FinCEN Red Flags for Economic Impact Payment Fraud

Terri Luttrell, CAMS-Audit
March 3, 2021
Read Time: min

New relief may escalate EIP criminal activity. 

While the typologies of EIP fraud are not new, FinCEN has provided examples of trending types of EIP-related criminal activities. 

Would you like other articles like this in your inbox?

As COVID-19 vaccination efforts gain momentum across the U.S., many people are hoping that the time has come to resume a relatively normal life after the pandemic.  However, the effects of COVID-related scams and cyberattacks continue to increase and target federal efforts for economic relief, as a significant portion of the U.S. population remains vulnerable. This is unlikely to change anytime soon.

In February, FinCEN released an advisory, Financial Crimes Targeting COVID-19 Economic Impact Payments (FIN-2021-A002), alerting financial institutions to the potential for fraud, ransomware attacks, or similar types of criminal activity related to COVID-19 stimulus relief related to the Economic Impact Payments (EIPs).  The House has passed another $1.9 trillion emergency relief package, which is expected to be approved by the Senate and sent to President Biden soon. This type of EIP criminal activity may escalate.

Escalating criminal activity

Look out for trending EIP-related criminal activities

Law enforcement has already detected a significant increase in EIP-related fraud, which is one of the more challenging forms of criminal activity to digest, as these bad actors prey on the most vulnerable during these unprecedented times. While none of these typologies of fraud are new, FinCEN provides a few examples of the trending types of EIP-related criminal activities:

  • Fraudulent checks: Criminals send potential victims fraudulent checks, instructing the recipients to call a number or verify information online to cash the fraudulent EIP checks. Victims are asked for personal information under the guise that the information is needed to receive or speed up their EIP.
  • Altered checks: Fraudsters deposit altered EIP checks, often by ATM or mobile device, that may modify name of payee or increase the amount of the check.
  • Counterfeit checks: Fraudsters deposit counterfeit EIP checks, often via ATM or mobile device. Fraudsters use various methods to create a counterfeit check, including reproducing checks from digital images. Counterfeit checks will often have irregularities involving the check number, paper, coloring, and/or font.
  • Theft of EIP: Criminals may steal an EIP from the U.S. mail; request an EIP disbursal for an ineligible person; seek another person’s EIP without the payee’s knowledge and/or approval; or through coercive means, or use stolen Personally Identifiable Information (PII).
  • Phishing using EIP: Fraudsters use phishing schemes by emails, letters, phone calls, and text messages containing keywords such as “Coronavirus,” “COVID-19,” and “Stimulus,” with the purpose of obtaining PII and financial account information.
  • Inappropriate seizer of EIP: A private company that may have control over a person’s finances seizes a person’s EIP for wage garnishments or debt collection and does not return the inappropriately seized payments.

Stay up to date on COVID-19-related crime and BSA obligations.

FinCrime monitoring

Red flags for EIP fraud

Financial institutions can help their communities by keeping EIP fraud top of mind and using a risk-based approach when monitoring transaction accounts for suspicious activity. There are several red flags that should be incorporated into an institution’s processes and procedures as part of their COVID-19 related FinCrime monitoring program.

Fraudulent, altered, counterfeit, or stolen EIP checks, Automated Clearing House (ACH) deposits, and prepaid debit cards.

  • An account holder attempts to deposit one or more checks that appear to be issued by the U.S. Treasury but are fraudulent or counterfeit checks. When questioned, the customer may disclose that he or she:
    • was sent a partial payment, and needed to verify his or her PII or financial information before receiving the full EIP; or
    • received the check purportedly from a current or former employer with instructions that the check was the customer’s “stimulus payment” and that he or she was to buy prepaid cards and send them to another individual.
  • An existing account receives multiple EIP-related deposits for individuals other than the account holder(s). The individuals named on the checks reside outside the geographic region of the account holder.
  • An existing account receives an excessive number of EIPs via U.S. Treasury check or deposits related to a prepaid debit card linked to the same address (e.g., an account receiving more checks than expected relative to the customer’s profile and financial institution’s customer due diligence).
  • A customer opens a new account with an EIP check or debit card, and the name of the potential account holder is different from that of the depositor or the payee of EIP.
  • The EIP check is deposited, or the debit card’s funds are transferred into dormant accounts with little or no prior activity.

