Skip to content

Phishing Campaign Offering Fake PPP Loans Targets US Businesses

Posted by Trevagh Stankard on Tue, Apr 20th, 2021

Cyber attackers target victims with fake PPP Loans with phishing scam.

In the wake of the pandemic and COVID-19 lockdowns for many businesses, US businesses were offered a way to stay afloat in the form of a PPP loan. Banks and other lenders gave businesses money based on their revenue, size, and employee headcount. Even small businesses were able to get a PPP loan to help cover payroll and other expenses. To prey on the desperate, phishing attackers created a campaign that promised PPP loan money to people who clicked a link where attackers could collect sensitive information from victims.

How the Fake PPP Loan Phishing Scam Worked

Because many small businesses needed the PPP loans to cover expenses, attackers could choose from millions of targets. Even freelancers with small businesses would qualify for loans provided they had the revenue and paperwork to file. It’s common for phishing attacks to play on fears and urgency of the targeted user, and PPP loans were the perfect way to trick users into divulging sensitive information.

Within the email was a link to a Microsoft Office form where users were asked to provide their social security number, name, and date of birth. This information can be used to open credit card accounts and other financial accounts. In normal circumstances, a recipient might understand that an Office form could be malicious, but attackers played on business owner fears and sense of urgency to obtain financial support.

To make it believable, attackers also asked for business information such as revenue, the cost of operations, and the cost of goods and supplied that keep the business running. For any business users who reviewed the necessary qualifications and paperwork, these questions seemed legitimate and necessary. The questions gave the phishing attack a sense of legitimacy.

Like many phishing attacks, the sender address was a malicious domain that looked like the official PPP government domain. The sender was set up as “” and used in the phishing attack. Again, without the sense of urgency a recipient might notice that the sender domain is a .com rather than an official .gov domain, but the attack played on the recipient’s fear of the future and need for financial support.

View the 10 tell-tale signs that spam email is a phishing scam

Stealing Microsoft Credentials

In addition to stealing sensitive information, the attack’s main goal was to obtain Microsoft Office credentials from unsuspecting targeted victims. When users clicked a link in the phishing email message, a spoofed Microsoft Office login page was shown to the user. Users should never enter credentials after clicking a link in email, but many users fail to follow this cybersecurity standard and enter login credentials after opening a malicious web page from an email message.

Users can avoid this type of attack by simply typing a site in their browsers rather than enter credentials from a link in an email. As a matter of fact, this is a common way to trick users into divulging sensitive data including login credentials. Several phishing attacks use spoofed landing page graphics and layouts that mimic an official site including Microsoft, PayPal, Google, and banking institutions.

Another way to avoid becoming a victim of this type of attack is to use two-factor authentication (2FA). Even the most educated user occasionally falls for a phishing attack, but 2FA stops attackers from authenticating into an account with a stolen password. You shouldn’t completely rely on 2FA to protect from phishing scams, but it adds a layer of cybersecurity to your accounts should your credentials be exposed.

Protecting Email with Filters

For every business, email filters will stop many of the common phishing campaigns. Since this campaign targets businesses, filters will stop malicious emails from getting inboxed for both the owner and employees. This type of cybersecurity greatly reduces the effects of phishing and protects the business from unauthorized access from stolen credentials.

Email filters block messages from reaching the recipient’s inbox, but they also allow administrators to review malicious messages. The administrator can confirm that the message is malicious or send it to the user’s inbox in a false positive scenario. Administrator review helps train the artificial intelligence (AI) to better detect malicious messages from legitimate ones.

Finally, users should be trained to identify malicious phishing messages should an attacker bypass an email filter. Good email filters will block phishing based on AI and other detection methods. It’s the first defense against phishing campaigns including the latest ones working with fear and urgency from the pandemic lockdowns, but educating users also helps in defense against phishing. Combining email filters and education, businesses can greatly reduce their risk of a data breach from phishing.

SpamTitan Email Protection blocks spam, viruses, malware, phishing attempts and other email threats from entering your inbox. Learn about how SpamTitan can protect your business in the Spam Titan Demo. View Demo.

Related Articles

Never Miss a Blog Post

Sign-up for email updates...

Get Your 14 Day Free Trial

Talk to Our Email and DNS Security Team

Call us on US +1 813 304 2544

Contact Us