The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert regarding a new phishing scam targeting small businesses. A malicious entity has been discovered spoofing the SBA website and its firstname.lastname@example.org email address in order to steal login credentials and sensitive information from unsuspecting business owners. We urge all businesses to be on the lookout for emails like this one.
CISA has released specific details about the discovered malicious email, but we urge our business customers to keep in mind that other similar forms of this email may exist:
Subject Line: SBA Application – Review and Proceed
Body: Contains a link purporting to be the SBA website, but which actually points to https://leanproconsulting.com.br/gov/covid19relief/sba[.]gov
Clicking the hyperlink in the email brings the recipient to a spoofed version of the SBA login page, which has been captured in the screenshot below:
This is just one of several recent scams targeting small businesses, and given the ongoing prevalence of such schemes, BankFive would like to remind its business customers to stay vigilant and alert.
Here are some tips to help keep your business and its sensitive information safe:
- Be wary of unsolicited phone calls, text messages, or emails and never provide sensitive information to a third party unless you are absolutely sure that the recipient is who they purport to be.
- Be highly suspicious of anyone claiming that you’ve been approved for a grant or loan that you didn’t apply for.
- Don’t assume that every email you receive is legitimate. Remember that even sender email addresses can be spoofed. Check all email links by hovering over them before clicking on them. Whenever possible, visit a website directly by typing the address into your browser, rather than relying on email links. If you have any concerns about the legitimacy of an email you’ve received, call the sender directly using their publicly listed phone number.
- Be on the lookout for phony invoices. Have a system in place for verifying all requests for payment that your business receives.
Unfortunately, scammers are taking advantage of the chaos and uncertainty that COVID-19 has brought to our daily lives. It’s more important now than ever before for business owners and their employees to be on high alert. By taking a little extra time to examine things like emails and phone calls, you’ll be in a better position to identify fraud before it wreaks havoc on your business.
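For businesses that filter their own mail, the hover check from the tips above can be automated. The sketch below is an added example, not code from CISA or BankFive: it flags links whose visible text or path mentions sba.gov while the host is a different domain, which is the pattern in the URL quoted in the alert. The function names and the sample email body are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED = "sba.gov"  # assumption: the domain the message claims to come from

def refang(url):  # undo "[.]" defanging so the URL can be parsed
    return url.replace("[.]", ".")

def host_is_trusted(host, trusted=TRUSTED):  # exact match or a true subdomain
    host = (host or "").lower().rstrip(".")
    return host == trusted or host.endswith("." + trusted)

class LinkCollector(HTMLParser):  # gathers (href, visible text) for each <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def check_links(html, trusted=TRUSTED):
    """Return findings for links that mention the trusted domain but go elsewhere."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        parts = urlsplit(refang(href))
        host = parts.hostname or ""
        reasons = []
        if trusted in text.lower():
            reasons.append("link text names %s" % trusted)
        if trusted in (parts.path + "?" + parts.query).lower():
            reasons.append("%s appears in the path, not the host" % trusted)
        if reasons and not host_is_trusted(host, trusted):
            findings.append({"host": host, "text": text, "reasons": reasons})
    return findings

# Constructed sample body; the first href is the URL quoted in the alert.
SAMPLE = ('<p>Review and proceed: <a href="https://leanproconsulting.com.br/gov/'
          'covid19relief/sba[.]gov">www.sba.gov</a> or '
          '<a href="https://www.sba.gov/funding-programs">SBA funding</a></p>')
```

Calling `check_links(SAMPLE)` reports only the first link, with host `leanproconsulting.com.br` and both reasons; the genuine sba.gov link passes.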