SBA loan programs
Small Business Administration (SBA) Safety:
The Economic Injury Disaster Loan (EIDL) and Paycheck Protection Program (PPP) provided a great opportunity for potential fraudsters to be very specific in their communications, making them appear even more legitimate.
- SBA does not initiate contact on either 7a or Disaster loans or grants. If you are proactively contacted by someone claiming to be from the SBA, suspect fraud.
- Always reference the application number. If you are in the process of applying for an SBA loan and receive email correspondence asking for PII, ensure that the referenced application number is consistent with the actual application number.
- Look out for phishing attacks/scams utilizing the SBA logo. These may be attempts to obtain your personally identifiable information (PII), to obtain personal banking access, or to install ransomware/malware on your computer. The presence of an SBA logo on a webpage does not guarantee the information is accurate or endorsed by SBA. Please cross-reference any information you receive with information available at www.sba.gov. Any email communication from SBA will come from accounts ending with sba.gov.
- Personally identifiable information. Don't release any private information (especially Social Security numbers, credit card information, or banking information) in response to an unsolicited call, letter, or email.
- Fraudulent SBA phone calls. These calls can be quite effective because, in addition to appearing legitimate, the caller can pressure and manipulate you into providing personal information. If you receive a phone call concerning any account, tell the caller you'll need to call them back, then dial a number you have on hand - not a number the caller gives you. A legitimate caller will not try to pressure you into staying on the line.
- Fake web pages. Cybercriminals impersonate the Small Business Administration COVID-19 relief webpage through phishing emails. The phishing emails contain a malicious link to a fake page used for redirects and credential theft. The phishing email subject line currently reads, "SBA Application - Review and Proceed" and the sender is shown as "disastercustomerservice@sba[.]gov." Legitimate government entities will have websites and emails that end with .gov such as www.sba.gov. Note: SBA.com is not a legitimate site.
- Fees & Conditions. If you are contacted by someone who promises to get an SBA loan approved but requires any payment upfront or offers a high-interest bridge loan in the interim, suspect fraud. SBA limits the fees a broker can charge a borrower to 3% for loans $50,000 or less and 2% for loans $50,000 to $1,000,000 with an additional ¼% on amounts over $1,000,000. Any attempt to charge more than these fees is inappropriate.
- You haven’t requested any documents. Be wary if you receive an email stating that you have documents to sign. If you haven’t requested any documents, it’s likely a phishing attack.
- You don't recognize the sender. If the email comes from a name you don't recognize, delete it. You shouldn't be receiving signature requests from strangers. If individuals or businesses legitimately want you to sign a document, they should contact you beforehand, letting you know that a signature request is on the way.
- Fake sender email address. Fake emails may include a forged email address in the "From" field, which is easily altered. If you don’t recognize the sender of a DocuSign envelope, contact the sender to verify the authenticity of the email.
- Check those links. You should never click on a link in a random email. Always check the URLs of those links. You'll often find that they aren't links to DocuSign but to other companies. Avoid fake links by accessing your documents directly from https://www.docusign.com using the unique security code found at the bottom of the DocuSign notification email. Always check where a link goes before you click on it by hovering your mouse over the link to look at the URL in your browser or email status bar (they should be hosted on docusign.com or docusign.net).
- Watch for misspellings. Scammers often send their phishing attacks from emails that are close to but not exactly the same as those used by legitimate companies. For instance, instead of coming from email addresses ending in @docusign.com, they might come from ones ending with @docusgn.com or @docus.com.
- Attachments. DocuSign emails that request you to sign a document never contain attachments of any kind. Don’t open or click on attachments within an email requesting your signature. DocuSign emails only contain PDF attachments of completed documents after all parties have signed the document. Even then, pay close attention to the attachment to ensure it’s a valid PDF file. DocuSign never attaches zip files or executables.
- Generic greetings. Many fake emails begin with a generic greeting like “Dear DocuSign Customer.” If you don’t see your name in the salutation, be suspicious and don’t click on any links or attachments.
- False sense of urgency. Many fake emails try to deceive you with the threat that your account is in jeopardy if you don’t provide immediate updates. They may also state that unauthorized transactions have occurred on your account or that DocuSign needs to update your account information immediately.
- Unsafe sites. The term "https" should always precede any website address where you enter personal information. The "s" stands for secure. If you don't see "https," you're not in a secure Web session, and you shouldn’t enter any personal data. A legitimate DocuSign sign-in page address always starts with “https://” not “http://.”
- Pop-up boxes. DocuSign never uses a pop-up box in an email, because pop-ups aren’t secure.
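
The link and sender checks in the list above ("Check those links", "Watch for misspellings", "Unsafe sites", and the sba.gov sender rule) can be automated. The following is an added example, not code from SBA or DocuSign; the function names, the trusted-domain lists (taken from the domains this page names) and the sample links are assumptions made for illustration.

```python
from email.utils import parseaddr
from urllib.parse import urlsplit

# Domains the page names as legitimate (sba.com is explicitly not one).
LINK_DOMAINS = ("docusign.com", "docusign.net", "sba.gov")
SENDER_DOMAINS = ("docusign.com", "sba.gov")


def under_trusted(host, domains):
    """True only if host is a trusted domain or a subdomain of one."""
    host = host.rstrip(".").lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def check_link(url):
    """Return (ok, reason) for a link copied from an email."""
    try:
        parts = urlsplit(url.strip())
        host = parts.hostname or ""
    except ValueError:
        return False, "malformed URL"
    if parts.scheme != "https":
        return False, "not https"
    if "@" in parts.netloc:
        return False, "text before '@' is not the host"
    if not under_trusted(host, LINK_DOMAINS):
        return False, "host is not under a trusted domain"
    return True, host


def check_sender(from_header):
    """Return True if the From address is under a trusted domain.

    A pass is not proof of authenticity: the From field is easily forged.
    """
    _, address = parseaddr(from_header)
    domain = address.rpartition("@")[2]
    return bool(domain) and under_trusted(domain, SENDER_DOMAINS)


# Constructed sample links (not taken from any real message).
SAMPLES = [
    "https://www.docusign.com/",
    "https://app.docusign.net/signing/abc",
    "http://www.docusign.com/",
    "https://www.docusgn.com/",
    "https://docusign.com.login.example/",
    "https://www.docusign.com@login.example/",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(url, "->", check_link(url))
```

The suffix test matches on a leading dot, so a host that merely contains or ends with a trusted name without being its subdomain is rejected.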