The Financial Crimes Enforcement Network (FinCEN) recently issued an advisory to alert financial institutions to potential indicators of cybercrime and cyber-enabled crime observed during the COVID-19 pandemic.
The advisory describes the ways cybercriminals are increasingly exploiting the pandemic: phishing schemes, business email compromise fraud and the targeting of remote applications and processes. This remains relevant because many of our clients still have remote employees.
Purpose of Advisory
This advisory is intended to aid financial institutions in detecting, preventing and reporting potential COVID-19-related criminal activity. FinCEN's analysis of Bank Secrecy Act data, reporting and law enforcement information indicates that cybercrime and cyber-enabled crime tied to the pandemic are becoming more frequent.
FinCEN will continue to post COVID-19-related information for financial institutions on its website to help them detect, prevent and report suspected illicit activity.
Overview of FinCEN Cybercrime Advisory
This article provides an overview of the advisory and its red flags for exploitation of remote platforms, phishing, malware, extortion and business email compromise.
Red Flags
It is important to remember that no single red flag is necessarily an indicator of suspicious activity. Each flag should be reviewed against the surrounding facts, in particular:
- The customer's historical activity
- Whether the transaction aligns with the customer's normal business practices
There are other red flags, but these two questions are the most common starting point for deciding whether activity may be illegal.
Targeting and Exploitation of Remote Platforms and Processes
Remote work gives criminals new opportunities to exploit vulnerabilities in remote systems and customer-facing processes, including:
- Digital manipulation of identity documentation: criminals submit altered or fabricated identity documents to pass remote onboarding and verification checks
- Leveraging compromised credentials across accounts: criminals exploit weak authentication processes in attempted account takeovers, using stolen usernames, passwords and email addresses to gain access
Remote Platforms and Processes Red Flag Indicators:
- The spelling of names in account information doesn’t match identifying information (IDs) provided for account onboarding
- Pictures in IDs are blurry/low resolution or have alterations
- IDs seem to have alterations around information fields such as name or address
- The physical description on the ID doesn’t match other images of customer
- Customer does not have supplemental ID documentation
- Logins occur from a single IP address across multiple unrelated accounts within a short period of time
- The IP address associated with logins does not match the address on IDs
- A pattern of high network traffic with decreased login success and increased password reset rates (the signature of automated credential stuffing)
- A customer calls the financial institution to change account communication methods and then quickly tries to send payments to accounts that have never previously received payments from that customer
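The two login-related indicators above (one IP address touching many unrelated accounts in a short window, and falling login success alongside rising password resets) can be checked mechanically against authentication logs. The script below is an added example written for this article, not code from FinCEN or the advisory; the log format, the field names, the 10-minute window, the five-account threshold and the 20-point and 10-point rate thresholds are all assumptions, and the log lines are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events (not from the advisory or any real system):
# timestamp, source IP, account, event type. Day one is the normal baseline; day two
# has one IP cycling through many accounts and a visible drop in login success.
SAMPLE_LOG = """\
2020-07-29T08:10:00Z 198.51.100.10 acct-3001 login_ok
2020-07-29T08:40:00Z 198.51.100.11 acct-3002 login_ok
2020-07-29T09:05:00Z 198.51.100.12 acct-3003 login_ok
2020-07-29T09:30:00Z 198.51.100.13 acct-3004 login_fail
2020-07-29T09:31:00Z 198.51.100.13 acct-3004 login_ok
2020-07-29T10:00:00Z 198.51.100.14 acct-3005 login_ok
2020-07-29T11:20:00Z 198.51.100.15 acct-3006 login_ok
2020-07-29T12:45:00Z 198.51.100.16 acct-3007 login_ok
2020-07-29T14:00:00Z 198.51.100.17 acct-3008 login_ok
2020-07-29T16:30:00Z 198.51.100.18 acct-3009 login_ok
2020-07-30T09:00:01Z 203.0.113.7 acct-1001 login_fail
2020-07-30T09:00:09Z 203.0.113.7 acct-1002 login_fail
2020-07-30T09:00:15Z 203.0.113.7 acct-1003 login_ok
2020-07-30T09:00:22Z 203.0.113.7 acct-1004 pw_reset
2020-07-30T09:00:40Z 203.0.113.7 acct-1005 login_fail
2020-07-30T09:01:03Z 203.0.113.7 acct-1006 login_ok
2020-07-30T09:05:00Z 198.51.100.20 acct-2001 login_ok
2020-07-30T10:15:00Z 198.51.100.21 acct-2002 login_ok
2020-07-30T10:16:00Z 198.51.100.21 acct-2002 pw_reset
"""


def parse_log(text):
    """Parse whitespace-separated log lines into event dicts with real datetimes."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, event = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "ip": ip, "account": account, "event": event})
    return events


def events_on(events, day):
    """Events whose timestamp falls on the given YYYY-MM-DD day."""
    return [e for e in events if e["ts"].strftime("%Y-%m-%d") == day]


def shared_ip_accounts(events, window=timedelta(minutes=10), min_accounts=5):
    """Red flag: one source IP attempting logins to many unrelated accounts within
    a short window. Returns {ip: accounts} for each IP that trips the threshold.
    Password resets are not counted as login attempts. Thresholds are assumptions."""
    by_ip = defaultdict(list)
    for e in events:
        if e["event"] in ("login_ok", "login_fail"):
            by_ip[e["ip"]].append(e)
    hits = {}
    for ip, attempts in by_ip.items():
        attempts.sort(key=lambda e: e["ts"])
        for i, start in enumerate(attempts):          # sliding window from each attempt
            in_window = {e["account"] for e in attempts[i:]
                         if e["ts"] - start["ts"] <= window}
            if len(in_window) >= min_accounts:
                hits[ip] = in_window
                break
    return hits


def rates(events):
    """Login success rate and password-reset rate (resets per login attempt)."""
    ok = sum(e["event"] == "login_ok" for e in events)
    fail = sum(e["event"] == "login_fail" for e in events)
    resets = sum(e["event"] == "pw_reset" for e in events)
    attempts = ok + fail
    return {"attempts": attempts,
            "success_rate": ok / attempts if attempts else 0.0,
            "reset_rate": resets / attempts if attempts else 0.0}


def stuffing_signal(baseline, current, min_success_drop=0.2, min_reset_rise=0.1):
    """Red flag: login success falls while password resets rise, compared with a
    baseline period. Returns human-readable findings (empty list if none)."""
    b, c = rates(baseline), rates(current)
    findings = []
    if b["success_rate"] - c["success_rate"] >= min_success_drop:
        findings.append(f"login success rate fell from {b['success_rate']:.0%} to {c['success_rate']:.0%}")
    if c["reset_rate"] - b["reset_rate"] >= min_reset_rise:
        findings.append(f"password reset rate rose from {b['reset_rate']:.0%} to {c['reset_rate']:.0%}")
    return findings


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for ip, accounts in shared_ip_accounts(events).items():
        print(f"{ip} attempted {len(accounts)} accounts within 10 minutes: {sorted(accounts)}")
    for finding in stuffing_signal(events_on(events, "2020-07-29"), events_on(events, "2020-07-30")):
        print(finding)
```

Run against your own authentication logs, the baseline should be a comparable period (same weekday, same hours) rather than a single day, and the per-IP threshold needs to exclude known shared egress points such as corporate NAT addresses, which legitimately present many customers from one IP.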
Phishing, Malware, and Extortion
Phishing, malware and extortion campaigns have also increased significantly. These campaigns lure companies, especially healthcare and pharmaceutical providers, with offers of COVID-19 information and supplies.
Phishing is a communication that appears to come from a legitimate source and seeks to collect personal and financial information. It also includes infecting devices by convincing targeted victims to download malicious software. These campaigns run via email, phone or text message and commonly reference the CARES Act and its payments.
Red Flag Indicators of Phishing and Malware:
- Malicious cyber activity may be evident in system log files, network traffic, or file information
- Email addresses supposedly related to COVID-19 do not match the name of the sender or the corresponding domain of the company supposedly sending the message
- Unsolicited emails related to COVID-19 encourage readers to open links or files or provide personal/financial information
- Emails offer remote application software at little or no cost
- Emails contain subject lines identified by the government as associated with phishing campaigns, such as “COVID-19 Updates” or “Outbreaks in Your City”
- Text messages contain embedded links that purport to relate to government programs and payments
- Embedded links have irregular URLs that do not match the destination, or that resemble a legitimate domain with slight variations in spelling or top-level domain, for example fincen.com rather than www.fincen.gov
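Several of the phishing indicators above (a sender whose display name does not match its domain, the subject lines the advisory names, and links whose visible text or host imitates a legitimate domain) can be applied to a message automatically. The script below is an added example for this article, not code from FinCEN or the advisory; the table of legitimate domains, the message format and the sample messages are constructed for the example, and the hostnames in the samples use reserved example domains.

```python
import re
from urllib.parse import urlparse

# Constructed table of organisations a COVID-19 lure might impersonate and the domain
# they really send from (an assumption for the example; keep this in your own allow-list).
LEGIT_DOMAINS = {"fincen": "fincen.gov", "irs": "irs.gov", "cdc": "cdc.gov"}

# Subject lines the advisory cites as associated with COVID-19 phishing campaigns.
SUSPECT_SUBJECTS = ("covid-19 updates", "outbreaks in your city")

FROM_RE = re.compile(r'^\s*"?(?P<name>[^"<]*?)"?\s*<(?P<addr>[^>]+)>\s*$')
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="(?P<href>[^"]+)"[^>]*>(?P<text>.*?)</a>', re.I | re.S)
URL_RE = re.compile(r'https?://[^\s"<>]+')


def levenshtein(a, b):
    """Edit distance, used to catch one-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host):
    """Last two labels of a hostname. Adequate for .gov/.com; a real deployment
    should use the Public Suffix List so that e.g. .co.uk is handled correctly."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def lookalike(host, legit):
    """Classify host against the legitimate domain: None if it is that domain or a
    subdomain of it, otherwise the kind of impersonation detected. The substring
    rule is noisy for very short brand labels; tune it for your own list."""
    if not host:
        return None
    host, legit = host.lower(), legit.lower()
    if host == legit or host.endswith("." + legit):
        return None
    h_label, l_label = registrable(host).split(".")[0], legit.split(".")[0]
    if h_label == l_label:
        return "tld-swap"          # fincen.com in place of fincen.gov
    if levenshtein(h_label, l_label) <= 1:
        return "typo-squat"        # f1ncen.gov, fincenn.gov
    if l_label in host:
        return "embedded-brand"    # fincen-gov.example, fincen.gov.example.net
    return None


def check_email(msg, claimed_org):
    """Apply the advisory's phishing indicators to one message given as a dict with
    'from', 'subject' and 'body' (HTML allowed). Returns a list of findings."""
    legit = LEGIT_DOMAINS[claimed_org]
    findings = []
    m = FROM_RE.match(msg["from"])
    name, addr = (m.group("name"), m.group("addr")) if m else ("", msg["from"])
    sender_host = addr.rsplit("@", 1)[-1].strip()
    kind = lookalike(sender_host, legit)
    if kind:
        findings.append(f"sender domain {sender_host} impersonates {legit} ({kind})")
    elif registrable(sender_host) != legit and claimed_org in name.lower():
        findings.append(f"display name '{name}' claims {claimed_org} but address is @{sender_host}")
    if msg["subject"].strip().lower() in SUSPECT_SUBJECTS:
        findings.append(f"subject '{msg['subject']}' matches a known COVID-19 phishing subject")
    for a in ANCHOR_RE.finditer(msg["body"]):
        href_host = urlparse(a.group("href")).hostname or ""
        shown = URL_RE.search(a.group("text"))
        shown_host = urlparse(shown.group()).hostname if shown else None
        if shown_host and shown_host != href_host:          # link text vs real destination
            findings.append(f"link text shows {shown_host} but points to {href_host}")
        kind = lookalike(href_host, legit)
        if kind:
            findings.append(f"link host {href_host} impersonates {legit} ({kind})")
    return findings


# Constructed messages (not real mail). PHISH carries several indicators at once;
# CLEAN is a control that should produce no findings.
PHISH = {
    "from": '"FinCEN Alerts" <notices@fincen-gov.example>',
    "subject": "COVID-19 Updates",
    "body": ('Confirm your CARES Act payment routing today. Review the notice at '
             '<a href="http://fincen.gov.update-portal.example.net/login">'
             'https://www.fincen.gov/covid-19</a> to avoid suspension.'),
}
CLEAN = {
    "from": "FinCEN <notices@fincen.gov>",
    "subject": "Advisory FIN-2020-A005 published",
    "body": 'The advisory is at <a href="https://www.fincen.gov/">https://www.fincen.gov/</a>.',
}

if __name__ == "__main__":
    for label, msg in (("PHISH", PHISH), ("CLEAN", CLEAN)):
        print(label, check_email(msg, "fincen") or "no findings")
```

The checks only look at what is visible to the recipient; in a mail gateway they belong next to, not instead of, SPF, DKIM and DMARC evaluation of the sending domain.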
Business Email Compromise Schemes (BEC)
BEC schemes mainly target municipalities and the healthcare industry supply chain. A common scheme involves criminals convincing companies to redirect payments to new accounts, claiming the change is due to pandemic-related changes in operations. The schemes use spoofed emails, typically impersonating a known vendor, to communicate these "urgent" payment changes to the paying organization.
Business Email Compromise (BEC) Red Flag Indicators:
- Transaction instructions contain different language, timing and/or amounts in comparison to prior instructions
- Transaction instructions originate from an email address that differs, even slightly, from the customer's known email address
- Instructions direct payment to a different account for a known beneficiary
- Instructions request to move payment methods from checks to ACH
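The four BEC indicators above are all comparisons of a new payment instruction against what is already on file, so they can be run as a pre-payment check. The script below is an added example for this article, not code from FinCEN or the advisory; the vendor record, the prior instructions, the placeholder account strings, the urgency word list and the thresholds (twice the largest prior amount, 50 percent deviation from the usual cadence) are all constructed assumptions.

```python
from datetime import date
from statistics import median

# Words that, by assumption for this example, mark a change in tone compared with
# routine invoices; build the real list from your own vendor correspondence.
URGENCY_WORDS = ("urgent", "immediately", "today", "new account", "covid", "pandemic")

# Constructed vendor master record and prior instructions (not real data; the
# account strings are placeholders, not routing or account numbers).
VENDOR_ON_FILE = {"name": "Acme Medical Supply", "email": "ap@acme-medical.example",
                  "account": "RTN-0001/ACCT-0001", "method": "check"}
PRIOR_INSTRUCTIONS = [
    {"date": date(2020, 2, 3), "from": "ap@acme-medical.example", "amount": 46500.0,
     "account": "RTN-0001/ACCT-0001", "method": "check", "text": "Invoice 1039 attached, net 30."},
    {"date": date(2020, 3, 2), "from": "ap@acme-medical.example", "amount": 48200.0,
     "account": "RTN-0001/ACCT-0001", "method": "check", "text": "Invoice 1041 attached, net 30."},
    {"date": date(2020, 4, 1), "from": "ap@acme-medical.example", "amount": 47300.0,
     "account": "RTN-0001/ACCT-0001", "method": "check", "text": "Invoice 1044 attached, net 30."},
]
NEW_INSTRUCTION = {
    "date": date(2020, 4, 10), "from": "ap@acme-medica1.example", "amount": 141000.0,
    "account": "RTN-0002/ACCT-7781", "method": "ach",
    "text": "URGENT: our office is closed due to COVID-19, please remit today by ACH to the new account below.",
}


def review_instruction(new, vendor, history, amount_factor=2.0, cadence_tolerance=0.5):
    """Compare a new payment instruction with the vendor record and its prior
    instructions. Returns the list of BEC red flags raised (empty if none)."""
    flags = []
    if new["from"].lower() != vendor["email"].lower():          # sender not identical
        flags.append(f"sender {new['from']} is not the vendor address on file ({vendor['email']})")
    if new["account"] != vendor["account"]:                      # known beneficiary, new account
        flags.append(f"payment redirected to {new['account']}, not the account on file for {vendor['name']}")
    if new["method"] != vendor["method"]:                        # e.g. check -> ACH
        flags.append(f"payment method changed from {vendor['method']} to {new['method']}")
    amounts = [h["amount"] for h in history]
    if amounts and new["amount"] > amount_factor * max(amounts):  # amount out of pattern
        flags.append(f"amount {new['amount']:,.2f} exceeds {amount_factor}x the largest prior ({max(amounts):,.2f})")
    dates = sorted(h["date"] for h in history)
    if len(dates) >= 2:                                          # timing out of pattern
        typical = median([(b - a).days for a, b in zip(dates, dates[1:])])
        gap = (new["date"] - dates[-1]).days
        if abs(gap - typical) > cadence_tolerance * typical:
            flags.append(f"arrived {gap} days after the last instruction; usual cadence is {typical:.0f} days")
    words = [w for w in URGENCY_WORDS if w in new["text"].lower()]  # language out of pattern
    if words:
        flags.append("language differs from prior instructions: " + ", ".join(words))
    return flags


if __name__ == "__main__":
    for flag in review_instruction(NEW_INSTRUCTION, VENDOR_ON_FILE, PRIOR_INSTRUCTIONS):
        print("BEC red flag:", flag)
```

Any non-empty result should hold the payment until the change has been confirmed with the vendor out of band, using a phone number already on file rather than one supplied in the new instruction.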
Reporting Suspicious Activity
SAR reporting is crucial in identifying and stopping financial crime. When reporting suspicious activity, include all relevant information in the SAR.
Following the filing instructions below improves FinCEN's ability to identify and retrieve actionable SARs and information from its query system to support COVID-19-related cases.
- Include the key term COVID19-CYBER FIN-2020-A005 in SAR field 2 (Filing Institution Note to FinCEN) and in the narrative to indicate a connection between the suspicious activity being reported and the activities highlighted in the advisory
- Mark all appropriate boxes on the SAR form to indicate the connection between COVID-19 and the suspicious activity being reported
- Include any relevant technical cyber indicators related to cyber events & associated transactions reported in a SAR within the available structured cyber event indicator fields
In conclusion, fraudulent activity has increased during the pandemic, and criminals are using a variety of methods to target victims. Staying current on FinCEN advisories and cybercrime indicators will help keep your institution and its customers or members protected.
About the Author
Rachel Davis
Product Manager at OnCourse Learning
Rachel Davis is the Product Manager of GRC and professional education for banks, credit unions, and non-bank financial services at OnCourse Learning. Rachel has worked in the financial services industry for 12 years and keeps up to date on financial industry hot topics. Rachel received her Bachelor of Arts in English Literature from Saint Louis University.