Theft of multiple EIPs

  • Individual accounts opened after the U.S. government announced the EIP program, receive U.S. Treasury checks or direct deposits from the U.S. Treasury that could indicate multiple EIPs, and for individuals other than the account holder.
  • The account holder is a child under age 17 at the end of the taxable year, but the account received numerous EIPs.
  • Rapid transfers of multiple EIPs into one account could indicate that bad actors are consolidating the payments. The funds may be:
    • Quickly withdrawn via large cash withdrawals or serial ATM withdrawals;
    • Used to purchase convertible virtual currencies;
    • Transferred out of the account via a money services business such as cryptocurrency exchanges and peer-to-peer mobile payment systems, or wire transfers to other accounts;
    • Used for large purchases at merchants that offer cash back as an option or transferred onto prepaid debit or gift cards.
  • Deposits of one or more EIP U.S. Treasury checks or electronic deposits made into an account held by a retail business or a personal account of a business owner or employee, and the account holder is not the payee/endorser.
  • The same IP address is used to transfer funds from several EIP debit cards to a bank account, especially if that IP address is located outside of the United States or associated with a business.

Other frauds and thefts occurring in an account receiving EIPs.

  • An account receives numerous deposits or electronic funds transfers (EFTs) that indicate the payments are linked to EIPs, and unemployment insurance payments from one or more states in names that do not match the account holder(s).
  • An account with several EIP deposits also receives numerous tax refunds from federal and state governments for individuals other than the account holder(s).
  • Deposits of one or more EIP checks or electronic deposits are made into a nursing home or assisted living facility’s business account, and those payments have not been returned to the resident.
Reporting EIP fraud

SAR Filing Instructions

  • FinCEN requests that financial institutions reference this advisory by including the key term “FIN-2021-A002” SAR field 2 (Filing Institution Note to FinCEN) and the narrative to indicate a connection between the suspicious activity being reported and the activities highlighted in this advisory.
  • FinCEN also requests that filers mention “economic impact payment” in the SAR narrative along with any other relevant behavior, such as counterfeit checks, money mule activity, or identity theft, to indicate a connection between those activities and EIP frauds and thefts. Additionally, FinCEN requests that filers use this program-specific term and avoid relying on generalized key terms, such as “stimulus check.”
  • Financial institutions should also select SAR field 34(z) (Fraud - other) as the associated suspicious activity type to indicate a connection between the suspicious activity being reported and COVID-19. Financial institutions should include the type of fraud and/or name of the scam or product (e.g., economic impact payment) in SAR field 34(z).
  • FinCEN requests filers not report the potential victim of an EIP fraud scheme as the subject of the SAR. Rather, all available information on the victim should be included in the narrative portion of the SAR.

Please refer to FinCEN’s May 2020 Notice Related to the Coronavirus Disease 2019 (COVID-19) and February 2021 Consolidated COVID-19 Suspicious Activity Report Key Terms and Filing Instructions, which contain information regarding reporting COVID-19- related crime and reminds financial institutions of certain BSA obligations.

History has shown that major disasters bring bad actors out of the woodwork, and the COVID-19 pandemic has been no different. With further economic relief funding on the horizon in the tune of trillions of dollars, it is certain that fraudsters are poised to continue their schemes to hurt the most vulnerable. Now is the time to update your training, processes, and procedures in your financial institution to ensure front-line staff, as well as suspicious activity monitoring teams, are aware of these red flags. Early detection and reporting of these detected typologies can stop further victims of what has already been a very difficult time in U.S. history.

About the Author

Terri Luttrell, CAMS-Audit

Compliance and Engagement Director
Terri Luttrell is a seasoned AML professional and former director and AML/OFAC officer with over 20 years in the banking industry, working both in medium and large community and commercial banks ranging from $2 billion to $330 billion in asset size.

Full Bio

About Abrigo

Abrigo is a leading technology provider of compliance, credit risk, and lending solutions that community financial institutions use to manage risk and drive growth. Our software automates key processes — from anti-money laundering to fraud detection to lending solutions — empowering our customers by addressing their Enterprise Risk Management needs.

Make Big Things Happen.

 

Looking for Banker’s Toolbox? You are in the Right Place!

Banker’s Toolbox is now Abrigo, giving you a single source for all your enterprise risk management needs. Use the login button here, or the link in the top navigation, to log in to Banker’s Toolbox Community Online.

Make yourself at home!