How to protect your small business from COVID-19-related scams and cybersecurity threats

Scammers and hackers are always on the lookout for new ways to steal data and extort money from businesses and individuals. The federal aid made available by the CARES Act, combined with widespread anxiety and uncertainty, creates perfect conditions for scammers and hackers, and they’ve been quick to act—preying on the unaware and breaching computer systems. Having the right controls in place can help you protect your business and your employees from hacking and fraud.

COVID-19 small business loan scams and how to protect your business

As of March 31, 2020, the Federal Trade Commission had received nearly 8,000 coronavirus-related complaints from customers—with half coming in the last week of March alone.¹ Among the top scams are attempts to steal financial information or outright cash by people claiming to represent the government or a bank.

Sometimes, scammers ask for bank account information they claim to need for an economic impact payment or loan deposit, or they say that they’re filing stimulus-related loans on behalf of a business in exchange for a fee.

Anyone offering you unsolicited loan help is likely up to no good. Only the U.S. Small Business Administration (SBA) can make paycheck protection or economic injury disaster loans to businesses hurt by COVID-19-related shutdowns. There are three things you should know about the SBA²:

1. They don’t contact you unless you’ve contacted them.

2. They don’t make cash grants, only loans and loan advances.

3. They communicate by email: Their emails come from an email address, and any email correspondence includes the confirmation number provided by the SBA at the time of your loan application.

Any proactive communication about an economic relief loan, payroll assistance loan, or cash relief payment is fraud, and you should ignore it.

As a rule, you should never release private information—especially employer identification, Social Security, credit card, and bank account numbers—to an unknown party or to a party requesting information about a loan you didn’t initiate or that doesn’t come from a source you know to be legitimate.

CARES Act cyber scams and how to keep your information secure

Cyber scammers seeking to exploit COVID-19-related disruptions have several ways to steal critical information about your business and employees. Their methods include fake coronavirus-related information sites and smartphone apps, phony economic aid websites, and emails laced with malware and/or phishing programs.

Your remote workforce is also vulnerable. Scammers posing as high-speed internet or employer technical support may ask for sensitive network information. “Zoom bombers” can interrupt meetings with potentially offensive and emotionally distressing outbursts. And unsecured home WiFi networks are an easy target for cyberthieves seeking personal or company information.

To protect your business from these and other threats posed by cyber scammers, you should:

  • Make software updates automatic—Continuous updates reduce the chance that a scammer can exploit known vulnerabilities.
  • Establish security policies and frameworks—Protecting data and storage systems requires setting up a process that has support from the top of the company on down. Make sure employees know how to report suspicious emails and links.
  • Educate—Share best practices with employees, and make sure they understand that strong passwords are the best first line of defense.
  • Test—Conduct phishing exercises to help your employees recognize phishing email scams, and learn how to stay safe during national security events.

Finally, if you don’t have a business continuity plan, now’s the time to make one. Use the current scenario of a remote workforce and worldwide disruption to create a plan that keeps your business running and secure in any circumstance.

Start preparing for COVID-19 scams today

It’s an unfortunate reality that financial scammers and cybercriminals are taking advantage of the unfolding international crisis brought about by COVID-19. Cybersecurity measures and best practices that were in place before COVID-19 should help you protect your business and employees through this crisis as well. Among those best practices is staying up to date on new scams and communicating them to your employees and business partners.     

Make sure your employees are aware of the importance of caution when asked for company or personal information and how to report any calls, emails, or texts they receive. Take a look at your cybersecurity and business continuity plans through this new and very real lens of a global crisis to be sure your infrastructure, technologies, processes, and policies are prepared to weather the continually evolving situation.

1 “FTC Data Shows Jump in Coronavirus-related Complaints from Consumers,” Federal Trade Commission, March 2020.

2 “Economic Injury Disaster Loan Emergency Advance,” U.S. Small Business Administration, 2020.

The content of this document is for general information only and is believed to be accurate and reliable as of the posting date, but may be subject to change. It is not intended to provide investment, tax, or legal advice. Please consult your own independent advisor as to any investment, tax, or legal statements made herein.



Thomas Shola, Assistant Vice President, IT Cybersecurity Officer, John Hancock Retirement