The Fed, SBA Fight Off Scams & a Breach While Processing Emergency Loans
Security experts report a more than 6,000% increase in COVID-19-related spam since mid-March.
While small businesses try to secure lifeline loans via emergency funding programs, fraudsters continue to look for opportunities to scam their way toward a payday by phishing, impersonation and other means.
The Federal Reserve Bank of New York warned the public of potential scams relating to the coronavirus. “Unfortunately, fraudsters will try to profit off the public during these uncertain and unprecedented times. We have recently learned of a 50% increase in phishing scams.” The New York Fed also urged the public to remain attentive to scams involving individuals impersonating Fed employees, who seek money or personal information for COVID-19 research, medical supplies or financial transactions.
Scammers also send out emails impersonating the U.S. Federal Reserve and attempt to lure recipients with financial relief options through the Paycheck Protection Program. Since the World Health Organization declared the COVID-19 outbreak a pandemic on March 11, IBM X-Force has observed a more than 6,000% increase in COVID-19-related spam, with lures that include phishing emails impersonating the SBA, the WHO and U.S. banking institutions.
Colin Bastable, CEO of security awareness and training firm Lucy Security, said, “The SBA halted the use of outbound phone calls to potential PPP/Emergency Loan applicants because there are so many phone scammers making fraudulent calls. It is now all done by email, slowing down the process and making email the biggest attack vector. Unfortunately, it becomes a sort of Catch 22.”
The SBA also reported a potential data breach on its website on March 25 affecting almost 8,000 business owners applying for economic injury disaster loans. A letter sent to applicants, dated April 13, explained that, while resolving a security issue, the agency left a portal section disabled, inadvertently disclosing personally identifiable information such as names, Social Security numbers, physical and email addresses, birth dates, citizen status and insurance information.
The SBA said the incident affected only the disaster loan program, not the PPP, which is handled by a separate system and did not begin until April 3.
“Thousands of small business owners have been waiting for an email from the SBA to advise them of the status of their EIDL loans. Unfortunately, 8,000 of them received the wrong kind of bad news, offering them 12 months credit monitoring,” Bastable noted. “We are fortunate that the SBA caught the problem in time, although it would be good to know more about the nature of the suspected breach.”
However, the situation also highlighted cloud access tribulations. “Unfortunately, unauthorized access is a challenge for most, especially as many rush to reap the business benefits of cloud technologies. This allows cybercriminals to have more streamlined access to personal data, the number one target of 97% of breaches,” Ben Goodman, certified information systems security professional and SVP of global business and corporate development, ForgeRock, said.
Anurag Kahol, chief technology officer and co-founder, Bitglass, said, “As organizations continue to store sensitive information in the cloud, adopting proper cloud security measures is critical. Organizations that seek to avoid similar cloud security failures, protect user data and uphold their brand reputation must have full visibility and control over their data.”
Without a holistic security approach, organizations open themselves up to undue risk, according to Chris DeRamus, chief technology officer and co-founder of DivvyCloud. “If they are among the more prepared organizations, their teams will scramble to catch cloud infrastructure misconfigurations, risks and compliance violations after provisioning or creation.”
As Kevin Lancaster, founder of ID Agent, a Kaseya company, observed, “The public, with fresh wounds from the [Office of Personnel Management] data breaches of 2015 and the follies associated with the deployment of the Healthcare.gov website, didn’t seem to bat an eye when the SBA’s breach was announced last week.”
Lancaster suggested a few troubling trends with this latest breach. “It appears the site was placed in maintenance mode to implement a series of ‘routine’ updates. Most development and QA teams run through a series of checks to ensure the updates were successful, test data and security integrity and move on. This ‘bug’ on the other hand is one that should have been caught given the publicity, significant uptick in traffic and increased volume of cyberattacks one would assume that the SBA is under given the volume and type of data they hold.”
Lancaster warned there is still the possibility that nefarious individuals gained access to this data and will dump it out on the dark web at some point.