FinCEN: COVID-Related Crimes, Scams, and Cyberattacks

On December 28, 2020, the Financial Crimes Enforcement Network (FinCEN) issued a Notice to alert financial institutions about the potential for fraud, ransomware attacks, or similar types of criminal activity related to COVID-19 vaccines and their distribution. As the vaccine rollout accelerates, it is all the more crucial to revisit FinCEN’s December Notice regarding vaccine-related financial crime.

FinCEN has issued several advisory warnings over the past year about a growing variety of scams related to the COVID-19 pandemic.

The publication of these advisory notices serves to provide financial institutions with a framework to identify suspicious activity related to the pandemic. FinCEN details red flag indicators of COVID-related fraud and provides instructions on how to report potentially fraudulent activities related to the pandemic.

FinCEN’s December Notice urges Financial Institutions to stay alert to vaccine-related scams and cyberattacks.

The vaccine provides a unique angle and opportunity for fraudulent activity. Even at the very initial rollout, when only two vaccinations had been approved for a very small subset of the population, fraudsters were already promising special or expedited access to vaccines.

FinCEN cites that COVID vaccine fraud may include the sale of unapproved and illegally marketed vaccines, the sale of counterfeit versions of approved vaccines, and promises to provide the vaccine sooner than permitted under the applicable vaccine distribution plan. In addition, we have seen evidence of the illegal diversion of legitimate vaccines.

Furthermore, cybercriminals have been reported to target research institutions and exploit the development, distribution, and administration of the vaccine. This includes the use of malware and phishing schemes, extortion, business email compromise (BEC) fraud, and exploitation of remote applications.

Although this trend developed as early as December, during the initial rollout to medical workers, financial institutions may still anticipate more vaccine-related criminal activity.

The notice on financial crimes related to COVID-19 vaccine distribution is not a standalone issue. FinCEN has identified other red flag indicators to help reporting on COVID-19 related scams, schemes, and criminal activity. The following section details identified instances and the corresponding red flag indicator published by FinCEN.

Financial Crimes Targeting COVID-19 Economic Impact Payments

Most recently, FinCEN identified financial crimes connected to COVID-19 Economic Impact Payments (EIP). U.S. authorities detected a wide range of EIP-related fraud and theft involving a variety of criminal actors.

Now, financial institutions must monitor for fraudulent, altered, or counterfeit checks:

• An account holder attempts to deposit one or more checks that appear to be issued by the U.S. Treasury, but are fraudulent or counterfeit checks. When questioned, the customer may disclose that he or she:

(i) was sent a partial payment, and needed to verify his or her PII or financial information before receiving the full EIP; or

(ii) received the check purportedly from a current or former employer with instructions that the check was the customer’s “stimulus payment” and that he or she was to buy prepaid cards and send them to another individual.

Some other crimes reported include outright stealing of checks from mail:

• An account receives (a) numerous deposits or electronic funds transfers (EFTs) that indicate the payments are linked to EIPs and (b) unemployment insurance payments from one or more states in names that do not match the account holder(s).

Consumer Fraud

Financial institutions and their customers must be cautious of imposter scams, phishing schemes luring victims with fraudulent information about COVID-19 vaccines, and money mule schemes.

In the case of imposter scams, criminals impersonate officials or representatives from organizations, such as the Internal Revenue Service (IRS), the Centers for Disease Control and Prevention (CDC), the World Health Organization (WHO), other healthcare or non-profit groups, and academic institutions.

• A customer indicating that a person claiming to represent a government agency contacted him or her by phone, email, text message, or social media asking for personal or bank account information to verify, process, or expedite EIPs, unemployment insurance, or other benefits. For more information on EIPs, visit IRS, “Economic Impact Payment Information Center,” (June 30, 2020). In particular, be alert to communications emphasizing “stimulus check” or “stimulus payment” in solicitations to the public, sometimes claiming that the fraudulent entity can expedite the “stimulus check” or other government payment on behalf of the beneficiary for a fee paid by gift card or prepaid card.

Multiple examples include phishing schemes mimicking legitimate charities and non-profits to offer services to victims or solicit information from the vulnerable (like the elderly or unemployed):

• Unsolicited communications from purported trusted sources or government programs related to COVID-19, instructing readers to open embedded links or files or to provide personal or financial information, including account credentials (e.g., usernames and passwords).

Crimes also included money mule schemes, which involve a person who, either as unwitting, witting, or complicit individual, transfers illegally acquired money on behalf of or at the direction of another:

• The customer’s personal bank account starts to receive transactions that do not fit his or her transactional history profile, including overseas transactions, the purchase of large sums of convertible virtual currency, or transactions in large fiat amounts, or the account generally had a low balance until the customer became involved in a money mule scheme. When asked about the changes in transactions, the customer declines requests for “know your customer” documents or inquiries regarding sources of funds and may mention COVID-19, relief work, or a “work-from-home” opportunity as the source of the income.

