Malicious Email Appearing to Come from the SBA: A COVID-19 Case Study

Posted

The Scenario in Brief:

A client of ours forwarded us an email that was slightly suspicious (pictured here in this article). Though it was caught in their Office 365 spam filter it appeared to come from the Small Business Association. Coincidentally over the weekend (like so many others) they had just applied for a business loan. In their own words, they thought it could be a legitimate email. Thankfully they had a security mindset and asked our team if they should open it.

The fact is this very convincing email did contain malware. It also would be difficult to detect for many users.

How can you know this is a dangerous email? We thought we would share what we learned in the likely event others will receive similar emails.

Malicious Email Appearing to come from the Small Business Administration

The Solution – A Break Down of the Email:

Here are some of the factors that made this email more convincing than other phishing or malicious emails:

  • The sender successfully spoofed the Small Business Administration’s email address. This means it appears to come from a valid email.
  • There are no phishing links. Many people are learning to not click on links. (Read our article to learn more.)
  • It looked like a relatively professional email.
  • It came at an appropriate time when the business may be expecting to hear from the Small Business Association.
  • Implicit in the messaging is a huge emotional appeal: Your application is complete, you just need to do one more thing to get the financial relief you are looking for.

Here are some facts that should be a warning to the recipient:

  • The date in the email is the European order Day/Month/Year.
  • The date in the email is incorrect and predates the email itself, making it impossible to process the request.
  • The attachment is a .img file. You would expect such a request to come as a PDF file.
  • The words “endeavor” and “centre” are the British/European version.
  • The language does make sense, including references to vouchers and testing centres.
  • The process is contrary to expectations. You would expect to be working directly with your bank, not the SBA.

The Conclusion

There is no question that this was a malicious email. The end result is not clear, but the goal is to compromise your system. Thankfully spam filters in addition to next generation endpoint protection will often catch such emails. Continue to encourage your team to remain on high alert regarding emails and communication during this time. If you have any questions, don’t hesitate to reach out to us.