Credential phishing attacks continue to exploit COVID-19 to target businesses

Recent phishing emails claim to offer a COVID-19 grant application from the SBA but are actually looking to capture banking details and other confidential data, says Inky.

Since early 2020, the coronavirus pandemic has given cyber criminals another area that’s ripe for exploitation as they try to trick individuals and businesses into divulging sensitive information. In a report published Wednesday, Oct. 11, email security provider Inky discusses a recent phishing campaign that takes advantage of COVID-19 in an attempt to steal financial account details from business users.

How does this credential phishing attack work?

In this latest attack, users receive a phishing email that claims to contain a COVID-19 grant application from the Small Business Administration. This idea gained traction in 2020 and 2021, as small businesses that were suffering financial hardship due to the pandemic applied for loans and grants from the SBA. The agency has since stopped accepting applications for these types of grants, but that hasn’t stopped criminals from continuing to use this theme.

Promising grant money to all businesses and organizations, with no need to pay it back, the phishing email includes an “Apply Now” button that takes users to a survey form that must be filled out to determine if they’re eligible for the grant. The form itself was generated using Google Forms, a free web-based survey tool offered by Google.

What types of information are the attackers getting?

The initial questions on the form seem to be taken directly from a legitimate COVID-19 grant message, so they could easily fool any unsuspecting small business owner who attempts to answer them. But after the innocuous question asking for the person’s gender, the form segues into more sensitive territory, requesting a Social Security number or Employer Identification Number, a driver’s license number, and bank account and routing numbers.

Filling out and then submitting the form triggers a final message to confirm that the information was received. Of course, whatever information is submitted is captured by the attackers, allowing them to easily access the victim’s bank account and identity or sell the data on the dark web.

Why are small business owners falling for this?

The criminals behind this scam employ a few different tactics to make it sound convincing. Promising a grant as a result of the pandemic is designed to arouse interest and curiosity among business owners and users. Impersonating the SBA makes the email look legitimate. Using Google Forms to create and host the survey is a clever method as this is a free tool trusted by businesses and one that’s likely to avoid security detection.

But as with many phishing emails and forms, the ones in this campaign fail to hold up upon closer scrutiny:

• The word “family’s” is misspelled.
• The term “Corona-virus” is not written properly.
• The phrase “is offering designated states” is not grammatically correct.
• Certain sentences are missing key words.
• Using the words “GRANT MONEY” in all caps seems unprofessional.

How can users avoid this attack?

To help business owners and users avoid these types of scams, Inky offers a few simple but helpful tips:

• Remember what to look for in a phishing email. Make sure you scrutinize the message carefully for typos and other errors before you even consider acting on it.
• Inspect the sender’s address, especially if the email claims to be from the U.S. government. Official U.S. government domains typically end in .gov or .mil rather than .com or another suffix.
• Never submit sensitive or confidential information, such as passwords, Social Security numbers, or license numbers, in an online survey.