Compliance
June 22, 2020

CT Expert Insights: How to Avoid COVID-19 Business Scams with Rosario Mendez

While many business owners are preparing to reopen their doors, scammers are likely the furthest thing from their minds. Nonetheless, many scammers are using COVID-19-related business opportunities to take advantage of unsuspecting businesses and employees.

The FTC’s Rosario Mendez joins Expert Insights to discuss the different types of scams she’s seeing today, like phishing and business email scams, which are hard to distinguish from legitimate communications. She reviews best practices regarding scams, including what to look for, trusted resources, and how to report a scam.


Welcome to CT Expert Insights. When your business needs people it can trust, you can count on us. We dedicate ourselves to getting to know your needs and finding solutions to meet them. You'll have a team of experts backing you up.

Greg Corombos: Hi, I'm Greg Corombos. Our guest this week on Expert Insights is Rosario Mendez. Rosario is an attorney in the Division of Consumer and Business Education at the Federal Trade Commission's Bureau of Consumer Protection. For the next few minutes, we'll be discussing a variety of scams that are currently aimed at small businesses as we prepare to open in the wake of the coronavirus pandemic. And Rosario, thanks so much for being with us.

Rosario Mendez: Thanks for having me. This is great.

GC: So disheartening to know that this happens, but it's certainly not a surprise. We see this in the wake of any major national calamity. You see scammers in the wake of natural disasters and so forth. So I don't think this is catching too many people by surprise, but with so many other things on the minds of business owners as they get ready to reopen or ramp up more than they already are, it's probably not the first thing on their mind. So let's just get a broad picture and then look at some of the more specific scams going on. But from what you can see so far, how pervasive is this right now? How much are business owners being inundated with scammers?

RM: Yes, I think it's really important to talk about this topic and to talk specifically about the scams that are targeting small businesses during this time of the pandemic. Because I think people forget that scammers also, you know, go after businesses, not just individuals. And at this time what we're seeing is that, you know, scammers really follow the headlines. So they know that there is money from the government going to small businesses. They know that small businesses are in need of money and in need of assistance, and they try to take advantage of that.

GC: And there are some more common ways than others that they do that, and I know the FTC is trying to make folks aware of that. One of the biggest ways is through what's called phishing emails. Explain what those are and what you should be on the lookout for.

RM: That's right. Phishing emails are a common practice of scammers. What it is, basically, is that you receive an email that looks like it's from an organization that you know, so it looks like it's from a government agency or it looks like it’s from your bank, or you know, from another organization, but it really is a scammer behind that email. And the reason that they try to do that is because they're trying to fish for your information. So they want you to click on the links that will take you either to another page where you are asked to put your personal information, since you're believing that it is a legitimate organization, you may do that. Or they are by clicking on that link, you may be downloading some malware that then is going to damage your computer or take information from your computer.

Sometimes it's very hard to know how these phishing emails work and how and if they are real or not, you know, like it's hard to spot. For example, we saw an email that looked like it was from the World Health Organization, and it was asking for people to click on a link in order to get some information on the pandemic. And it turned out to be a scammer behind that. It was not really the World Health Organization, but it looked like it.

So some of the signs to look for is, you know, make sure that you see the logo, sometimes they use appropriate logos and everything but check for typos, check for information that doesn't really make sense to you. And really, the best thing is, if you're not expecting an email from an organization, just go to the organization's website and find out the information that way better instead of clicking on any links on the emails that are asking you for any personal information and you don't know where they're coming from.

GC: So if you're not expecting an email that's asking you for personal information, it's not a good idea to just start filling that in. And what I've also seen from your report here, Rosario, is that sometimes it's emails that look like they're from someone even within your company, it could be your boss asking for something.

And this reminds me of a recent story, where I think it was Barbara Corcoran from the Shark Tank, either her personal assistant or she were scammed out of thousands and thousands of dollars because it looked like the email was legitimate. And it turned out that there was one letter that was either missing or different, and you just didn't notice it was coming. So is it kind of the same way with emails that look like they're coming even from within your own organization?

