phishing email (Abscent/

COVID relief phishing emails spoof SBA

Scammers are using particularly sophisticated phishing attacks to divert coronavirus relief funding from struggling Americans and companies.

Emails that appear to be from the Small Business Administration are being sent to business owners, CEOs and CFOs, enticing them to download malware and hand over personal banking information, according to new research from Malwarebytes Labs, which sells anti-malware software

According to Jérôme Segura, the company's director of threat intelligence, one such attack took place in April advised victims that their application for a disaster small business loan was complete, but they first needed to complete an attached form to finalize the deal. In reality the attachment, disguised as an image file, was actually an .exe file containing the GuLoader malware designed to bypass antivirus detection.

Another attack discovered by researchers in August was even more clever. Emails appearing to come from the same SBA address also attached PDF loan documents, and to anyone who didn't study the metadata closely or have their email settings configured correctly, both appeared to legitimately come from the federal government.

By checking the "received field," researchers found it came from a hostname that was already caught in a separate email scam. Anyone who attempted to reply to the email would find that they were actually responding to a new, unofficial email address hosted by a domain registered just days before the campaign kicked off.

The attached PDF looked identical to the version individuals could download on SBA's website, but an examination of the metadata revealed that the PDFs were created with different tools, another suspicious sign. Another red flag: The "agency" asked users to send their completed form back via email with relevant banking details, rather than printing it out and sending it through the mail.

"Most people aren't aware of email spoofing and believe that if the sender's email matches that of a legitimate organization, it must be real," wrote Segura in an Aug. 10 blog post detailing the research. "Unfortunately, that is not the case and there are additional checks that need to be performed to confirm the authenticity of a sender."

Taking similar precautions can help users sniff out similar scams in the future, but there are also steps the less technically inclined can take to protect themselves.

"Because we can't expect everyone to be checking for email headers and metadata, at least we can suggest double-checking the legitimacy of any communication with a friend or by phoning the government organization," Segura wrote. "For the latter we always recommend to never dial the number found in an email or left on a voice mail as it could be fake."

The federal government has distributed more than $3 trillion in relief funding tied to the COVID-19 pandemic since March, including small business and payroll loans disbursed by the SBA and Department of the Treasury and economic stimulus checks for American families processed by the IRS. Nearly all of those programs have been targeted relentlessly by scammers and cyber criminals.

This article was first posted to FCW, a sibling site to GCN.

About the Author

Derek B. Johnson is a former senior staff writer at FCW.


  • Records management: Look beyond the NARA mandates

    Pandemic tests electronic records management

    Between the rush enable more virtual collaboration, stalled digitization of archived records and managing records that reside in datasets, records management executives are sorting through new challenges.

  • boy learning at home (Travelpixs/

    Tucson’s community wireless bridges the digital divide

    The city built cell sites at government-owned facilities such as fire departments and libraries that were already connected to Tucson’s existing fiber backbone.

Stay Connected