The Financial Crimes Enforcement Network (FinCEN) analyzed COVID-19-related information obtained from Bank Secrecy Act (BSA) data, open source reporting, and law enforcement partners to prepare guidance to aid financial institutions in detecting, preventing, and reporting potential COVID-19-related criminal activity.
FinCEN sets out the following red flag indicators of COVID-19 cyber-enabled crimes. Because no single indicator is necessarily indicative of suspicious activity, financial institutions (FIs) should also consider additional contextual information and the surrounding facts and circumstances, such as:
- a customer’s historical financial activity,
- whether the transactions are in line with prevailing business practices, and
- whether the customer exhibits multiple indicators.
Indications of Targeting and Exploitation of Remote Platforms and Processes
- name spelling in account information doesn't match government ID, or physical description doesn't match other images of the customer
- pictures have low resolution or appear blurry or with irregularities
- customer refuses to provide supplementary photographic ID
- customer logs in via multiple IP addresses, often in a short time period, or IP address doesn't match stated address in identity documentation
- customer requests to change account communication methods or authentication information, followed quickly by attempts to use the account
These could all be indicators that illicit actors are seeking to use stolen credentials or fraudulent identities.
Phishing, Malware, and Extortion
- system log files, network traffic or files may contain indications of cyber activity such as malware or phishing
- email address doesn't match alleged sender company's domain name, or other mismatches in email or URL
- unsolicited emails or text messages encouraging recipient to open links or files, or to provide personal or financial information
- emails with subject lines identified by government or industry as associated with COVID-19-related scams
Business Email Compromise (BEC) Scheme
In some instances, criminals seek to impersonate a person within a company to intercept or fraudulently induce a payment for supplies.
- customer's transaction instructions use different language, timing or amounts than prior instructions
- email address closely resembles but doesn't exactly match prior known customer email account
- email transaction instructions request to move payment methods from checks to ACH transfers, or to a different account than previously used. The requestor may claim COVID-related necessity or urgency.
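One way to screen an emailed payment instruction against the BEC indicators listed above, as an added example that is not part of the FinCEN advisory. The record fields, similarity threshold, amount multiplier, keyword list, review minimum and all sample values are constructed assumptions.

```python
from difflib import SequenceMatcher

URGENCY_TERMS = ("urgent", "immediately", "covid")  # assumed keyword list

def lookalike(sender, known, threshold=0.85):
    """True when sender closely resembles, but does not exactly match, known."""
    s, k = sender.strip().lower(), known.strip().lower()
    return s != k and SequenceMatcher(None, s, k).ratio() >= threshold

def bec_flags(instr, profile):
    """Return the BEC indicators an emailed payment instruction exhibits."""
    flags = []
    if any(lookalike(instr["sender"], k) for k in profile["known_emails"]):
        flags.append("lookalike_sender")
    if instr["method"] != profile["usual_method"]:
        flags.append("payment_method_change")
    if instr["account"] not in profile["known_accounts"]:
        flags.append("new_beneficiary_account")
    if instr["amount"] > 2 * max(profile["prior_amounts"]):  # assumed multiplier
        flags.append("unusual_amount")
    if any(term in instr["body"].lower() for term in URGENCY_TERMS):
        flags.append("urgency_claim")
    return flags

def needs_review(flags, minimum=2):
    """No single indicator is conclusive, so escalate only on several."""
    return len(flags) >= minimum

# Constructed sample data: the customer's history and two incoming instructions.
PROFILE = {
    "known_emails": ["ap@acme-supplies.example"],
    "usual_method": "check",
    "known_accounts": {"ACCT-0001"},
    "prior_amounts": [1200.0, 1350.0],
}
SUSPECT = {
    "sender": "ap@acrne-supplies.example",  # "rn" standing in for "m"
    "method": "ach", "account": "ACCT-9999", "amount": 1300.0,
    "body": "Due to COVID-19 closures we no longer accept checks. "
            "Urgent: send by ACH to our new account.",
}
ROUTINE = {
    "sender": "ap@acme-supplies.example",
    "method": "check", "account": "ACCT-0001", "amount": 1250.0,
    "body": "Invoice attached, usual terms.",
}

if __name__ == "__main__":
    for name, instr in (("suspect", SUSPECT), ("routine", ROUTINE)):
        flags = bec_flags(instr, PROFILE)
        print(name, flags, "review" if needs_review(flags) else "ok")
```
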
What Financial Institutions Should Do
FIs should continue to make Suspicious Activity Report (SAR) filings, using the COVID-19 key term and marking all appropriate check boxes.
FinCEN will continue issuing COVID-19-related information to financial institutions to help enhance their efforts to detect, prevent, and report suspected illicit activity on its website at https://www.fincen.gov/coronavirus, which also contains information on how to register to receive FinCEN Updates.
Many illicit actors are engaged in fraudulent schemes that exploit vulnerabilities created by the pandemic. This advisory contains descriptions of COVID-19-related malicious cyber activity and scams, associated financial red flag indicators, and information on reporting suspicious activity. This advisory is intended to aid financial institutions in detecting, preventing, and reporting potential COVID-19-related criminal activity.