FinCEN Releases New Advisory on Cybercrime During COVID-19

Terri Luttrell, CAMS-Audit
August 11, 2020

As the COVID-19 pandemic continues to wreak havoc around the globe, related fraud continues to escalate. Bad actors strive to be one step ahead of detection and are eager to take advantage of the new vulnerabilities people face. They are poised and ready to use disasters, such as a pandemic, to steal money and/or personal information.

On July 30, 2020, the Financial Crimes Enforcement Network (FinCEN) released its third advisory concerning COVID-19-related fraud typologies of which financial institutions should be aware. According to the advisory, detecting, preventing, and reporting illicit cyber activity will help protect legitimate relief efforts for the COVID-19 pandemic. Diligent detection not only helps protect financial institutions and their customers from cybercriminals, but also strengthens the financial institution’s partnership with the community.

Common typologies by which cybercriminals are exploiting COVID-19

FinCEN addresses common typologies by which cybercriminals are exploiting the COVID-19 pandemic through: 

  • Malware 
  • Phishing schemes: the practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal or financial information 
  • Extortion: demanding something, such as money, by force or threats 
  • Business email compromise (BEC): a scam that targets those who perform funds transfers
  • Exploitation of remote applications: the transition to work-from-home remote access and virtual applications during the pandemic has presented new opportunities for bad actors to target businesses and individuals.

Cybercriminals target remote platforms and processes.

The advisory puts these cybercrime typologies into three main categories. The first is targeting remote platforms and processes, including undermining online identity verification through fraudulent identity documents, and leveraging weak authentication processes for account takeovers.

The red flags include: 

  • The spelling of names in account information does not match the government-issued identity documentation. 
  • Pictures in identity documentation are fuzzy or blurry.   
  • Images of identity documentation have visual irregularities that suggest digital manipulation, particularly in the name, address, and other identifier fields. 
  • A customer’s physical description on identity documentation does not match other images of the customer. 
  • A customer refuses to provide supplemental identity documentation or delays producing requested documentation. 
  • Customer logins occur from a single device or Internet Protocol (IP) address across multiple seemingly unrelated accounts. 
  • The IP address associated with logins does not match the stated address in identity documentation. 
  • Customer logins occur during high network traffic times to avoid detection. 
  • A customer notifies the financial institution to change account communication and authentication methods and then promptly attempts to move funds to an account that had not previously received payments from the customer. 
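
Two of the red flags above (one IP address logging in to several unrelated accounts, and a contact or authentication change promptly followed by a payment to a new beneficiary) can be expressed as checks over an event log. The following is an added example, not code from FinCEN or the author; the event layout, the function names, the three-account threshold and the 24-hour reading of "promptly" are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real data): (timestamp, account, kind, detail)
# kind "login" -> detail is the source IP; "contact_change" -> changed field;
# kind "transfer" -> detail is the beneficiary.
EVENTS = [
    ("2020-08-03T09:00", "acct-101", "login", "203.0.113.7"),
    ("2020-08-03T09:02", "acct-202", "login", "203.0.113.7"),
    ("2020-08-03T09:05", "acct-303", "login", "203.0.113.7"),
    ("2020-08-03T09:10", "acct-404", "login", "198.51.100.20"),
    ("2020-07-01T10:00", "acct-404", "transfer", "payee-A"),
    ("2020-08-03T09:12", "acct-404", "contact_change", "phone"),
    ("2020-08-03T09:40", "acct-404", "transfer", "payee-Z"),
    ("2020-08-04T11:00", "acct-101", "contact_change", "email"),
    ("2020-08-09T11:00", "acct-101", "transfer", "payee-B"),
]

def shared_sources(events, min_accounts=3):
    """IPs that logged in to at least min_accounts distinct accounts."""
    seen = defaultdict(set)
    for _, acct, kind, detail in events:
        if kind == "login":
            seen[detail].add(acct)
    return {ip: sorted(a) for ip, a in seen.items() if len(a) >= min_accounts}

def change_then_new_payee(events, window=timedelta(hours=24)):
    """Transfers to a never-before-paid beneficiary soon after a contact change."""
    hits, payees, last_change = [], defaultdict(set), {}
    for ts, acct, kind, detail in sorted(events):  # ISO timestamps sort by time
        when = datetime.fromisoformat(ts)
        if kind == "contact_change":
            last_change[acct] = when
        elif kind == "transfer":
            changed = last_change.get(acct)
            if (detail not in payees[acct] and changed is not None
                    and when - changed <= window):
                hits.append((acct, detail, ts))
            payees[acct].add(detail)  # remember every beneficiary already paid
    return hits

if __name__ == "__main__":
    print(shared_sources(EVENTS))
    print(change_then_new_payee(EVENTS))
```

Hits from either check are leads for review rather than conclusions: shared office or carrier networks can place unrelated customers behind one IP address.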

Phishing, malware, and extortion are on the rise.

The second category of the advisory discusses phishing, malware, and extortion. Although these typologies are not new to illicit actors, there have been significant increases of reported fraud by these methods during the pandemic. These targeted campaigns focus on offers of COVID-19-related information and supplies, most by email but some by phone calls or text messages. It is more important than ever to remember to “stop before you click” on links or attachments by an unknown sender. Red flags to detect this illicit activity include: 

  • Information technology activity related to transaction processes is connected to cyber indicators of illicit activity. Malicious cyber activity may be evident in system log files, network traffic, or file information. 
  • Email addresses seemingly related to COVID-19 do not match the name of the sender or the domain of the company allegedly sending the message. 
  • Unsolicited emails related to COVID-19 from untrusted sources encouraging readers to open links or files to provide personal or financial information. 
  • Emails from untrusted sources or addresses similar to legitimate telework vendor accounts offering remote application software, often at no additional cost. 
  • Emails containing subject lines identified by government or industry as associated with phishing campaigns.  
  • Text messages have embedded links supposedly from government relief programs. 
  • Embedded links or web addresses for purported COVID-19 resources that have irregular uniform resource locators (URLs) that are slightly different from the common “.com”, “.org”, or “.us.”  

Business email compromise scams have increased during the pandemic.

Lastly, the advisory cautions about an increase in BEC schemes during the pandemic. The victim receives an email they believe is from a known sender; the email requests that funds be sent to a new account or alters recognized payment practices in other ways. COVID-19-related BEC schemes target municipalities and the healthcare supply chain industry.

Red flags of BEC include: 

  • Transaction instructions contain different language, timing, and amounts compared to prior customer transactions, especially involving healthcare providers or supplies purchased. 
  • Transaction instructions involve a healthcare counterparty originating from an email account closely resembling, but not identical to, a known customer’s email account. 
  • Emailed instructions for payment to a different account for a known beneficiary. The requester may claim the change is due to a COVID-19-related response. 
  • Emailed instructions request to move payment methods from checks to ACH as a response to the pandemic. 

A recent FBI press release suggests the following additional red flags to protect yourself from BEC: 

  • Unexplained urgency 
  • Last minute changes in wire instructions or recipient account information 
  • Last minute changes in established communication platforms or email account addresses 
  • Communications only in email and refusal to communicate via telephone or online voice or video platforms 
  • Requests for advanced payment of services when not previously required 
  • Requests from employees to change direct deposit information 
  • Last-minute changes in wiring instructions or recipient account information. 
  • Verify any changes and information via the contact on file. Do not contact the vendor through the number provided in the email. 
  • Ensure the URL in emails is associated with the business it claims to be from. 
  • Be alert to hyperlinks that may contain misspellings of the actual domain name. 
  • Verify the email address used to send emails, especially when using a mobile or handheld device, by ensuring the sender’s email address appears to match who it is coming from. 
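
The BEC red flags above about a sender address "closely resembling, but not identical to" a known one, misspelled domains, and payment to a different account for a known beneficiary can be screened automatically before a payment instruction is processed. The following is an added example, not code from FinCEN, the FBI or the author; the on-file record layout, the function names and the edit-distance threshold of 2 are assumptions.

```python
# Constructed record on file (not real data): the vendor's contact address
# and the beneficiary account last used for that vendor.
ON_FILE = {
    "Acme Medical Supply": {"email": "billing@acmemedical.example",
                            "account": "ACCT-0001"},
}

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete from a
                           cur[j - 1] + 1,              # insert into a
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]

def domain_of(addr):
    """Lower-cased part of an email address after the last '@'."""
    return addr.strip().lower().rpartition("@")[2]

def review_instruction(vendor, sender, account, on_file=ON_FILE, max_dist=2):
    """Return the BEC red flags raised by one emailed payment instruction."""
    record = on_file.get(vendor)
    if record is None:
        return ["vendor not on file"]
    flags = []
    known, seen = domain_of(record["email"]), domain_of(sender)
    dist = edit_distance(seen, known)
    if 0 < dist <= max_dist:       # near miss: likely a lookalike domain
        flags.append(f"sender domain {seen} resembles {known}")
    elif dist > max_dist:          # unrelated domain
        flags.append(f"sender domain {seen} does not match {known}")
    if account != record["account"]:
        flags.append("beneficiary account differs from account on file")
    return flags

if __name__ == "__main__":
    # "rn" standing in for "m" is a two-edit misspelling of the known domain.
    print(review_instruction("Acme Medical Supply",
                             "billing@acrnemedical.example", "ACCT-9999"))
```

Any flag returned here is a reason to verify the request through the contact on file, as the list above advises, not through details supplied in the email.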

Individuals must remain vigilant for scams related to COVID-19.

The Cybersecurity and Infrastructure Security Agency (CISA), the United States’ infrastructure risk advisor, warns individuals to remain vigilant for scams related to COVID-19. Perpetrators commonly use emails with malicious links or attachments, or fraudulent websites, to obtain financial and/or personal information by claiming to represent a COVID-19-related charity or cause. CISA’s advice supports the FinCEN advisory:

  • Avoid clicking on links in unsolicited emails and be wary of email attachments.  
  • Use trusted sources—such as legitimate, government websites—for up-to-date, fact-based information about COVID-19. 
  • Do not reveal personal or financial information in email, and do not respond to email solicitations for this information. 
  • Verify a charity’s authenticity before making donations. Review the Federal Trade Commission’s page on charity scams for more information. 

The latest advisories concerning COVID-19-related fraud highlight the increase that government agencies are seeing in fraud typologies. Fraudsters are using tactics similar to those seen previously, but in greater volume and with pandemic-related themes. An enhanced fraud risk assessment may be warranted to understand the true risk to your financial institution and your customers. Once you know more about your detection capabilities and any potential gaps, you can develop risk-focused procedures around this heightened illicit activity. Fraud often can lead to hard dollar losses, and suspicious activity monitoring may need to be enhanced if your risk assessment indicates a need. Many financial institutions are moving to automated fraud solutions to increase detection capabilities with this growing threat. If you are interested in automating your fraud solutions or integrating single- and multi-channel fraud detection into your anti-money laundering software, we can help.

Financial institutions are in a unique position to educate customers/members and detect fraud before the victim suffers financial loss and embarrassment. If filing a suspicious activity report (SAR) related to these COVID-19 fraud types, FinCEN requests that you include the key term “COVID19-CYBER FIN-2020-A005” in SAR field 2 (Filing Instruction Note to FinCEN) and in the narrative. In addition, be sure to check all relevant activity type boxes and include additional keywords in field 34(z) to describe the type of fraud, such as “COVID 19 BEC Fraud,” “EAC fraud,” or “BEC data theft.” Protecting legitimate pandemic relief efforts and prevention of fraud are two important fights we can win during this unprecedented time.

About the Author

Terri Luttrell, CAMS-Audit

Terri Luttrell is a seasoned AML professional and former director and AML/OFAC officer with over 20 years in the banking industry, working both in medium and large community and commercial banks ranging from $2 billion to $330 billion in asset size. She has successfully worked with institutions in developing BSA/OFAC programs, optimizing various automated solutions, and streamlining processes while ensuring all regulatory requirements are met. As the Compliance and Engagement Director at Abrigo, Terri provides insights that contribute and support long-term banking strategies based on analysis of market and industry trends, competitor developments, and financial and regulatory technology changes. She is an audit-certified anti-money laundering specialist and a board member of the Central Texas chapter of the Association of Certified Anti-Money Laundering Specialists (ACAMS). Terri earned her bachelor’s degree in business administration, specializing in business and finance, from the University of North Texas.
