Curt Gausman received an email that looked suspicious after first applying for the Economic Injury Disaster Loan (EIDL). The first red flag was the timing. It came after he had tried to upload his application on the U.S. Small Business Administration website. He couldn’t finish because the site was overwhelmed with applicants.
“It actually looked so official. I thought, ‘How did this happen?’ because I didn’t think the loan went through. Then, I noticed there was a number on it, and the number was not a good number when I checked with the SBA,” said Gausman, owner of Pro-American Tours, based in Ruckersville, Virginia.
More red flags
The email had a link asking for his past three years of tax returns. That was another red flag. He had just learned at a United Motorcoach Association Town Hall session that the SBA was no longer asking for returns. Instead, the federal agency is requesting applicants sign a form granting access to their IRS records to confirm financial eligibility.
The third red flag popped up when he hit reply and clicked on the return address, “Small Business Administration.” The address was actually firstname.lastname@example.org. It should have been an @sba.gov address.
“I said, OK, this is definitely a scam,” said Gausman. “They were trying to get me to attach my tax returns to this link, and they would have had all my personal information.”
Phishing for information
Phishing scams targeting applicants of SBA loans have risen dramatically in recent days. The SBA advises applicants to take precautions when responding to emails — asking for additional information — that appear to be from the governmental agency.
Usually, the goal of phishing attacks and scams is to obtain personal information or to install ransomware/malware on a computer.
Gausman is grateful he didn’t immediately respond, but took the time to check the 10-digit number on the email to see if it matched the number on his application.
He received another suspicious email a few days later. The red flag on this one was the lack of a number. To be on the safe side, Gausman contacted the SBA, which told him this email was also fraudulent.
The SBA is encouraging applicants to be extra cautious, as Gausman is doing. The federal agency issued a March 31 warning for people to be careful of phishing attacks/scams utilizing the SBA name and logo.
“Fraudsters have already begun targeting small business owners during these economically difficult times. Be on the lookout for grant fraud, loan fraud and phishing,” part of the message read.
The message noted that the SBA doesn’t initiate contact for grants, and recommended applicants always check to make sure the referenced application number is consistent with the actual application number. Any email communication from SBA will come from accounts ending with sba.gov.
It added that the presence of an SBA logo on a webpage does not guarantee the information is accurate or endorsed by the SBA. Applicants are encouraged to cross-reference any information received with information available at sba.gov.
The SBA is recommending that people with questions about an SBA disaster loan call 800-659-2955 or send an email to email@example.com. Those with questions about other SBA lending products are directed to call SBA’s Answer Desk at 800-827-5722 or send an email to firstname.lastname@example.org.
Cases of suspected fraud should be reported online at the Office of Inspector General Hotline or by calling 800-767-0385.