Compliance: FinCEN addresses cybercrime exploiting COVID-19

July 31, 2020

The Financial Crimes Enforcement Network (FinCEN) issued an advisory July 30 to alert financial institutions to potential indicators of cybercrime and cyber-enabled crime observed during the COVID-19 pandemic. Many illicit actors are engaged in fraudulent schemes that exploit vulnerabilities created by the pandemic, according to FinCEN.

The advisory contains descriptions of COVID-19-related malicious cyber activity and scams, associated financial red flag indicators, and information on reporting suspicious activity.

Scams and their associated red flags include:

Targeting and exploitation of remote platforms and processes through fraudulent identity documents and the use of stolen credentials. Red flags include:

  • The spelling of names in account information does not match the government-issued identity documentation provided for online onboarding;
  • Pictures in identity documentation, especially areas around faces, are blurry or low resolution, or have aberrations;
  • Images of identity documentation have visual irregularities that indicate digital manipulation of the images, especially around information fields likely to have been changed to conduct synthetic identity fraud;
  • A customer’s physical description on identity documentation does not match other images of the customer;
  • A customer refuses to provide supplemental identity documentation or delays producing supplemental documentation;
  • Customer logins occur from a single device or Internet Protocol (IP) address across multiple seemingly unrelated accounts, often within a short period of time;
  • Customer logins occur within a pattern of high network traffic with decreased login success rates and increased password reset rates; and
  • A customer calls a financial institution to change account communication methods and authentication information, then quickly attempts to conduct transactions to an account that never previously received payments from the customer.
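The two login-related red flags above translate into checks over authentication logs. The following is an added example, not part of the FinCEN advisory or the original article; the event labels, the 10-minute window, the three-account threshold and the sample events are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed tuning values for illustration; the advisory gives no thresholds.
WINDOW = timedelta(minutes=10)
MIN_ACCOUNTS = 3

# Constructed sample auth events: (timestamp, source IP, account, event).
# IPs are from documentation ranges; account names are made up.
SAMPLE_EVENTS = [
    ("2020-07-30T09:00:05", "203.0.113.7", "acct-1001", "login_ok"),
    ("2020-07-30T09:01:40", "203.0.113.7", "acct-2417", "login_fail"),
    ("2020-07-30T09:02:10", "198.51.100.4", "acct-3300", "login_ok"),
    ("2020-07-30T09:03:12", "203.0.113.7", "acct-2417", "password_reset"),
    ("2020-07-30T09:04:55", "203.0.113.7", "acct-5092", "login_ok"),
    ("2020-07-30T11:30:00", "198.51.100.4", "acct-3300", "login_ok"),
    ("2020-07-30T14:00:00", "192.0.2.9", "acct-7001", "login_ok"),
    ("2020-07-30T18:00:00", "192.0.2.9", "acct-7002", "login_ok"),
]

def shared_source_logins(events, window=WINDOW, min_accounts=MIN_ACCOUNTS):
    """Map each source IP to the accounts it attempted to log in to, for IPs
    that hit at least min_accounts distinct accounts inside one time window."""
    by_ip = defaultdict(list)
    for ts, ip, account, event in events:
        if event in ("login_ok", "login_fail"):
            by_ip[ip].append((datetime.fromisoformat(ts), account))
    flagged = defaultdict(set)
    for ip, hits in by_ip.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Advance the left edge until the span fits inside the window.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            accounts = {acct for _, acct in hits[start:end + 1]}
            if len(accounts) >= min_accounts:
                flagged[ip] |= accounts
    return {ip: sorted(accts) for ip, accts in flagged.items()}

def auth_rates(events):
    """Return (login success rate, password resets per login attempt)."""
    kinds = [event for *_, event in events]
    attempts = kinds.count("login_ok") + kinds.count("login_fail")
    if attempts == 0:
        return (0.0, 0.0)
    return (kinds.count("login_ok") / attempts,
            kinds.count("password_reset") / attempts)

if __name__ == "__main__":
    print(shared_source_logins(SAMPLE_EVENTS))
    print(auth_rates(SAMPLE_EVENTS))
```

The rates from `auth_rates` are only meaningful when compared against the institution's own baseline for a comparable period, and shared NAT or VPN egress addresses will need allow-listing before the first check is useful.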

Phishing, malware and extortion, which increasingly use offers of COVID-19 information and supplies. Red flags include:

  • Information technology enterprise activity related to transaction processes or information is connected to cyber indicators that have been associated with possible illicit activity. Malicious cyber activity may be evident in system log files, network traffic, or file information;
  • Email addresses purportedly related to COVID-19 do not match the name of the sender or the corresponding domain of the company allegedly sending the message;
  • Unsolicited emails related to COVID-19 from untrusted sources encourage readers to open embedded links/files or to provide personal or financial information, such as usernames and passwords or other account credentials;
  • Emails from untrusted sources or addresses similar to legitimate telework vendor accounts offer remote application software, often advertised at no or reduced cost;
  • Emails contain subject lines identified by government or industry as associated with phishing campaigns;
  • Text messages have embedded links purporting to be from or associated with government relief programs and payments;
  • Embedded links or webpage addresses for purported COVID-19 resources have irregular URLs that do not match that of the expected destination site or are similar to legitimate sites but with slight variations in the domain.

Business email compromise schemes, which in the COVID-19 environment often involve criminals inserting themselves into communications by impersonating a critical player in a transaction. Red flags include:

  • A customer’s transaction instructions contain different language, timing, and amounts in comparison to prior transaction instructions, especially regarding transactions involving healthcare providers or supplies purchases;
  • Transaction instructions, typically involving a healthcare-sector counterparty or referencing purchase of healthcare or emergency response supplies, originate from an email account closely resembling, but not identical to, a known customer’s email account;
  • Emailed transaction instructions direct payment to a different account for a known beneficiary. The transmitter may claim a need to change the destination account as part of a COVID-19 pandemic response and assert urgency to conduct the transaction; and
  • Emailed transaction instructions request to move payment methods from checks to ACH transfers as a response to the pandemic.

FinCEN will continue issuing COVID-19-related information on its website to help financial institutions enhance their efforts to detect, prevent, and report suspected illicit activity.