Federal agency warns ‘malicious cyber actor’ targeting coronavirus small business loan program

The Department of Homeland Security’s cyber agency warned Wednesday that a ‘malicious cyber actor’ is targeting a Small Business Administration (SBA) webpage used to funnel loans to businesses during the COVID-19 pandemic.

“The Cybersecurity and Infrastructure Security Agency (CISA) is currently tracking an unknown malicious cyber actor who is spoofing the Small Business Administration (SBA) COVID-19 loan relief webpage via phishing emails,” CISA wrote in an alert published Wednesday. “These emails include a malicious link to the spoofed SBA website that the cyber actor is using for malicious re-directs and credential stealing.”

CISA noted that the emails are being sent to “various Federal Civilian Executive Branch and state, local, tribal, and territorial government recipients” under the subject line of “SBA Application–Review and Proceed,” with the sender using an SBA email address. 

The malicious email directs the individual to click on a link that sends them to a fake login page for SBA’s Economic Disaster Loan Portal, with the hackers then able to steal the individual’s login credentials for the real page. 

In order to prevent this scam from impacting businesses, CISA recommended that business system owners and administrators take multiple steps to increase cybersecurity, including enforcing a strong password policy, using up-to-date antivirus software, and scanning for “suspicious” email attachments. 

In response to the alert, SBA Chief Information Officer Keith Bluestein told The Hill that “the SBA takes all fraud alerts seriously and has aggressively monitored related activity, in partnership with Cybersecurity and Infrastructure Security Agency, since the advent of the CARES Act.” 

Malicious cyber activity has spiked during the pandemic, and coronavirus stimulus funds have been a major target of hackers trying to cash in on federal funds meant for businesses. 

The CARES Act coronavirus stimulus package, signed into law by President Trump in March, included $650 million in loans for businesses with under 500 employees as part of the SBA’s Paycheck Protection Program.

Stimulus checks were also sent to certain individuals, with these payments also becoming a target of malicious actors. 

Software group Check Point reported in April that it had seen over 4,000 new website domains related to these stimulus funds created since January, while an FBI official said in April that it was receiving between 3,000 and 4,000 cybersecurity complaints per day, an increase from the usual average of 1,000 complaints per day.