FOLLOWUP: Small Business Administration Phishing Campaign

Eric Howes

On Wednesday, August 12, the Dept. of Homeland Security issued an alert concerning a phishing campaign using malicious spoofs of the Small Business Administration's (SBA) web site.

The phishing campaign in question is in fact the same one we reported and documented several days earlier in a blog post.


As we noted, this is an extremely polished campaign that leads with a malicious email almost indistinguishable from actual emails from the SBA. That email announces that the recipient's application for an SBA loan or grant has been approved and provides a link for users to click to obtain more information.

That link takes potential marks to an equally well-spoofed copy of the SBA's login page.

Users who input their credentials will in fact be handing over control of their SBA accounts to malicious actors. SBA accounts contain a variety of exploitable information about applicant organizations, including sensitive bank account information.

With access to an organization's SBA account, malicious actors could conceivably hijack or redirect loan or grant funds to bank accounts controlled by said malicious actors. They could also exploit information in that account for still further fraudulent ends.

The Dept. of Homeland Security's alert contains additional technical information about this phishing campaign as well as recommendations for mitigating the threat.

This kind of sophisticated, well-crafted phishing campaign is precisely the reason organizations should be stepping their users through New-school Security Awareness Training and testing them regularly with high-quality simulated phishing emails. Your users -- including those in senior positions within your organization -- are your last line of defense.

Well-trained, security-conscious users on the alert for phishing campaigns such as this one may be the only thing that stands between you and financial disaster during these challenging and precarious economic conditions.


Topics: Phishing
