COVID relief phishing emails spoof SBA

Scammers are using particularly sophisticated phishing attacks to divert coronavirus relief funding from struggling Americans and companies.

Emails that appear to be from the Small Business Administration are being sent to business owners, CEOs and CFOs, enticing them to download malware and hand over personal banking information, according to new research from Malwarebytes Labs, which sells anti-malware software.

According to Jérôme Segura, the company's director of threat intelligence, one such attack, which took place in April, advised victims that their application for a disaster small business loan was complete, but that they first needed to fill out an attached form to finalize the deal. In reality, the attachment, disguised as an image file, was an .exe file containing the GuLoader malware, which is designed to bypass antivirus detection.

Another attack discovered by researchers in August was even more clever. Emails appearing to come from the same SBA address also attached PDF loan documents, and to anyone who didn't study the metadata closely or have their email settings configured correctly, both appeared to legitimately come from the federal government.

By checking the message's "Received" header field, researchers found it came from a hostname that had already been caught in a separate email scam. Anyone who attempted to reply to the email would find that they were actually responding to a new, unofficial email address hosted on a domain registered just days before the campaign kicked off.

The attached PDF looked identical to the version individuals could download on SBA's website, but an examination of the metadata revealed that the PDFs were created with different tools, another suspicious sign. Another red flag: The "agency" asked users to send their completed form back via email with relevant banking details, rather than printing it out and sending it through the mail.

"Most people aren't aware of email spoofing and believe that if the sender's email matches that of a legitimate organization, it must be real," wrote Segura in an Aug. 10 blog post detailing the research. "Unfortunately, that is not the case and there are additional checks that need to be performed to confirm the authenticity of a sender."
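The two header checks the researchers describe (a Reply-To pointing at a different domain than the visible sender, and an originating host in the Received chain already tied to an earlier scam) look like this in practice. This is an added Python example, not code from the original article or from Malwarebytes; every address, hostname and IP in it is a constructed placeholder.

```python
"""Header checks from the article (added example; all values are constructed placeholders)."""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed sample: From: shows the spoofed agency domain, Reply-To:
# points at a lookalike domain set up for the campaign, and the
# Received: line names the host that actually submitted the message.
SAMPLE_RAW = b"""Received: from mail.lookalike-relief.test (mail.lookalike-relief.test [192.0.2.10])
\tby mx.recipient.example with ESMTP id 4ABCDEF; Mon, 10 Aug 2020 09:12:01 +0000
From: "Disaster Loan Office" <loans@sba.gov>
Reply-To: <loans@sba-loan-relief.test>
Subject: Your loan application is complete

Return the completed form by email with your banking details.
"""

# Constructed: hostnames an analyst has already tied to an earlier scam.
KNOWN_BAD_HOSTS = {"mail.lookalike-relief.test"}


def domain_of(header_value) -> str:
    """Lower-cased domain of the address in a From:/Reply-To: value ("" if none)."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def originating_host(msg):
    """Host named in the bottom-most Received: header, i.e. the first
    relay's record of who handed it the message; None if absent."""
    received = msg.get_all("Received", [])
    if not received:
        return None
    m = re.match(r"\s*from\s+(\S+)", str(received[-1]))
    return m.group(1).strip("()[]").lower() if m else None


def suspicious_signs(raw: bytes) -> list[str]:
    """Run both checks over a raw RFC 5322 message; an empty list means clean."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    signs = []
    sender = domain_of(msg["From"])
    # Replies go to Reply-To: when present, so a different domain means the
    # conversation silently leaves the apparent sender's organisation.
    reply_to = domain_of(msg["Reply-To"]) if msg["Reply-To"] else sender
    if reply_to != sender:
        signs.append(f"replies go to {reply_to}, not {sender}")
    host = originating_host(msg)
    if host in KNOWN_BAD_HOSTS:
        signs.append(f"submitted by {host}, seen in an earlier campaign")
    return signs
```

The Received check only flags hosts already on the analyst's list: legitimate mail often passes through third-party relays, so an unfamiliar hop is a lead to investigate, not a verdict on its own.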

Taking such precautions can help users sniff out similar scams in the future, but there are also steps the less technically inclined can take to protect themselves.

"Because we can't expect everyone to be checking for email headers and metadata, at least we can suggest double-checking the legitimacy of any communication with a friend or by phoning the government organization," Segura wrote. "For the latter we always recommend to never dial the number found in an email or left on a voice mail as it could be fake."

The federal government has distributed more than $3 trillion in relief funding tied to the COVID-19 pandemic since March, including small business and payroll loans disbursed by the SBA and Department of the Treasury and economic stimulus checks for American families processed by the IRS. Nearly all of those programs have been targeted relentlessly by scammers and cyber criminals.

This article was first posted to FCW, a sibling site to GCN.

About the Author

Derek B. Johnson is a former senior staff writer at FCW.
