The Financial Crimes Enforcement Network (FinCEN) analyzed  COVID-19-related information obtained from Bank Secrecy Act (BSA) data, open source reporting, and law enforcement partners to prepare guidance to aid financial institutions in detecting, preventing, and reporting potential COVID-19-related criminal activity. 

FinCen sets out the following red flag indicators of COVID-19 cyber-enabled crimes, noting however that since no single indicator is necessarily indicative of suspicious activity, FIs should consider additional contextual information and the surrounding facts and circumstances, such as: 

  • a customer’s historical financial activity, 
  • whether the transactions are in line with prevailing business practices, and 
  • whether the customer exhibits multiple indicators

Indications of Targeting and Exploitation of Remote Platforms and processes

  •  name spelling in account information doesn't match government ID, or physical description doesn't match other images of the customer
  •  pictures have low resolution or appear blurry or with irregularities
  •  customer refuses to provide supplementary photographic ID
  • customer logs in via multiple IP addresses, often in short time period, or IP address doesn't match stated address in identity documentation
  • customer requests to change account communication methods or authentication information, followed quickly by attempts to use the account

These could all be indicators that illicit actors are seeking to use stolen credentials or fraudulent identities. 

Phishing, Malware, and Extortion

  • system log files, network traffic or files may contain indications of cyber activity such as malware or phishing
  •  email address doesn't match alleged sender company's domain name, or other mismatches in email or URL
  •  unsolicited emails or text messages encouraging recipient to open links or files, or to provide personal or financial information
  •  emails with subject lines identified by government or industry as associated with COVID-19-related scams

Business Email Compromise (BEC) Scheme

In some instances, criminals seek to impersonate a person within a company to intercept or fraudulent induce a payment for supplies.

  • customer's transaction instructions use different language, timing or amounts than prior instructions
  •  email address closely resembles but doesn't exactly match prior known customer email account
  • email transaction instructions request to move payment methods from checks to ACH transfers, or to a different account than previously used. The requestor may claim COVID-related necessity or urgency.

What Financial Institutions Should Do

FIs should continue to make Suspicious Activity Report (SAR) filings, using the COVID-19 key term and marking all appropriate check boxes.

 FinCEN will continue issuing COVID-19-related information to financial institutions to help enhance their efforts to detect, prevent, and report suspected illicit activity on its website at, which also contains information on how to register to receive FinCEN Updates.