{
	"id": "fe54cd83-86e2-4180-bc46-d6be098bfa83",
	"created_at": "2026-04-06T00:15:54.135565Z",
	"updated_at": "2026-04-10T13:13:01.10869Z",
	"deleted_at": null,
	"sha1_hash": "224f7aabeadc16a00f10741874bec8c0601211f1",
	"title": "SBA phishing scams: from malware to advanced social engineering | Malwarebytes Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 535127,
	"plain_text": "SBA phishing scams: from malware to advanced social engineering | Malwarebytes Labs\r\nBy Jérôme Segura\r\nPublished: 2020-08-09 · Archived: 2026-04-05 13:48:48 UTC\r\nA number of threat actors continue to take advantage of the ongoing coronavirus pandemic through phishing\r\nscams and other campaigns distributing malware.\r\nIn this blog, we look at 3 different phishing waves targeting applicants for Covid-19 relief loans. The phishing\r\nemails impersonate the US Small Business Administration (SBA), and are aimed at delivering malware, stealing\r\nuser credentials or committing financial fraud.\r\nIn each of these campaigns, criminals are spoofing the sender’s email so that it looks like the official SBA’s. This\r\ntechnique is very common and unfortunately often misunderstood, resulting in many successful scams.\r\nGuLoader malware\r\nIn April, we saw the first wave of SBA attacks using COVID-19 as a lure to distribute malware. The emails\r\ncontained attachments with names such as\r\n‘SBA_Disaster_Application_Confirmation_Documents_COVID_Relief.img’.\r\nThe malware was the popular GuLoader, a stealthy downloader used by criminals to load the payload of their\r\nchoice and bypass antivirus detection.\r\nTraditional phishing attempt\r\nThe second wave we saw involved a more traditional phishing approach where the goal was to collect credentials\r\nfrom victims in order to scam them later on.\r\nA URL, especially if it has nothing to do with the sender, is a big giveaway that the email may be fraudulent. But\r\nthings get a little more complicated when attackers are using attachments that look seemingly legitimate.\r\nAdvanced phishing attempt\r\nThis is what we saw in a pretty clever and daring scheme that tricks people into completing a full form containing\r\nhighly personal information, including bank account details. These could be used to directly drain accounts or in\r\nan additional layer of social engineering, which tricks users into paying advance fees that don’t exist as part of\r\nthe real SBA program.\r\nThis latest campaign started in early August and is convincing enough to fool even seasoned security experts.\r\nHere’s a closer look at some red flags we encountered as we analyzed it.\r\nMost people aren’t aware of email spoofing and believe that if the sender’s email matches that of a legitimate\r\norganization, it must be real. Unfortunately, that is not the case, and there are additional checks that need to be\r\nperformed to confirm the authenticity of a sender.\r\nThere are various technologies for confirming the true sender email address, but we will instead focus on the\r\nemail headers, a sort of blueprint that is available to anyone. Depending on the email client, there are different\r\nways to view such headers. In Outlook, you can click File and then Properties to display them:\r\nOne of the items to look at is the “Received” field. In this case, it shows a hostname (park-mx.above[.]com) that\r\nlooks suspicious. In fact, we can see it has already been mentioned in another scam campaign.\r\nIf we go back to this email, we see that it contains an attachment, a loan application with the 3245-0406 reference\r\nnumber. A look at the PDF metadata can sometimes reveal interesting information.\r\nHere we note the file was created on July 31 with Skia, a graphics library for Chrome. This tells us that the\r\nfraudsters created that form shortly before sending the spam emails.\r\nFor comparison, if we look at the application downloaded from the official SBA website, we see some different\r\nmetadata:\r\nThis legitimate application form was created using Acrobat PDFMaker for Word on March 27, which coincides\r\nwith the pandemic timeline.\r\nThe loan application would typically be printed out and then mailed to a physical address at one of the\r\ngovernment offices. If we go back to the original email, it asks to send the completed form as a reply via email\r\ninstead:\r\nThis is where things get interesting. Even though the sender’s email is disastercustomerservice@sba.gov, when\r\nyou hit the reply button, it shows a different email address at: disastercustomerservice@gov-sba[.]us. While\r\nsba.gov is the official and legitimate government website, gov-sba[.]us is not.\r\nThat domain name (gov-sba[.]us) was registered just days before the email campaign began and clearly does not\r\nbelong to the US government.\r\nHowever, we should note that this campaign is quite elaborate and that it would be easy to fall for it. Sadly, the\r\nlast thing you would want when applying for a loan is to be out of even more money.\r\nIf you reply to this email with the completed form containing private information that includes your bank account\r\ndetails, this is exactly what would happen.\r\nTips on how to protect yourself\r\nThere is no question that people should be extremely cautious whenever they are asked to fill out information\r\nonline—especially in an email. Fraudsters are lurking at every corner and ready to pounce on the next opportunity.\r\nBoth the Department of Justice and the Small Business Administration have been warning of scams pertaining to\r\nSBA loans. Their respective sites provide various tips on how to steer clear of various malicious schemes.\r\nPerhaps the biggest takeaway, especially when it comes to phishing emails, is that the sender’s address can easily\r\nbe spoofed and is in no way a solid guarantee of legitimacy, even if it looks exactly the same.\r\nBecause we can’t expect everyone to be checking for email headers and metadata, at least we can suggest double\r\nchecking the legitimacy of any communication with a friend or by phoning the government organization. For the\r\nlatter we always recommend never dialing the number found in an email or left on a voicemail, as it could be fake.\r\nGoogle the organization for its correct contact number.\r\nMalwarebytes also protects against phishing attacks and malware by blocking offending infrastructure used by\r\nscammers.\r\nSource: https://blog.malwarebytes.com/scams/2020/08/sba-phishing-scams-from-malware-to-advanced-social-engineering/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.malwarebytes.com/scams/2020/08/sba-phishing-scams-from-malware-to-advanced-social-engineering/"
	],
	"report_names": [
		"sba-phishing-scams-from-malware-to-advanced-social-engineering"
	],
	"threat_actors": [],
	"ts_created_at": 1775434554,
	"ts_updated_at": 1775826781,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/224f7aabeadc16a00f10741874bec8c0601211f1.pdf",
		"text": "https://archive.orkl.eu/224f7aabeadc16a00f10741874bec8c0601211f1.txt",
		"img": "https://archive.orkl.eu/224f7aabeadc16a00f10741874bec8c0601211f1.jpg"
	}
}