Unemployment and SBA Loan Fraud Swells in Illicit Online Communities Amid Coronavirus



As the world continues to grapple with the devastating and ongoing fallout from COVID-19, cybercriminals continue to pursue ways to benefit from it.

Here at Flashpoint, we’re tracking significant shifts in cybercriminal tendencies and associated activity on illicit online communities, marketplaces, and encrypted chat services like Telegram. Deprived of pre-coronavirus income streams, cybercriminals and fraudsters quickly turned to scamming state unemployment payments systems and federal emergency loan programs.  



Unemployment and SBA Loan Fraud Swell in Online Illicit Communities

On April 2, 2020, a major new fraud market emerged when U.S. President Donald Trump signed the US Coronavirus Aid, Relief, and Economic Security (CARES) Act, including a $349 billion small business provision providing a critical lifeline to suffering small businesses across the United States. In mid-June 2020, when the SBA reopened and expanded its Economic Injury Disaster Loans (EIDL) relief program, a surge of SBA-related fraud offers and content began circulating across the online criminal underground.

With a quick search query in Flashpoint’s Intelligence Platform—which contains collected activity from cybercriminal forums and chat rooms—we see right away that mentions of the keyword “SBA” skyrocketed from a paltry handful in the spring of 2020 to the tens of thousands by the late summer and fall (see Figure 1).



Figure 1: SBA Loan Fraud Took Off in June, Based on Flashpoint Intelligence



Vendors Flood Illicit Marketplaces with Coronavirus-Related Fraud Schemes

Today, heaps of illicit online vendors offer SBA fraud “walkthrus,” often including “same day approval” guarantees and the highest payout for their particular FEMA or SBA Loan fraud method. Some actors, observed by Flashpoint on Telegram channels, make even bolder claims to potential buyers:

“The SBA loan… they don’t call or nothing they just deposit the money.” 

“FEMA sauce ongoing, don’t wait until they start asking for documents and Ids, get with it now.”

To prove their credibility, illicit vendors post screenshots of their fraud techniques mid-process and list the amounts of their successful fraudulent claims—which, for one vendor, meant payouts of $79,800, $150,000, and $239,200. In some cases, they include photos of bank statements with their successful payout from the US SBA. Some even go as far as to include free, multi-step tutorials with detailed screenshots that guide their users through the entire SBA loan application process.

A separate recent screenshot published in a fraud channel on Telegram shows a Kansas Department of Labor envelope and a Way2Go debit card used to launder the proceeds of the transaction–along with the caption, “Kansas still banging hot.”  



Figure 2: Cybercriminals Share Pictures of Successful SBA Loan Fraud Schemes



Beyond SBA Loans, Other Unemployment and Pandemic-Related Fraud Spiked Too

In a near-identical trendline, chatter discussing fraud schemes to exploit the Pandemic Unemployment Assistance (PUA) funds rose significantly starting back in May 2020 (see Figure 3). Now facing pressure with fraud activity at peak levels, fierce competition amongst illicit vendors compels them to make bolder offers and to extend operations to various state-led initiatives throughout the country.

Nonetheless, some states appear to be targeted more than others. For example, one vendor advised prospective clients that “PA has the highest payout for unemployment benefits weekly.” Another posted a screenshot of a pandemic unemployment benefit deposit of $15,640, with the caption “Yo kansas is still payin.  Thanks for the sauce bro.”  



Figure 3: Unemployment Fraud Chatter Began Rising Heavily in May 2020



Trending Data Offers Early Signals to New Threats

By tracking relevant names, keywords, and activities, security and threat professionals can uncover a wealth of valuable data. This form of proactive threat alerting and trending signals can pinpoint shifts in adversarial tactics, techniques, and procedures (TTPs), as well as identify new vulnerabilities and other points of exposure for your organization and your entire extended third-party ecosystem. 

Put Flashpoint Alerting to the Test

With Flashpoint, you’re equipped with a range of trending and threat alerting options at your disposal. Try out Flashpoint risk-free for 30 days today!