Business Loan Scams

Business loan scams happen when a scammer pretends to be a lender or small business loan broker in order to steal money, personal information, and/or business information.

**In the face of COVID-19, many small businesses are looking for help from the CARES Act’s Paycheck Protection Program. They may apply for PPP loans with eligible Paycheck Protection Program lenders from the Small Business Administration (SBA). Find eligible Paycheck Protection Program lenders.**

Red Flags of a Business Loan Scam

It may be a scam if the lender…

asks for a down payment or upfront cost before approval.
doesn’t have a physical address or any contact information listed online.
is offering a deal that far exceeds deals offered by other lenders. If it sounds too good to be true, it probably is.
guarantees approval before you submit your business application.
contacts you using a generic email address from Gmail, Hotmail, Yahoo or another generic email account.
sends you an unsolicited loan offer.
is trying to rush you into making a decision and uses phrases like “limited time only” or “last chance.”

If you think your business has been affected by a business loan scam, we recommend that you act immediately by following our guidelines below, and then proceed to our Report, Recover and Reinforce sections for further assistance. Remember, identity theft can affect your business’s finances, privacy, and reputation.

Some Immediate Action Steps to Take

If you sent money or the scammer has obtained sensitive financial information, contact your bank or financial institution immediately.
Collect all relevant documentation related to the incident. You may need to provide this documentation when you file a report or seek legal counsel.
Report the incident to your local law enforcement agency by calling the non-emergency number. Obtain a copy of the incident report and store it with other relevant documentation related to the incident.

Report

Reporting cybercrime incidents to the FBI Internet Crime Complaint Center (IC3) is very important! The more national reporting data that is collected, the better the chance law enforcement has to catch the criminals and decrease online crime. Although the FBI does not resolve individual complaints directly, they will make your report available to local, state and other law enforcement partners. The FAQs about reporting can be found here. Please read the FBI/IC3 privacy policy here. (If you believe that you’ve received a phishing email, please forward the email directly to reportphishing@apwg.org.)

Report fraud, waste, abuse, or mismanagement of federal funds involving SBA programs, operations, or personnel to the SBA OIG Hotline at 800-767-0385 or file a complaint online.

Report the scam to the BBB Scam Tracker. The BBB will use your report to warn others.

Recover

These resources have been gathered, selected and vetted to help simplify the process of recovering after a cybercrime incident has taken place. You may need to contact organizations outside FraudSupport.org. Results will vary depending on your circumstances.

If the scammer has gained access to personal information, contact the Identity Theft Resource Center for identity theft resources:
call 1-888-400-5530 or chat at ITRC
Tips on how to respond to a cyber incident (starting on page 12)
FTC: Cybersecurity for Small Businesses

Reinforce

Once you have notified the appropriate organizations and you are on the road to recovery, it is time to reinforce your cybersecurity using these resources and tools.

Improve Your Security: Find cybersecurity tools to enhance your business’ online safety.
Be aware of other scams that could affect your business with the FTC’s Small Business Scams Guide

Implement Preventive Measures

Be suspicious of ads guaranteeing approval or offering rates that are unrealistic.
Be on the lookout for fake websites. Check for verified contact information and state licenses to confirm if the website is legitimate.
- Visit ITRC’s website to find out how to spot a fake website.
Advise your employees to never click on a link or open an email attachment from someone they don’t know and verify before clicking on an email from a trusted source that you are not expecting.
- Forward phishing emails or websites to the Anti-Phishing Working Group at reportphishing@apwg.org
Create strong passwords. Learn how from ConnectSafely.org.
Always enable a two-step/factor verification on your email, social media and other online accounts– which requires an additional code to log in.
Learn how to understand and address cybersecurity risks with the CISA Cyber Essentials Toolkits.