Fraudsters are exploiting lingering pandemic-loan confusion, publicly accessible borrower data, and forgiveness anxiety to target past recipients with fake reviews, bogus payment requests, and lender impersonation schemes.
WASHINGTON, DC
If Part 1 was about the scale of the theft, Part 2 about the mechanics of the fraud, Part 3 about the brazen misuse of funds, Part 4 about stolen identities, Part 5 about the decade-long legal exposure for scammers, and Part 6 about the federal crackdown, then Part 7 is about a cruel second wave of harm. The first crime was the looting of pandemic relief. The second, increasingly, is the exploitation of the people and businesses that participated in the program lawfully.
For many legitimate PPP borrowers, the trouble did not end when the money was spent correctly, the forgiveness application was filed, or the business survived the pandemic. A new class of scammers has learned to prey on the program’s administrative afterlife. They target old borrowers with phishing calls, fake review notices, bogus fee demands, lender impersonation, and fraudulent requests for financial information, counting on one simple fact: even years later, many business owners still do not know what a real PPP communication should look like.
That is what makes this phase of the story so dangerous. It is not classic emergency fraud in the original sense. It is aftershock fraud. The criminal no longer needs to invent a fake restaurant, a fake payroll processor, or a fake Schedule C to get government money directly. Now the criminal can weaponize confusion, public records, and fear. A borrower who once complied with the system in good faith suddenly becomes a target precisely because they were a real participant in the system.
Legitimate borrowers are now being hit because the program never really ended administratively.
One reason these scams work is that the Paycheck Protection Program is over politically but not fully over operationally. Borrowers can still encounter forgiveness questions, recordkeeping obligations, lender contact, or government review issues years after the original disbursement. The official PPP loan forgiveness framework remains active, and SBA states clearly that while some small-loan borrowers do not have to submit all documentation up front, they should still be prepared to provide relevant records if requested as part of a loan review or audit process.
That lingering administrative reality creates the perfect backdrop for phishing. A fake message does not have to be especially sophisticated if it sounds close enough to something the borrower believes might still happen. A business owner who hears “forgiveness review,” “collections issue,” “document verification,” or “loan audit” may not immediately dismiss the message as absurd because the PPP file may still feel unresolved in some corner of their business life.
This is the central vulnerability scammers exploit. They do not need to invent a completely foreign narrative. They only need to imitate a real administrative possibility and then add urgency, fear, or a payment demand.
The target list is easier to build than many borrowers realize.
One reason this second-wave fraud is so dangerous is that the universe of past PPP borrowers is not hard to identify. SBA still maintains PPP data, including downloadable loan data in CSV format. That public-access environment does not by itself prove that any one phishing ring built its contact list directly from SBA records. But it does mean that the population of past borrowers is far more visible than many small-business owners assume.
For scammers, visibility is an opportunity. A borrower who once thought the pandemic program was an old, closed chapter may not realize that public-facing loan data, archived business information, lender relationships, and commercial data brokers can together make former PPP recipients easier to identify than the average business owner. Once a scammer knows a business has received a loan, the next step is not difficult. Impersonate the lender. Impersonate the SBA. Impersonate a collections firm. Impersonate a government contractor supposedly assigned to “clear” the file.
This is why the phishing threat feels personal for legitimate borrowers. They are being targeted not randomly, but because they are known to have a history with the program. In other words, the relief file that once kept the business alive can become the signal that attracts the next scam.
SBA has already warned that this is happening.
This is not speculative. In 2024, SBA published a direct warning in its blog, Stay Safe: Tips to Protect Your Business from Scams Targeting COVID Loan Borrowers. The agency said scammers have targeted PPP and COVID-EIDL borrowers with phishing calls or emails that impersonate a lender, a collection agency, or even the SBA itself.
That warning is significant because it confirms the victims are not imaginary and the tactic is not fringe. This is now part of the official risk environment around old pandemic loans. The scammers understand that an email with the SBA logo, a message using lender language, or a demand framed as a collections follow-up can sound plausible enough to trigger a reaction from a borrower already tired of years of shifting rules, delayed communication, and lingering uncertainty.
The SBA warning also makes another critical point. Government employees do not charge borrowers for help accessing federal services. That matters because one of the easiest ways to spot a scam is the sudden introduction of a fee, an expedited-processing charge, a document-release charge, or some other payment demand dressed up as an administrative necessity. Real confusion about forgiveness, review, or collections is precisely what fraudsters monetize.
The fake “forgiveness problem” is one of the strongest hooks.
Among the most effective scams targeting legitimate PPP borrowers are those built on the idea that something is wrong with forgiveness. The borrower is told that a document is missing. A review is pending. A file needs immediate correction. An audit has been triggered. A deadline is about to lapse. Some scammers go further and imply that a quick payment, professional service fee, or verification charge can solve the problem immediately.
