What’s So Scary About My PPP Loan?

By Rich Kenney

For many of us, the movie Friday the 13th was the beginning of a horror movie era where the special effects were designed to look real and to scare the daylights out of the audience. That movie is likely still on some people’s top 10 scariest flicks list. Over time, movie directors have figured out how to make the effects better and thus, scarier – such as the 2018 movie named “The Quiet Place”, which is considered the scariest movie of all time by many. That same logic can easily be applied to cyberthieves, who, over the years, have gotten better and better at their craft of digital trickery.

Recently, we began to see some very scary-looking phishing emails relating to the PPP loans acquired by small businesses near the beginning of the COVID pandemic. These scary-looking phishing emails are fake, but they are made to look EXACTLY like legitimate communications from YOUR ACTUAL BANK.

To understand the background here, we have to know that as part of the Trump Administration’s effort to provide transparency, the Small Business Administration released a complete list of companies that qualified for borrowing money from the federal government under the Payroll Protection Program. The SBA’s list included all companies in the United States that received money under the program and included details such as business name, principal officer names, number of employee jobs saved, loan amount, and the bank used to process the loan. As it turns out, that is everything the hackers need to produce VERY authentic-looking emails about your loan, sent to the exact person who would care about reading the latest news or instructions.

Phishing is something we talk about quite often with our clients and associates. It is basically a cyberthief’s attempt to trick an unsuspecting person into providing money or important information such as username/password, address, social security number, or any other piece of data that might be useful to steal money. The bad guys are always trying to improve their technique, and this latest “improvement” is sure to catch some business owners off-guard.

Just recently, it was announced that business owners could begin the process of applying for forgiveness of their PPP loans. The latest phishing technique is to send business owners very real-looking emails with graphics from the actual bank used back in April to secure the PPP money. In the email, the hackers explain how to initiate the process of loan forgiveness by clicking the provided link. Once the link has been clicked, a browser window opens and presents the business owner with a very real-looking web page relating to PPP forgiveness that replicates the bank website almost exactly. By completing the requested text box fields on the website, the business owner unknowingly gives his/her credentials and other important info to the cyberthieves. At the end of the process, the hackers would have the ability to access the business’s bank records, bank account, and money.

Pictured is an email that shows just how real the fake ones can look. After a long day at work, any business owner could easily fall for this. It’s so real, it’s scary.

Our advice is simple: when logging into your bank account, open a browser and enter the actual URL for your bank that you are used to using. Do not click on a supplied link from within an email. It will take a few more seconds, but your safety, your cybersecurity, and your bank account are worth it.

Also, we suggest you go back and watch Friday the 13th again even though the scenes are not very realistic by today’s standards. While you watch that 1980 horror flick, think about how movies keep getting more and more realistic, and remember that the cyberthieves do too.