Cyber-Enabled Crime

As noted, cybercriminals exploit legitimate efforts to develop, distribute and administer vaccines. There are reported instances of ransomware attacking institutions focused on vaccine research. Malicious state actors have also exploited the COVID-19 pandemic through malware and phishing schemes, extortion, business email compromise fraud.

Some schemes targeted financial and healthcare systems to steal sensitive information and disrupt business operations. These cybercriminals exploited the virtual environments and the remote applications used. Criminals could undermine online identity verification processes with digitally manipulated or altered documents:

• Images of identity documentation have visual irregularities that indicate digital manipulation of the images, especially around information fields likely to have been changed to conduct synthetic identity fraud (e.g., name, address, and other identifiers).
• A customer refuses to provide supplemental identity documentation or delays producing supplemental documentation.

In other cases, cybercriminals can leverage compromised or stolen credentials across multiple accounts. They may attempt numerous account takeovers via methods like “credential stuffing attacks” – using lists of stolen account credentials and automating login attempts to gain unauthorized access to victim accounts:

• Customer logins occur from a single device or Internet Protocol (IP) address across multiple seemingly unrelated accounts, often within a short period of time.
• The IP address associated with logins does not match the stated address in identity documentation.
• Customer logins occur within a pattern of high network traffic with decreased login success rates and increased password reset rates.

There have also been significant increases in broad-based and targeted phishing campaigns. These scammers often targeted individuals by referencing the Coronavirus Aid, Relief, and Economic Security (CARES) Act payments, with malicious websites and downloads, domain name system hijacking or spoofing attacks, and fraudulent mobile applications:

• Unsolicited emails related to COVID-19 from untrusted sources encourage readers to open embedded links/files or to provide personal or financial information, such as usernames and passwords or other account credentials.

Cybercriminals have also used business email compromise (BEC) schemes, targeting municipalities and the healthcare industry supply chain by impersonating critical players in a particular transaction or business relationship. For example, a cybercriminal could convince companies to redirect payments to a new account due to pandemic-related changes in business operations: 

• A customer’s transaction instructions contain different language, timing, and amounts in comparison to prior transaction instructions, especially regarding transactions involving healthcare providers or supplies purchases.

These advisories and notices are based on FinCEN’s analysis of COVID-19-related reports obtained through public statements, data from the Bank Secrecy Act (BSA), and their law enforcement partners.

As reiterated in each of the notices, filing Suspicious Activity Reports (SAR) reporting and effective implementation of Bank Secrecy Act (BSA) compliance requirements by financial institutions is crucial to identifying and stopping fraud, cybercrime, and cyber-enabled crime, especially those related to the COVID-19 vaccine.

At the September 29, 2020 virtual ACAMS AML Conference, FinCEN’s Director Kenneth Blanco prepared remarks sharing trends on COVID-19 Related BSA Reporting.

• From February 1 to September 12, 2020, financial institutions have filed with FinCEN over 91,000 SARs referencing COVID-19 and the stimulus programs. 
• Depository Institutions (Banks) filed over 64,000 of these SARs, accounting for about 71 percent of all COVID-related SAR filings.
• The Money Services Business (MSB) industry filed over 4,000 SARs, accounting for 5 percent of all COVID-related SAR filings.

SARs are a crucial component to safeguard the financial system. Along with the effective implementation of due diligence and BSA requirements, SARs help identify and stop financial crimes.

Financial institutions should provide all pertinent information in the SAR to help FinCEN address any fraud and expedite the Report to the right investigative teams. FinCEN included a consolidated list of specific instructions for filing COVID-19 SARs.

Banks and other financial institutions must continue being on high alert to COVID-19-related financial crimes. Monitoring these transactions may require new compliance policies and regular system checks to ensure that red flag transactions are properly caught. Financial institutions are encouraged to perform additional inquiries and investigations in line with their risk-based approach to BSA compliance.

With our extensive abilities in compliance including former U.S. regulators on staff, Sia Partners is ready to assist you in managing all your compliance needs. Sia Partners consultants can provide the expertise to best shape and align your compliance solutions with your business plans and strategy.

Dan Connor
CEO – US
+ 1 (862) 596-0649
daniel.connor@sia-partners.com

Lauren Pickett
Managing Director AML, Sanctions & FATCA
+ 1 (917) 439-3328
lauren.pickett@sia-partners.com