these scammers pose as a bank offering “forgivable business loans to individuals impacted by the pandemic.”

Nothing says lowlife more than someone who purposely targets those who are already down and out. Those responsible for a new scam identified by the security researchers at Abnormal Security are the lowest of the low – running a scam essentially promising free money to those who are in need.

In this scam, thousands of potential victims were sent an email impersonating an SBA lender, “World Trade Finance,” informing the recipient that the Paycheck Protection Program has been extended and that applications for new forgivable loans are now being accepted.

Those interested click a link that takes them to a genuine Office 365 form, which makes the page appear legitimate.

Victims are asked for every piece of personal information including name, birthdate, and social security number – along with other business details to make the form seem legitimate.

There were some telltale signs that this was a scam to begin with:

  • The email is sent to ‘payments@sba.pppgov.com’, a domain obviously not associated with the government.
  • It appears the actual recipient must have been blind cc’d.
  • The link goes to an Office 365 form and not something embedded in the business’ actual website.
  • While there is a ‘World Trade Finance’ that is an SBA lender, a quick lookup of the lender and a comparison to the address provided in the email reveals a mismatch.
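
The first three signs above can be checked automatically at the mail gateway or in a triage script. The following is an added example, not code from Abnormal Security or KnowBe4; the sample message, the `triage` function, the form hostname and every address other than the one quoted in the article are assumptions. The lender address mismatch needs an external lookup and is not covered.

```python
import re
from email import message_from_string
from email.utils import getaddresses
from urllib.parse import urlparse

# Assumption: hostname under which hosted Microsoft forms are served.
FORM_HOSTS = {"forms.office.com"}

# Constructed sample message. Only the To address comes from the article.
SAMPLE = """\
From: World Trade Finance <loans@lender.example>
To: payments@sba.pppgov.com
Subject: Paycheck Protection Program extended
Content-Type: text/plain

Apply for a forgivable loan: https://forms.office.com/r/EXAMPLE
"""

def triage(raw, delivered_to):
    """Return the list of warning signs found in one raw message."""
    msg = message_from_string(raw)
    findings = []
    visible = [addr.lower() for _, addr in
               getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]
    # Sign 1: a visible recipient domain borrows government wording
    # ("sba", "gov") without actually being under .gov.
    for addr in visible:
        domain = addr.rpartition("@")[2]
        if re.search(r"sba|gov", domain) and not domain.endswith(".gov"):
            findings.append(f"lookalike-gov-recipient:{domain}")
    # Sign 2: the mailbox that received the message is not listed in
    # To or Cc, so it must have been blind copied.
    if delivered_to.lower() not in visible:
        findings.append("recipient-was-bcc")
    # Sign 3: a link in a text part leads to a hosted form service.
    body = "".join(
        part.get_payload(decode=True).decode(errors="replace")
        for part in msg.walk() if part.get_content_maintype() == "text")
    for url in re.findall(r"https?://[^\s\"'<>]+", body):
        host = (urlparse(url).hostname or "").lower()
        if host in FORM_HOSTS:
            findings.append(f"hosted-form-link:{host}")
    return findings

if __name__ == "__main__":
    # "owner@smallbiz.example" is a constructed recipient mailbox.
    for finding in triage(SAMPLE, "owner@smallbiz.example"):
        print(finding)
```

A hosted-form link on its own is common in legitimate mail, so treat the findings as signals to combine rather than as a verdict.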

Users can easily avoid becoming the victim of such scams once they look at email and web content through a scrutinizing lens. This only comes through continual Security Awareness Training that educates users on what to look for, the types of scams that occur, and how to keep a vigilant mindset while working.

This blog originally appeared on the KnowBe4 website.

Stu Sjouwerman
About the Author
Stu Sjouwerman (pronounced “shower-man”) is the founder and CEO of KnowBe4 Inc, a provider of the most popular Security Awareness Training and Simulated Phishing platform. A serial entrepreneur and data security expert with more than 30 years in the IT industry, Sjouwerman is the author of four books, with his latest being “Cyberheist: The Biggest Financial Threat Facing American Businesses.” Along with his CEO duties, Stu is Editor-in-Chief of Cyberheist News, an e-zine tailored to deliver IT security news, technical updates, and social engineering alerts. Stu is a four-time Inc 500 award winner and EY Entrepreneur of the Year finalist.