The Payroll Protection Program (“PPP”) may be an attractive target for cyber-fraudsters. Organizations of all levels of sophistication are about to receive large blocks of money, and that provides fraudsters with an opportunity to try to score big paydays by tricking lenders and organizations into sending that money to fraudsters.
We have been providing organizations with information about the PPP, which allows qualifying organizations to obtain loans for up to 2.5x their average monthly payroll costs. Lenders began accepting applications last Friday, and organizations may soon learn whether they are approved for the loans, and when they will be able to get the proceeds.
While PPP is undoubtedly a lifeline for many organizations, it also presents an attractive target for fraudsters. Many organizations will soon have access to a large amount of money to cover payroll and certain qualifying expenses. Fraudsters, however, are also able to work from home during this crisis, and may try to take advantage of both lenders and borrowers to obtain those loan proceeds.
We have covered many instances where fraudsters have inserted themselves into email communication chains between organizations and their vendors, or between organizations and their financial institutions. Typically, fraudsters attempt to convince the entity preparing to release funds that the destination for those funds should be the fraudster’s bank account. The fraudsters may use spoofed emails, or gain access to an email account and impersonate a legitimate sender to perpetrate the fraud.
If fraudsters succeed in convincing a lender or organization to send PPP funds to them, it will create legal havoc for the lender and organization. The best course for organizations and lenders is to be certain that payments are transmitted to the correct location. Often, a simple phone call to verify account information is sufficient to ensure that the destination for a funds transfer is correct. However, it is critical that the phone call be placed to a number known to belong to either the lender or organization. Fraudsters often provide phony callback numbers to try to prevent phone-call verification.
If an organization realizes fraudsters have stolen PPP funds, or any funds, the organization should act quickly:
- First, the organization should report the loss to the FBI at https://www.ic3.gov.
- Second, the organization should notify its insurance company of the potential loss to start the process for determining whether it has coverage for this type of loss.
- Third, the organization should consult with legal counsel to determine what obligations the organization may have to its lender, employees, or vendors.
- Finally, the organization should be prepared to retain a computer forensic firm to determine if fraudsters managed to steal funds by infiltrating the organization’s network.
For lenders, if a borrower notifies the lender that fraudsters have taken the organization’s PPP funds, or any funds, then the lender should recommend that the organization report the loss to the FBI and contact knowledgeable legal counsel. The lender will then want to consult its own legal counsel about who will likely be responsible for the loss.
Organizations have enough challenges to address without trying to recover lost funds that were supposed to be a lifeline. Taking the time to verify that funds transfers go to the correct location will ensure that organizations do not have one more problem to deal with.