We’ve learned of a number of scams targeting businesses using information from the Small Business Administration’s Paycheck Protection Program loans and related forgiveness process. This article includes some helpful information for spotting a scam and keeping your business safe.
Watch Out For Paycheck Protection Program Phishing Attempts
Phishing is an attempt to “fish” for your personal or business information by impersonating someone else. Phishers might pretend to be a bank or credit union, or even the Small Business Administration.
Because the Paycheck Protection Program uses public funds, the SBA has released many PPP loan details as part of open records requests. Unfortunately, this means malicious actors now have easy access to databases containing specific information about PPP borrowers. This gives hackers all the information they need to create targeted phishing attempts that prey on businesses and other organizations. Be aware that a potential phishing attempt could use this publicly available information to appear legitimate.
- PPP phishers may call your business and impersonate your PPP loan lender. They may claim there is an urgent problem that requires you to provide your bank account numbers or your online banking username or password. Royal Credit Union will never call you and ask for your online banking username or password!
- PPP phishers may also contact you by email or mail with messages that look official and include the logos of a legitimate organization. These messages are often designed to lead you to a website that captures your business or personal information so that thieves can use it to access your accounts or call and request more information from you.
To help stop these phishing attempts, please be skeptical of any phone calls you receive related to the Paycheck Protection Program. Also make sure to double check any emails and letters that appear to come from Royal Credit Union, other financial institutions, or the SBA. Think before providing any information, and if you aren't sure if something is a scam, please contact Royal to ask about it. You can see an example of a spoofed web page from the U.S. Cybersecurity & Infrastructure Security Agency here.
Common red flag elements of a phishing phone call include:
- An unexpected call with a sense of urgency. For example, callers may claim to be from your PPP lender and explain there is a problem with your loan records requiring verification.
- Requests for information the caller should already know. For example, if the caller is claiming to be from a financial institution, it wouldn't make sense for them to request your full account numbers.
- Asking for your online banking username or password, or sending you a verification text message during the call. Phishers may attempt to reset your online banking password to access your accounts, which often requires a text message code to be sent to you. Royal will never ask for your online banking username or password, and text message codes from Royal have clear instructions never to share the code with anyone, even if they claim to be from Royal.
Common red flag elements of a phishing email include:
- A sending email address that doesn’t match the expected format. For example, most legitimate emails from Royal end in @rcu.org.
- The email content does not match your expectations. For example, if the email references a new problem with your PPP loan even though you already applied for and received PPP loan forgiveness, this could be a red flag.
- A hyperlink that redirects to an unexpected website. For example, if the link takes you to a site other than sba.gov or rcu.org.
Legitimate Emails & Letters From Royal
Of course, Royal Credit Union and the SBA may still need to contact PPP loan borrowers about their loans using the same channels that hackers use.
- Royal Credit Union has finished contacting most PPP loan borrowers about their loans and about PPP loan forgiveness by email and postal mail.
- Royal provided email status updates throughout the PPP loan forgiveness process.
- Royal may make phone calls to borrowers as needed to discuss questions or other aspects of the PPP loan program.
Most importantly, if you ever have questions about if a message is really from Royal Credit Union, please don't provide any information. Instead, reach out to Royal and we can help.