The Cybersecurity and Infrastructure Security Agency (CISA) has let us know that businesses are receiving fraudulent emails that claim to be from the Small Business Administration’s (SBA) COVID‑19 webpage. The email includes a malicious link to a page that the criminals use to steal your legitimate SBA login and password information, as well as other vital information about your business.
The examples that CISA has seen so far include emails that contain the following:
- Subject line: SBA Application – Review and Proceed
- Sender marked as: disastercustomerservice[at]sba[.]gov
- Text in the email body urging the recipient to click on a hyperlink
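A simple way to turn the indicators above into a mail-gateway check is to parse each inbound message, compare its subject and sender against the reported lure, and flag any hyperlink in the body that does not point at a trusted SBA host. The script below is an added example, not part of the CISA notice; the sample messages, the `sba-covid19-portal.example` host and the `TRUSTED_DOMAINS` set are constructed for illustration, and the subject comparison normalizes dashes because lure wording may drift as the notice warns.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Indicators reported in the CISA notice (the sender is shown defanged there).
KNOWN_SUBJECT = "SBA Application - Review and Proceed"
KNOWN_SENDER = "disastercustomerservice@sba.gov"

# Assumption for this example: the only legitimate host family for SBA links.
TRUSTED_DOMAINS = {"sba.gov"}

HREF_RE = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)


def normalize(text):
    """Fold en/em dashes and case so minor lure rewording still matches."""
    return text.replace("\u2013", "-").replace("\u2014", "-").strip().lower()


def extract_links(html_body):
    """Return every href target found in an HTML body."""
    return HREF_RE.findall(html_body)


def is_trusted(host):
    """True if host is a trusted domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def assess_message(raw):
    """Return a list of findings for one raw RFC 5322 message; empty means no hit."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    subject = str(msg.get("Subject", ""))
    sender = str(msg.get("From", ""))
    if normalize(subject) == normalize(KNOWN_SUBJECT):
        findings.append("subject matches CISA-reported lure")
    if KNOWN_SENDER in sender.lower():
        findings.append("sender matches CISA-reported spoofed address")
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    for url in extract_links(text):
        host = (urlparse(url).hostname or "").lower()
        if not is_trusted(host):
            findings.append("link to untrusted host: " + host)
    return findings


# Constructed sample resembling the reported lure (not a real captured message).
LURE_SAMPLE = """From: "SBA Disaster Customer Service" <disastercustomerservice@sba.gov>
To: owner@example.com
Subject: SBA Application - Review and Proceed
Content-Type: text/html; charset="utf-8"

<html><body><p>Your application requires attention.</p>
<a href="http://sba-covid19-portal.example/login">Review and Proceed</a></body></html>
"""

# Constructed benign sample: plain text, link to a real SBA host.
CLEAN_SAMPLE = """From: colleague@example.com
To: owner@example.com
Subject: Loan program overview
Content-Type: text/html; charset="utf-8"

<html><body><a href="https://www.sba.gov/funding-programs">SBA funding programs</a></body></html>
"""

if __name__ == "__main__":
    for label, sample in (("lure", LURE_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(label, assess_message(sample))
```

The link check is the part worth keeping even after the criminals change subject and sender text: a message that claims to be from the SBA but sends the reader to a host outside sba.gov is the behaviour the notice describes.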
Now that CISA has begun notifying organizations that this fraud is happening, the criminals are likely to alter the wording. If you receive an email that appears to come directly from the SBA about your loan, do not click on any link in it. Instead, call or email the SBA using the contact information you received from them during the application process, or visit the SBA website you used to apply for the loan and contact the SBA through that website.
Below are a few best practices that may improve the security of your business’ network. If you ever feel information related to your accounts with us has been compromised, please contact us immediately so we can help you and report the fraud to your local police department.
Best Practices for Protecting Your Business from Phishing Scams
- Include warning banners on all emails that come from senders outside your organization.
- Maintain up-to-date antivirus signatures and engines. Be sure to visit the CISA website for more information about Protecting Against Malicious Code.
- Ensure that your systems have the latest security updates. The CISA website has more information about Understanding Patches and Software Updates.
- Disable file and printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
- Restrict users’ permissions to install and run unwanted software applications.
- Enforce a strong password policy. The CISA website has more information about Choosing and Protecting Passwords.
- Teach all staff to exercise caution when opening email attachments, even if the attachment is expected and the sender appears to be known.
- Enable a personal firewall on agency workstations that is configured to deny unsolicited connection requests.
- Disable unnecessary services on agency workstations and servers.
- Use security software to scan for and remove suspicious email attachments; ensure that the scanned attachment is its “true file type” (i.e., the extension matches the file header).
- Monitor the web browsing habits of your users; restrict access to sites with unfavorable content.
- Train staff about being careful when using removable media (such as USB thumb drives, external drives, CDs).
- Install software that scans all software downloaded from the internet prior to executing.
- Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs). Sign up to receive CISA’s alerts on security topics and threats.
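The "true file type" check in the list above means comparing an attachment's extension with the file signature (magic bytes) at the start of its content, so that an executable renamed `invoice.pdf` is caught. The script below is an added example, not part of the CISA notice or any product: the signature table covers a handful of common formats, the sample byte strings are constructed, and any attachment that is an executable or whose content does not match its extension is marked for quarantine.

```python
# Leading byte signatures for a few common attachment formats.
# Office Open XML files (.docx/.xlsx/.pptx) are ZIP containers, so they share the ZIP signature.
MAGIC = [
    ("pdf", b"%PDF-"),
    ("zip", b"PK\x03\x04"),
    ("png", b"\x89PNG\r\n\x1a\n"),
    ("gif", b"GIF8"),
    ("jpg", b"\xff\xd8\xff"),
    ("exe", b"MZ"),  # Windows PE images (.exe/.dll) start with the DOS "MZ" header
]

# Extension -> expected content family.
EXT_TO_TYPE = {
    "pdf": "pdf",
    "zip": "zip", "docx": "zip", "xlsx": "zip", "pptx": "zip",
    "png": "png", "gif": "gif", "jpg": "jpg", "jpeg": "jpg",
    "exe": "exe", "dll": "exe",
}


def detect_type(data):
    """Return the content family implied by the leading bytes, or None if unrecognized."""
    for name, signature in MAGIC:
        if data.startswith(signature):
            return name
    return None


def check_attachment(filename, data):
    """Compare the declared extension with the detected content and decide on quarantine."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    expected = EXT_TO_TYPE.get(ext)
    detected = detect_type(data)
    if expected is None:
        verdict = "unknown-extension"
    elif detected is None:
        verdict = "unrecognized-content"
    elif detected == expected:
        verdict = "match"
    else:
        verdict = "mismatch"
    # Executables are held regardless of whether the extension was honest.
    quarantine = verdict == "mismatch" or detected == "exe"
    return {"filename": filename, "extension": ext, "expected": expected,
            "detected": detected, "verdict": verdict, "quarantine": quarantine}


# Constructed samples: only the first bytes matter for the signature check.
SAMPLES = [
    ("invoice.pdf", b"MZ\x90\x00\x03\x00\x00\x00"),       # PE image renamed to .pdf
    ("report.docx", b"PK\x03\x04\x14\x00\x06\x00"),       # genuine OOXML container
    ("statement.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3"),    # genuine PDF
    ("setup.exe", b"MZ\x90\x00"),                         # honest executable, still held
    ("notes.txt", b"meeting at 10"),                      # no signature rule for .txt
]

if __name__ == "__main__":
    for name, content in SAMPLES:
        print(check_attachment(name, content))
```

A production gateway would use a full signature library rather than this short table, but the decision logic is the same: the content, not the name, determines how the file is treated.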