
Paycheck Protection Program Scams Aimed At Businesses

We’ve learned of a number of scams targeting businesses using information from the Small Business Administration’s Paycheck Protection Program loans and related forgiveness process. This article includes some helpful information for spotting a scam and keeping your business safe.

Stop Phishing Attempts From Hackers

Phishing is an attempt to “fish” for your personal or business information by impersonating someone else. Phishers might pretend to be a bank or credit union, or even the Small Business Administration, using messages that look official and include the logos of a legitimate organization. These messages are often designed to lead you to a website that captures your business or personal information so that thieves can use it for ill-gotten gains later on.

To help stop these phishing attempts, please make sure to double-check emails and letters that appear to come from Royal Credit Union, other financial institutions, or the SBA, and think before providing your information. You can see an example of a phishing email from the U.S. Cybersecurity & Infrastructure Security Agency here.

Common red flag elements of a phishing email include:

  • A sending email address that doesn’t match the expected format. For example, most legitimate emails from Royal end in @rcu.org.
  • The email content does not match your expectations. For example, if the email references applying for your PPP loan and you have already received PPP loan funding and are expecting an email about PPP loan forgiveness, this could be a red flag.
  • A hyperlink that redirects to an unexpected website. For example, if the link takes you to a site other than sba.gov or rcu.org.
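The sender-address and hyperlink red flags above can also be checked by a mail filter or a help desk script. The following Python is an added example, not part of Royal Credit Union's article or systems; the function names and the sample message are constructed for illustration, and the expected domains are the ones named in the list above.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Domains the list above names as expected; adjust for your own institution.
EXPECTED_DOMAINS = ("rcu.org", "sba.gov")

def in_expected_domain(host):
    """True only for an expected domain or a true subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in EXPECTED_DOMAINS)

class LinkCollector(HTMLParser):
    """Collects the real destination (href) of every link, not its visible text."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def red_flags(raw_message):
    """Return the sender-domain and link-destination red flags for one message."""
    msg = message_from_string(raw_message)
    flags = []
    _, addr = parseaddr(msg.get("From", ""))
    sender_host = addr.rpartition("@")[2]
    if not in_expected_domain(sender_host):
        flags.append(f"sender domain: {sender_host or '(none)'}")
    links = LinkCollector()
    links.feed(msg.get_payload())
    for href in links.hrefs:
        host = urlsplit(href).hostname
        if not in_expected_domain(host):
            flags.append(f"link host: {host or '(none)'}")
    return flags

# Constructed sample, not a real message: the sender and the first link only
# begin with "rcu.org", and the link's visible text differs from its href.
SAMPLE = """\
From: "Royal Credit Union" <ppp-forgiveness@rcu.org.example>
Subject: Complete your PPP loan forgiveness application
Content-Type: text/html

<p><a href="https://rcu.org.forgiveness.example/apply">https://www.rcu.org/</a></p>
<p><a href="https://www.sba.gov/">Small Business Administration</a></p>
"""

if __name__ == "__main__":
    for flag in red_flags(SAMPLE):
        print("RED FLAG:", flag)
```

A message that passes these checks is not proven legitimate, because the From header can be forged; the check only surfaces the two mismatches the list describes.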

Because the Paycheck Protection Program uses public funds, the SBA has released many PPP loan details as part of open records requests. Unfortunately, this means malicious actors now have easy access to databases containing specific information about PPP borrowers. This gives hackers all the information they need to create targeted phishing attempts that prey on businesses and other organizations. Be aware that a potential phishing attempt could use this publicly available information to appear legitimate.

Legitimate Emails & Letters From Royal

Of course, Royal Credit Union and the SBA may still need to contact PPP loan borrowers about their loans using the same channels that hackers use. The following information explains how Royal and the SBA may use email, mail, or phone to contact you for legitimate business purposes.

  • Royal Credit Union will contact most PPP loan borrowers about their loans and about PPP loan forgiveness by email and postal mail.
  • For example, we have been emailing all borrowers throughout December 2020 to let them know that our PPP loan forgiveness application is available. We are also sending a letter in the mail with the information you’ll need to access our forgiveness application.
  • Royal’s legitimate emails and letters may ask you to visit a secure page on Royal Credit Union’s website to enter and upload your information. In some cases, Royal may provide a secure file transfer link to upload and send your documents using a secure file transfer tool.
  • Royal may contact you after you apply for forgiveness to gather any missing information we need to process your forgiveness request.
  • If the Small Business Administration chooses to review your loan, Royal may need to reach out to you to ask for more documentation. (The SBA may also contact borrowers directly, although at this time we do not anticipate a large number of borrowers will be contacted directly.)
  • Royal will also provide email status updates throughout the PPP loan forgiveness process, and we may also make phone calls to borrowers as needed to discuss questions or other aspects of the PPP loan program.

Most importantly, if you ever have questions about whether a message is really from Royal Credit Union, please reach out to us and we can help.