The reason this works is that forgiveness has always felt bureaucratic enough to be believable. Borrowers know there were forms, lender involvement, SBA involvement, evolving rules, documentation standards, and, in some cases, later review. A scammer does not need the story to be legally perfect. The scammer only needs it to be close enough to the real architecture of PPP administration for the borrower to hesitate rather than delete the message.
That is what makes legitimate recipients into what might be called double victims. First, they had to navigate a rushed emergency program during a national crisis. Then they had to manage the compliance tail that followed. Now, some are being targeted again because criminals know that old uncertainty can still be converted into new money.
Collections language is another powerful weapon.
SBA’s warning specifically mentions impersonation of collection agencies, and that detail matters. For borrowers with outstanding questions, unresolved records, or confusion about what was forgiven and what was not, collections language can be extremely effective. A fake message framed as a demand for repayment, a threatened referral, a delinquency correction, or a notice of enforcement can push a business owner into exactly the wrong state of mind.
Once panic enters the picture, normal skepticism weakens. The borrower may click before checking the sender. They may call the number in the message instead of the number on an official site. They may hand over banking details, tax information, login credentials, or copies of documents that a scammer can later use for further fraud. In some cases, the scam may aim directly at money. In others, the real goal may be account takeover or identity theft.
This is why the phrase phishing can be too mild for what is happening. These scams are not only about deceptive emails. They are about pressure. The borrower is made to feel late, exposed, or in danger of official action. Once that emotional frame is established, the rest of the manipulation becomes easier.
Identity theft remains part of the aftermath.
The danger is not limited to borrowers who actually received PPP loans. FTC continues to warn that if you receive a bill for an SBA PPP or EIDL loan you never applied for, an identity thief probably used your personal information to get it. That point matters because some victims in the post-program environment are not being targeted as real borrowers at all. They are being dragged into the system because a scammer already used their identity earlier in the pandemic.
That means Part 7 connects directly to Part 4. The human cost of identity theft did not end when the fraudulent application was approved. Victims may still face fraudulent contacts, bills, fake follow-up messages, or scams pretending to “resolve” a loan they never requested in the first place. The FTC’s identity-theft guidance for SBA loan victims underscores how real that problem remains.
In other words, the same data exposure and administrative confusion that helped fraudsters steal from the government can later help them steal again from the people caught in the paperwork.
The scam works because it borrows the language of real compliance.
A good PPP-targeted scam is not random. It is designed to sound like normal business administration. It uses words such as lender review, document deficiency, forgiveness status, collections action, SBA verification, portal access, audit support, or case resolution. The criminal knows that the more ordinary the message sounds, the more likely the borrower is to respond before asking the right question: is this actually how the SBA or my lender would contact me?
This is why ordinary business owners are vulnerable even if they are smart, cautious, and experienced. The scam is not trying to outsmart them with technical brilliance. It is trying to mimic the exhausting administrative language they have already lived through for several years.
And because so many borrowers are still uncertain about where the line runs among lender communication, SBA communication, Treasury collection activity, and old pandemic-loan paperwork, the impersonation need not be perfect. It only has to arrive at the right moment with the right tone.
What legitimate borrowers should actually do
The response should be procedural, not emotional. First, do not click links or call numbers provided in an unexpected message. Use only known official channels. Second, verify whether the issue described is even plausible by checking the relevant official portal or contacting the real lender through previously verified contact information. Third, remember the basic SBA warning signs: real SBA emails come from addresses ending in @sba.gov, and government employees do not charge fees for access to federal services.
If the message suggests identity theft, billing for a loan you never received, or a fraudulent account issue, the next step is not to negotiate privately with the caller. It is formal reporting. That means using FTC identity-theft resources and SBA’s own identity-theft and fraud-reporting channels. The sooner the borrower exits the scammer’s communications loop and moves into official channels, the lower the chance that panic will cause further damage.
For businesses that now realize their prior PPP participation may still expose them to operational risk, this is also the moment to tighten internal controls. Narrow down who receives financial emails. Separate routine travel or operational accounts from lender-facing accounts. Limit the circulation of archived loan documents. Review who inside the company can access old forgiveness records, tax files, or account credentials. The quieter and cleaner the administrative structure, the harder it becomes for a phishing message to hijack it.
At Amicus International Consulting, the wider lesson is that crisis-era financial participation often leaves a long data tail, and that tail can become a second attack surface long after the original emergency has passed.
The aftermath is becoming its own fraud market.
That may be the clearest way to understand Part 7. PPP was not only a relief program but also a fraud opportunity. It also generated a long-lived administrative ecosystem of borrowers, records, lenders, forgiveness steps, reviews, collections anxiety, and public data. Scammers now understand that this aftermath can be mined for another round of exploitation.
That is what makes legitimate borrowers into double victims. First, they lived through a crisis and participated in a chaotic federal program in good faith. Then they became targets again because the record of that good-faith participation made them easier to identify, frighten, and contact.
The first theft was from taxpayers. This second one aims directly at the people who were supposed to be helped.