RM: That's right, and we're calling those business email scams. So basically, in this case, the scammer sets up an email that looks like it's from your company from your business. And you know, each could look like it's from the CEO or the President of the business. It could look like it's from someone from HR. They have the ability to do this.

Unfortunately, if the business email is not set up in a way that can prevent this, what happens is that an employee will get this email saying it looks like it's from the President or from the CEO or from HR and says, “We need your password immediately,” or “We need the bank account number.” This individual thinks that he's the boss, or thinks he's someone you know in the organization and goes ahead and gives that information.

This environment where a lot of people are working remotely—what we are suggesting is that every employee just really really checks before they give any information even if they think that is someone within the organization that is asking.

And we are also recommending that the business owners have a point of contact like one person within the organization that can confirm this thing. So if you receive an email like this, you would know who to talk to, you know, to confirm that this request is real or then they realize that he could not be real.

We are seeing it happening also with IT. The IT departments where like an employee would get an email that looks like it’s from their IT—either their IT department or their IT contractor. A lot of small businesses don't have their internal IT department but they will have a contractor that does that function for them. And what we're seeing is that potentially, you know, an employee could get an email from what looks like their IT contractor or their IT department and that asks them to click on a link that would supposedly do an update to the computer or to one of the software, for example, but in reality, what that is doing is downloading some malware that could damage the entire business network if the employee is connected to the business network remotely.

GC: We're talking with Rosario Mendez of the Federal Trade Commission and, Rosario, as you mentioned, and certainly, as the FTC has pointed out, another part of this is not just to infect networks and gain personal data. There's obviously a lot of small businesses out there that have gone for loans through the Paycheck Protection Program and through the CARES Act. And so there are CARES Act-related scams out there as well. What kind of form do those take, what do they look like?

RM: That's right. Ultimately, scammers are looking for money, and so they follow the money. And what we are seeing is that there are companies out there that are putting out information saying that they are a lender for the programs that the SBA has for small businesses, the Patient Protection Program, for example. But in reality, they are not authorized. And so we're seeing some problems with that.

In fact, we sued a company called SBA that was doing just that, or we allege that, you know, they were advertising themselves as a lender under the Paycheck Protection Program. They call themselves SBA You know, they have the symbol of the Capitol on their advertisement. So it makes it look like, you know, they're affiliated with the government. But what we allege is that they're not really authorized. They're not giving any loans related to the CARES Act. People who signed up to receive a loan from this company, not only they are wasting their time because they're not getting the loan, they're also now giving their business information to another party that they didn't intend to.

So what we tell businesses is to be really, really careful with applications and go to, only to apply for these loans and not click on any advertisement that you see online or much less on a random email that you receive from someone saying that they can get you the loan.

Only go to to find out who are the authorized lenders for the programs that are part of the CARES Act.

GC: Two quick questions before we let you go here, Rosario. First of all, I know the FTC wants business owners to report scams. So how do they do that?

RM: That's right. I think reporting scams is really really important for us and you can do it very easily at

And another good thing to do is talk to your employees about all these scams because the more that you talk about it, the more people are aware and they are going to be on the alert and avoid this.

GC: Like I said at the beginning, Rosario, we kind of scratched the surface here on this. Is there any particular site at the FTC where folks can learn more about all the different scams that are out there?

RM: Yes, we have a lot of information at

We have data that we're putting out daily on the scams that we are seeing related to the pandemic. We have tips and information that you can share with your employees and with your family and your neighbors. And we have a lot of information there that you can share on social media as well. As you know, we really count on everyone to spread the word about the scams that are happening so that people are aware and can spot them and avoid them.

GC: Rosario, it's a big issue. There's so much else that's on the plate of small business owners right now, the last thing they need to be worried about is scammers. So due diligence on this is very important as it always is, but especially right now, thank you very much for your time. We appreciate it.

RM: Great, thank you.

GC: Rosario Mendez is an attorney in the Division of Consumer and Business Education at the Federal Trade Commission's Bureau of Consumer Protection. I'm Greg Corombos, and for more information on this topic, you can also head to

With over 125 years of experience, CT is here to help you at every stage of the business lifecycle.