PPP loan data scams

In January of this year, the U.S. Small Business Administration inspector general estimated $136 billion in fraud from the EIDL and $64 billion in fraud from the PPP. About the same amount the U.S. to sent Ukraine the first time around. But honestly, considering the scams TBA and our ISAO are seeing, I think the number is much larger.

While scams related to PPP loans are not new, we have noticed an uptick in their prevalence, and we’ve identified a handful of different tactics used by the bad guys. It appears that the fraudsters have capitalized on the loan data made public in 2020 by the SBA. This information includes names, types, addresses, loan amounts, funding dates, employee numbers and financial institutions. Who in the heck thought that was a good idea? Ask any fraudster what the first step in their scams is: to gather as much information as possible from their targets so they can impersonate, use scare tactics, compromise accounts, etc.

Examples that we’ve seen so far:

Scenario one

The bank reports that criminals impersonating the sheriff’s department called the bank customer saying that a warrant had been issued for their arrest due to their failure to appear at a court hearing. The hearing was supposed to be about fraudulent PPP loan applications. The scammers said the customer could post a “cash bond” rather than appear, then provide information for where to send the money. The criminals are utilizing public PPP records to identify their potential victims by using a scare tactic.

If customers are contacted in this manner, they should write down the name of the purported law enforcement office and the name of the supposed agency. Customers should first contact their local police or sheriff’s department, independent of any contact information provided over the phone. Scammers are good at providing fake phone numbers, phony email accounts and forged documents. They often use the names of real law enforcement officers obtained from public websites. 

Scenario two

Using information obtained from the public PPP loans, the scammers are spoofing the bank’s phone number. When they call the customer, they claim to be from the bank’s fraud department and state unusual or suspicious activity on the account. They then send the customer a link to reset their banking credentials and ask for the one-time passcode while on the phone. 

What you can do

Point your customers to ABA’s, Banks Never Ask That — www.banksneveraskthat.com — or TBA’s Banking Safely webpage —  www.texasbankers.com/banking-safely. Following is some information you can share with your customers to help safeguard them. 

Be skeptical

Unusual caller ID — While caller ID can be spoofed, legitimate calls from your bank are more likely to display an official phone number or a known identifier. If not, be very skeptical.

Scare tactics or threats — Phishing calls rely on a sense of urgency. If the caller pressures you into immediate action or threatens negative consequences, just hang up and call the number on the back of your bank card.

Asking for personal information — Banks will rarely ask for your account number, PIN or password during a call — and will never ask for a one-time login code. Never share such confidential details unless you’ve called the number on the back of your bank card.

Calling you unexpectedly — Be very skeptical of calls you receive out of the blue. Normally, bank representatives will only reach out if you initiate contact first. Stay safe by ending the call and dialing the number on the back of your bank card. (American Bankers Association)

On a positive note, several of the scams reported to the ISAO were thwarted by very alert bank staff. Utilizing fraud detection and monitoring tools is not enough. The key is educating your customers. Make them aware of the risks they face, what to look for and safe transaction tips. In the end, this makes your customers trust your bank even more.