FinCEN Issues Advisory on Cybercrime and Cyber-Enabled Crime Exploiting COVID-19

On July 30, 2020, the Financial Crimes Enforcement Network (FinCEN) issued an advisory alerting financial institutions to potential indicators of cybercrime and cyber-enabled crime observed during the COVID-19 pandemic. The advisory – based on FinCEN’s analysis of Bank Secrecy Act (BSA) data, open source reporting, and law enforcement reports – describes COVID-19-related malicious cyber activity and scams, red flag indicators, and directions for reporting suspicious activity. The purpose of the advisory is to help financial institutions and their customers protect legitimate relief efforts for the COVID-19 pandemic against cyber criminals and malicious state actors.

What Does This Mean for Me?

With the increase in fraudulent schemes and cybercrime related to the COVID-19 pandemic, this is a good time to evaluate your AML/BSA and fraud-related compliance programs – including internal due diligence processes, training materials, and reporting procedures – to verify that your program is up to date and takes into account the risks and red flags identified in the advisory. Government agencies repeatedly have warned since March that now is not the time to throttle back on compliance and, when it comes to proprietary data, all companies should tailor their compliance efforts and resources to implement or upgrade proactive protection measures.

Risks and Red Flags

FinCEN’s advisory identifies the primary means by which cybercriminals and malicious state actors are exploiting the current COVID-19 pandemic. These include:

• Exploitation of remote applications: schemes targeting vulnerabilities in remote applications and virtual environments to steal sensitive information and disrupt business operations. These risks include digitally manipulating identity documentation in order to undermine online verification processes and leveraging compromised login credentials across numerous customer accounts.

   

• Malware phishing schemes and extortion: schemes targeting health care and pharmaceutical providers with offers related to COVID-19 information and supplies. The scams appear to originate from legitimate sources and seek to collect personal and financial data, and to potentially infect target devices by convincing the target to download malicious programs including ransomware in an effort to extort the target to gain access to its own systems.

   

• Business email compromise (BEC) fraud schemes: schemes targeting municipalities and the health care industry supply chain that involve cyber criminals convincing companies to redirect payments to new accounts, claiming account modifications are due to pandemic-related changes to business operations.

The advisory lists 20 red flag indicators across these three risk areas and instructs financial institutions to consider these red flags in addition to the context and factual circumstances of a specific transaction, prior to determining whether a transaction is suspicious or indicative of a potential fraudulent-related COVID-19 transaction. These factors include a customer’s historical financial activity, whether the transaction is in line with prevailing business practice, and whether a customer exhibits multiple red flag indicators. The advisory covers a wide range of red flag indicators, including, but not limited to, name changes between government-issued identification and customer account opening information, issues with images on government-issued identification, customer login irregularities, and changes to known customer email addresses. A full list of red flag indicators, per risk area, is included in the FinCen advisory.

Suspicious Activity Reporting

Lastly, the advisory provides information on how to properly file a Suspicious Activity Report (SAR) identifying potential cybercrime and cyber-enabled crime related to the COVID-19 pandemic. The advisory instructs the following:

• Include the key term “COVID19-CYBER FIN-20-A005” on the SAR form, field 2, to indicate a connection between the suspicious activity and the activities set forth above;

   

• Mark all appropriate check boxes on the SAR form to indicate a connection between COVID-19 and the suspicious activity being reported;

   

• Include any relevant technical cyber indicators related to cyber events in a SAR within the available structured cyber event fields; and

   

• For cyber-enable crime involving COVID-19 related fraud, select SAR field 34z (Fraud – other) as the suspicious activity type and include the type of scheme as a keyword (i.e., COVID-19 BEC Fraud).