New FinCEN Cybercrime Advisory Targets COVID-19 Related Crimes

The Financial Crimes Enforcement Network (FinCEN) recently issued an advisory to alert financial institutions to potential indicators of cybercrime and cyber-enabled crime observed during the COVID-19 pandemic.

The advisory addresses the many ways by which cybercriminals are increasingly using the pandemic in cyber-enabled crime through phishing schemes, email compromise fraud and exploitation of remote applications. Many of our clients still have remote employees.

Purpose of Advisory

This advisory is intended to aid financial institutions in detecting, preventing and reporting potential COVID-19-related criminal activity. Based on analysis of COVID-19 information obtained from Bank Secrecy Act data, reporting, and law enforcement, cybercrime and criminal activities are becoming more frequent.

FinCEN will continue issuing COVID-19-related information on its website to help financial institutions enhance their efforts to detect, prevent and report suspected illicit activity.


Overview of FinCEN Cybercrime Advisory

This article is intended to provide an overview of the advisory and to better inform financial institutions on red flags, phishing, malware and extortion.

Red Flags

It’s important to remember that no one red flag is necessarily an indicator of suspicious activity, but you want to review:

  • Historical activity
  • Does the transaction align with normal business practices?

While there are other red flags, these two are the most common to help identify whether illegal activity is taking place.

Targeting and Exploitation of Remote Platforms and Processes

Remote work presents different opportunities to exploit vulnerabilities in remote systems & customer-facing processes including:

  • Digital Manipulation of Identity Documentation
    This type of exploitation targets fraudulent identity information
  • Leveraging Compromised Credentials Across Accounts
    This is the exploitation of weak authentication processes in attempted account takeovers, using stolen usernames/passwords/emails to gain access

Remote Platforms and Processes Red Flag Indicators:

  • The spelling of names in account information doesn’t match identifying information (IDs) provided for account onboarding
  • Pictures in IDs are blurry/low resolution or have alterations
  • IDs seem to have alterations around information fields such as name or address
  • The physical description on the ID doesn’t match other images of customer
  • Customer does not have supplemental ID documentation
  • Logins occur from a single IP address across multiple unrelated accounts within a short period of time
  • The IP address associated with logins does not match the address on IDs
  • Logins occur with a pattern of high network traffic with decreased login success & increased password reset rates
  • Customer calls the financial institution to change account communication methods then quickly tries to conduct transactions to accounts that never previously received payments from the customer
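The two login-related red flags above (one IP address across multiple unrelated accounts in a short period, and low login success combined with password resets) can be checked against authentication logs. The following is an added example, not part of the FinCEN advisory or the original article; the event format, field names, sample events and thresholds are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth events: (ISO timestamp, source IP, account, event).
# IP addresses come from the RFC 5737 documentation ranges.
EVENTS = [
    ("2020-09-01T10:00:05", "203.0.113.7", "acct-1001", "login_ok"),
    ("2020-09-01T10:01:10", "203.0.113.7", "acct-2040", "login_fail"),
    ("2020-09-01T10:02:30", "203.0.113.7", "acct-3307", "login_ok"),
    ("2020-09-01T10:03:45", "203.0.113.7", "acct-4512", "login_fail"),
    ("2020-09-01T10:04:00", "203.0.113.7", "acct-4512", "password_reset"),
    ("2020-09-01T10:20:00", "198.51.100.20", "acct-7001", "login_ok"),
    ("2020-09-01T14:00:00", "198.51.100.20", "acct-7001", "login_ok"),
]

def parse(events):
    return sorted((datetime.fromisoformat(ts), ip, acct, ev) for ts, ip, acct, ev in events)

def shared_ip_alerts(events, window=timedelta(minutes=10), min_accounts=3):
    """IPs that attempted logins on >= min_accounts distinct accounts within one window."""
    by_ip = defaultdict(list)
    for ts, ip, acct, ev in parse(events):
        if ev.startswith("login"):
            by_ip[ip].append((ts, acct))
    alerts = {}
    for ip, hits in by_ip.items():
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:  # slide the window forward
                start += 1
            accounts = {a for _, a in hits[start:end + 1]}
            if len(accounts) >= min_accounts:
                alerts[ip] = max(alerts.get(ip, set()), accounts, key=len)
    return alerts

def low_success_with_resets(events, min_attempts=4, max_success=0.5):
    """IPs with enough attempts, a low login success ratio and at least one password reset."""
    stats = defaultdict(lambda: defaultdict(int))
    for _, ip, _, ev in parse(events):
        stats[ip][ev] += 1
    flagged = {}
    for ip, s in stats.items():
        attempts = s["login_ok"] + s["login_fail"]
        ratio = s["login_ok"] / attempts if attempts else 1.0
        if attempts >= min_attempts and s["password_reset"] and ratio <= max_success:
            flagged[ip] = round(ratio, 2)
    return flagged
```

As the article notes, no single red flag is conclusive: shared corporate or carrier NAT addresses can trip the first check, so hits are leads for review alongside historical activity.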

Phishing, Malware, and Extortion

Cybercrime has also seen a significant increase in phishing, malware and extortion. These campaigns attempt to lure companies, especially healthcare & pharmaceutical providers, with offers of COVID-19 info & supplies.

Phishing is communication that appears to come from a legitimate source and seeks to collect personal and financial information. Phishing also includes infecting devices by convincing targeted victims to download malicious software. These campaigns can be run via email, phone or text and typically reference the CARES Act & payments.

Red Flag Indicators of Phishing and Malware:

  • Malicious cyber activity may be evident in system log files, network traffic, or file information
  • Email addresses supposedly related to COVID-19 do not match the name of the sender or the corresponding domain of the company supposedly sending the message
  • Unsolicited emails related to COVID-19 encourage readers to open links or files or provide personal/financial information
  • Emails offer remote application software at little or no cost
  • Emails contain subject lines identified by the government as associated with phishing campaigns, such as “COVID-19 Updates” or “Outbreaks in Your City”
  • Text messages have embedded links that reference government programs and payments
  • Embedded links have irregular URLs that do not match the destination or are similar with slight variations in the spelling, etc.
    • For example, fincen.com rather than www.fincen.gov
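The embedded-link red flag (a URL that does not match its destination, or that imitates a real domain with a slight variation such as fincen.com for www.fincen.gov) can be screened automatically. This is an added example, not part of the advisory or the original article; the trusted-domain list, the two-label domain heuristic and the distance threshold are assumptions.

```python
from urllib.parse import urlparse

TRUSTED = {"fincen.gov", "irs.gov"}  # assumed allow-list for this example

def base_domain(url_or_host):
    """Naive registrable domain: last two labels (no public-suffix handling)."""
    target = url_or_host if "//" in url_or_host else "//" + url_or_host
    host = urlparse(target).hostname or ""
    return ".".join(host.rstrip(".").split(".")[-2:])

def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_link(display_text, href, trusted=TRUSTED, max_distance=2):
    """Return the red-flag reasons found for one embedded link."""
    reasons = []
    dest = base_domain(href)
    text = display_text.strip()
    # Only treat the visible text as a host name when it looks like one.
    shown = base_domain(text) if "." in text and " " not in text else None
    if shown and shown != dest:
        reasons.append(f"text shows {shown} but link goes to {dest}")
    if dest not in trusted:
        for good in sorted(trusted):
            same_name = dest.split(".")[0] == good.split(".")[0]  # e.g. .com vs .gov
            if same_name or edit_distance(dest, good) <= max_distance:
                reasons.append(f"{dest} imitates {good}")
    return reasons

# Constructed sample links: (visible text, actual destination)
SAMPLES = [
    ("www.fincen.gov", "https://fincen.com/relief"),
    ("FinCEN advisory", "https://www.fincen.gov/resources"),
    ("Click here", "http://flncen.gov/pay"),
]

if __name__ == "__main__":
    for text, href in SAMPLES:
        print(href, "->", check_link(text, href) or "no flags")
```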

Business Email Compromise Schemes (BEC)

BEC schemes mainly target municipalities and the healthcare industry supply chain. A common scheme involves criminals convincing companies to redirect payments to new accounts while claiming the modification is due to pandemic-related changes in operations. Schemes use spoofed emails to communicate these “urgent” payment changes to vendors.

Business Email Compromise (BEC) Red Flag Indicators:

  • Transaction instructions contain different language, timing and/or amounts in comparison to prior instructions
  • Transaction instructions originate from an email account that isn’t identical to a customer’s email account
  • Instructions direct payment to a different account for a known beneficiary
  • Instructions request to move payment methods from checks to ACH

Reporting Suspicious Activity

SAR reporting is crucial in identifying & stopping financial crimes. When reporting suspicious activities, provide all information in the SAR.

Adhering to the filing instructions below will improve FinCEN’s ability to effectively identify & pull actionable SARs & info from the FinCEN query system to support COVID-19 related cases.

  • Include the key term: COVID19-CYBER FIN-2020-A005 in SAR field 2 & the narrative to indicate a connection between the suspicious activity being reported & activities highlighted in the advisory
  • For suspected fraudulent COVID-19-related activity, mark all appropriate boxes on the SAR form to indicate a connection between COVID-19 & the suspicious activity being reported
  • Include any relevant technical cyber indicators related to cyber events & associated transactions reported in a SAR within the available structured cyber event indicator fields

In conclusion, fraudulent activities have increased during the pandemic. Criminals are using a variety of ways to target victims. Staying current on FinCEN advisories and cybercrime indicators will keep your institutions and customers/members protected.

For more information on how to combat cyber criminals while working remotely, download a free copy of our ebook: 10 Security Best Practices When Working Remote.

Rachel Davis - Product Manager at OCL

About the Author

Rachel Davis

Product Manager at OnCourse Learning

Rachel Davis is the Product Manager of GRC and professional education for banks, credit unions, and non-bank financial services at OnCourse Learning. Rachel has worked in the financial services industry for 12 years and keeps up to date on financial industry hot topics. Rachel received her Bachelor of Arts in English Literature from Saint Louis University.


September 18th, 2020 | Bank, Credit Union, Financial Services
