‘Malicious’ cyber actor spoofing SBA’s coronavirus loan relief webpage

The spoofed website is designed for credential stealing and comes almost four months after the Small Business Administration took down eight fraudulent websites amid the pandemic.
Small Business Administration headquarters. (Tajha Chappellet-Lanier)

The Cybersecurity and Infrastructure Security Agency is tracking an “unknown, malicious” cyber actor spoofing the Small Business Administration’s coronavirus loan relief webpage via phishing emails, it warned in an alert issued Wednesday.

Suspect emails link to a spoofed website for redirects and credential-stealing and have targeted federal civilian executive branch, state, local, tribal, and territorial recipients, according to CISA‘s alert.

CISA recommended that system owners and administrators include warning banners with external emails, maintain updated antivirus signatures and engines, and ensure systems have the latest security updates among its list of mitigations.


The phishing emails consist of the subject line “SBA Application – Review and Proceed,” as the sender, and text prompting the recipient to click a hyperlink leading to a login page for the credential theft.

CISA’s alert includes indicators of compromise and additional mitigations, including signing up for its alerts and free vulnerability scanning and testing.

In April, former SBA Chief Information Officer Maria Roat said her security team had worked with the Department of Homeland Security, where CISA resides, to take down eight fraudulent websites and two Twitter accounts attempting to take advantage of small businesses seeking coronavirus loan relief.

Latest Podcasts