On Monday, the U.S. Small Business Administration (SBA) released loan data for more than 660,000 large Paycheck Protection Program (PPP) loans made to businesses over the past few months.  You may have seen some scandalous local and national news articles regarding recipients, but the data released contains some much more concerning information that all financial institutions (FIs) and their business customers must now take into consideration to protect against general fraud, targeted phishing, other types of social engineering, and corporate account takeover (CATO.)

The data set released by the SBA is divided into several parts; individual state records with anonymous details of loans up to $150,000 and one very large spreadsheet of all PPP loans exceeding $150,000 with approximate loan amount ranges, names of business recipients, associated address details, and the most concerning element: the lender.  Your customer names along with their lending partner.  What could possibly go wrong?

You can find this data set at:  https://www.sba.gov/funding-programs/loans/coronavirus-relief-options/paycheck-protection-program#section-header-11

What’s the big deal?  The data set doesn’t disclose the actual loan amounts, account numbers, names of business principals, or anything like that.  Someone please correct us if we’re wrong, but I don’t believe anything of this sort, with customer/FI correlations, has ever been intentionally released in such an easily accessible package.

Here’s a visual:

Think like a bad guy with me for a while.

If I want to target a financial institution, knowing details of their business customers may assist me in formulating sophisticated spear phishing attacks to a bank or credit union and may even provide a springboard for online banking CATO attempts if easily guessed, generic credential details are used by business customers.  It can also be flipped the other way;  I can target these businesses while posing as someone from the FI by phone, email, or even in-person social engineering.

Before you begin freaking out about the negative potential here, take a breath. There’s no putting the genie back in the bottle, but there are several things that you can do to try to minimize the impact of the SBA PPP data set being used against you and your customers.

Download the >$150,000 or more spreadsheet from the SBA website. It’s about 130 megabytes, so you’ll want to work with this on a computer with decent RAM specs and have most other documents and applications closed.  Open it in your favorite spreadsheet viewer and filter it by the Lender column; selecting only your FI name(s).  The resulting list should look familiar.  These business customers should be given special attention:

  • Consider contacting each of them, preferably the company principal or whomever your bank worked with to establish their PPP loan, through typical channels. Make them aware of the SBA PPP data set exposure.  You can find the official press release here:  https://www.sba.gov/about-sba/sba-newsroom/press-releases-media-advisories/sba-and-treasury-announce-release-paycheck-protection-program-loan-data
  • Educate or re-educate your contacts on the potential for fraud using this newly public data. Make a strong impact by using examples of how attacks may look specifically for the customer.  Phishing, vishing, mail, in-person social engineering, and online banking account access attempts are all possible not only for the businesses, but their personal accounts as well.  (Many business customers also hold personal accounts with community FIs.  Business principal details may be easily found at https://opencorporates.com )  Reinforce official contact methods and the types of information your staff may ask for using each method along with the types of information your staff will not ask for over phone calls or emails.  Encourage business contacts to disseminate this information to others within their organization, especially those that interact with your FI.

On the FI staff side, do the same.  Let employees know about the public SBA PPP data and reinforce internal policy expectations for Customer Identification Program (CIP) and CATO protections.  Re-educate on fraud attack vectors mentioned above and be sure to highlight that impersonation attempts may be either attackers posing as customers targeting the FI or as the FI targeting customers.

At 10-D Security, we don’t only look at IT and Information Security environments with a critical lens for  deficiencies, we also do our best to give credit where it’s due for good practices.  Here are some fraud prevention controls we’ve seen implemented in our customer environments over the years that may help this time around:

  • Many core and other customer relationship management (CRM) platforms support custom attributes. Consider using such an attribute flag or captive note field to alert internal staff of “PPP exposure” prior to or during any related account transfer interaction.  Don’t forget personal accounts associated with the exposed businesses as well.  Having such a control enabled within your environment may increase your staff’s awareness of any potential oddities during customer interactions through any of your approved contact methods.
  • Buy up domain name variants. It’s an imperfect method of preventing branded phishing attempts, but it’s a cheap insurance policy.  com will probably have .org, .us, .net, and other peers available at nominal cost through your favorite budget registrar.  If you want to get advanced with it, bankofwhateveremail.com, bankofwhateveronline.com, and others may be worth including.  Having these may prevent attackers from easily propping up look-alike websites or email addresses.
  • Require business customers use out-of-band multi-factor authentication (MFA) and unique usernames for online banking access. Using one of the customer names from the data set image above as an example, an attacker may attempt to login as westernsales on their bank’s website;  Without MFA access credentials, the attacker would be dead in the water.  If there is no MFA required, attempts may result in unauthorized account access or denial of service through repeated failed password attempts.  CATO is scary, but also imagine dealing with your entire business customer base being locked out of online banking at the same time.  If westernsales isn’t a real username, that security through obscurity may actually assist in account protection.
  • Educate employees not to trust Caller ID or simple voice recognition of business customers as a CIP method. Caller ID can be easily spoofed, and mobile phone SIM swapping is on the rise.  Consider requiring call-in business customer requests to have a unique password phrase before performing any account transfer activities or information disclosure.  Again, many cores and other CRM platforms support custom attributes that may assist in implementing such a process.
  • Consider adjusting affected customer transaction sensitivity in your BSA or other fraud detection platforms to manually alert on transaction types or volumes that may be anomalous.
  • Increase visibility of potential electronic banking, phone-based, and other customer-related incidents by disseminating employee reports broadly within your environment. Keep your Information Security Officer and IT staff in the loop on what’s happening at the customer level.  They may be able to assist with investigation or correlations with other incidents in real-time.  Assure all customer-facing staff are aware of internal policies and processes regarding anomalous customer activity reporting.

Authored by:  Kyle Stelly, CISSP, PCIP

Download Blog