How Not To Get Caught by the New SBA COVID-19 Relief Phishing Scam
Why Phishing Resistance Training Matters: Defending Against the New SBA COVID-19 Relief Phishing Scam
With an increase of more than 600% since the start of the global pandemic, phishing is the most common (and dangerous) threat of 2020. But not all phishing and spear phishing scams are built the same. Clever cybercriminals know they need to go the extra mile to try to pull off major scams with major paydays – and major consequences. Enter the new SBA COVID-19 relief phishing scam.
In a Cybersecurity & Infrastructure Security Agency (CISA) warning that released on 8/12/20, the agency noted that it is “currently tracking an unknown malicious cyber actor who is spoofing the Small Business Administration (SBA) COVID-19 loan relief webpage via phishing emails. These emails include a malicious link to the spoofed SBA website that the cyber actor is using for malicious re-directs and credential stealing.”
A clever and dangerous new scam preys on businesses
So far, investigators have determined that the bad actors have kicked off their cybercrime spree by sending a phishing email to Federal Civilian Executive Branch and state, local, tribal, and territorial government recipients.
Here’s the structure of the scam:
- A highly convincing phishing email hooks the user
- The subject line, SBA Application – Review and Proceed, looks legitimate
- The sender is marked as disastercustomerservice@sba[.]gov
- Text inside urges the recipient to click on a hyperlink to address:
hxxps://leanproconsulting[.]com.br/gov/covid19relief/sba.gov - The domain resolves to IP address: 162.214.104[.]246
- And that website appears to be intended for malicious re-directs and credential stealing
The warning goes on to detail potential mitigations against this scam, including using warning banners for all emails external to an organization, ensuring that all systems have the latest security updates, and maintaining up-to-date antivirus signatures and engines.
Updated security training including phishing resistance and stronger password security is also on the recommendation list – and ID Agent has got you covered.
BullPhish ID Boosts Phishing Resistance Fast
BullPhish ID is a smart training solution that increases phishing resistance companywide with memorable and effective training on how to detect and avoid phishing, transforming your staff from your biggest cybersecurity threat into your biggest cybersecurity asset.
- It’s simple to set up, fast to deploy, and easy to run.
- Training raises your staff’s overall cybersecurity awareness, making them more alert to other potential phishing threats, like SMS text and chat phishing attempts.
- Over 80 plug-and-play phishing resistance training kits are available, with 4 new kits added each month including COVID-19 threats.
- Engaging animated video delivers effective training in bite-sized pieces for improved retention in 8 languages.
- Online testing quickly determines who needs more training and enabling you to adjust training groups accordingly.
Passly Protects You From Phished Passwords
Passly provides strong password protection to keep cybercriminals at bay. Our state of the art secure identity and access management solution is an essential tool that provides vital password security, preventing cybercriminals from accessing your systems and data by making sure that the right people have access to the right things anytime, anywhere – and only the right people.
- Multifactor authentication takes the sting out of a stolen password by requiring a second form of identification for access.
- Identifier codes and tokens can be delivered by text, app, and more.
- Seamless integration with 1,000+ apps means a smooth transition.
- Single sign-on creates individual user Launchpads, allowing for easy access control.
- Simple remote management with protection that deploys in days, not weeks.
- Secure Shared Password Vaults enable techs to manage and store passwords for business, personal, or shared accounts in one central location.
- Ideal for supporting a remote workforce.
Smarter Security Now Means Safer Data Later
By taking smart precautions, improving the company’s phishing resistance training (including executives), committing to securing identity and access management, and boosting overall cybersecurity awareness, you can avoid getting caught up in today’s constantly growing wave of phishing scams and stay on top of tomorrow’s cybersecurity threats.