Phishing Campaign Lures US Businesses With Fake PPP Loans


Threat actors are sending phishing emails impersonating a Small Business Administration (SBA) lender to prey on US business owners who want to apply for a Paycheck Protection Program (PPP) loan to keep their business going during the COVID-19 crisis.

PPP allows businesses to apply for an SBA loan designed to help them keep their workforce employed throughout the current pandemic.

This loan program was launched by the U.S. government on April 3rd, 2020, as part of the CARES Act, which allows small business owners to apply for low-interest loans that will be forgiven by the government if used for payroll.

The attackers behind this phishing campaign are taking advantage of the ongoing financial problems some businesses are experiencing due to the pandemic to lure them into handing over sensitive business and personal info.

In the phishing messages, they are posing as the president of World Trade Finance, a delegated SBA lender that finances small businesses with government-backed loans up to $5,000,000.

As found by researchers at email security company Abnormal Security who spotted this phishing campaign, the targets are lured with a link to a Microsoft Forms survey camouflaged as a PPP registration form.


Phishing email (Abnormal Security)

After clicking the link embedded in the phishing email, the targets are redirected to a page where they are asked to enter sensitive business information including but not limited to the owner’s social security number, name, and date of birth.

The targets are also asked to provide business information including cost of operation, cost of goods, and gross revenues for the twelve months before the pandemic.

“If recipients fall victim to the phishing ploy and enter their credentials, they provide attackers with confidential information that would expose their business to fraudulent activity,” Abnormal Security said.

“The attack was sent to a mass amount of receipts, increasing its chances of someone falling prey,” using a sender email from a domain designed to mimic an official government SBA site (i.e., [email protected]).

Phishing landing page (Abnormal Security)

A similar phishing campaign has targeted the hundreds of thousands of small businesses that applied for Payroll Protection Program SBA loans in April 2020.

Those attacks, however, were focused on trying to steal Microsoft account credentials by asking the targets to sign into their accounts via a phishing landing page designed to resemble a Microsoft login page.

All entered credentials were stolen by the attackers to later be used in Business Email Compromise (BEC) scams, network compromise, or in further phishing attacks.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) also alerted businesses of phishing campaigns attempting to harvest logins for Small Business Administration COVID-19 loan relief accounts.


To avoid falling victim to such attacks, check the source of the email message for the sender address, so you can find the real sender even when the email appears to come from a spoofed address.

Also, paying attention to the URL in your web browser’s address bar will allow you to avoid entering information on phishing pages hosted on Google Docs, Microsoft Forms, and other similar online services.
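The two checks above can be automated when triaging a reported message. The following is an added example, not code from the article or from Abnormal Security: it compares the visible From domain with the Return-Path and Reply-To domains, reads the receiving server's SPF/DKIM/DMARC results, and flags links to generic form hosts. The sample message, the `.example` domains, the function names and the `FORM_HOSTS` list are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: hosts for the form/doc services the article names; extend as needed.
FORM_HOSTS = {"forms.office.com", "docs.google.com", "forms.gle"}

# Constructed sample message (reserved .example domains, placeholder form link).
SAMPLE = """\
Return-Path: <bounce@mailer.example>
Authentication-Results: mx.recipient.example; spf=fail smtp.mailfrom=mailer.example;
 dkim=none; dmarc=fail header.from=sba-lender.example
From: "SBA Lender" <loans@sba-lender.example>
Reply-To: apply@collector.example
Subject: PPP loan registration

Complete your registration: https://forms.office.com/r/CONSTRUCTED
"""

def domain_of(header_value):
    # Domain part of the address in a header, or '' if the header is absent.
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def triage(raw):
    """Return a list of findings for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    findings = []
    from_dom = domain_of(msg["From"])
    # The displayed From is sender-chosen; compare it with envelope and reply paths.
    for name in ("Return-Path", "Reply-To"):
        dom = domain_of(msg[name])
        if dom and dom != from_dom:
            findings.append(f"{name} domain {dom} != From domain {from_dom}")
    # Results stamped by the receiving server (first such header only).
    auth = (msg["Authentication-Results"] or "").lower()
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if not m or m.group(1) != "pass":
            findings.append(f"{mech}={m.group(1) if m else 'missing'}")
    # Links that lead to a generic form host instead of the claimed sender's site.
    for part in msg.walk():
        text = (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
        for url in re.findall(r"https?://[^\s\"'<>]+", text):
            host = (urlparse(url).hostname or "").lower()
            if host in FORM_HOSTS:
                findings.append(f"link to form-hosting service: {host}")
    return findings
```

Treat the findings as triage hints: legitimate bulk mail often has a Return-Path on a mail provider's domain, so a mismatch alone is not a verdict.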
