The Financial Crimes Enforcement Network (FinCEN[1]) has issued an advisory[2] providing guidance and red flags for cybercrime and cyber-enabled crime occurring during the COVID-19 pandemic. The advisory is intended to “aid financial institutions in detecting, preventing, and reporting potential COVID-19-related criminal activity.” As you know, there have been numerous alerts issued by various government agencies about crimes and frauds being perpetrated during the pandemic. Links to many of them are available on our COVID-19 resources page; feel free to disseminate them throughout your institution or firm.

This advisory shares 20 red flag indicators to help financial services companies (FIs) identify, prevent and report COVID-19 cyber-enabled crimes. FinCEN’s advisory specifically identifies three broad areas of concern:

  • Targeting and Exploitation of Remote Platforms and Processes
  • Phishing, Malware, and Extortion
  • Business Email Compromise (BEC) Schemes.

Remote Platforms and Processes

With the large number of transactions being initiated in a non-face-to-face environment, cybercriminals have shifted their attention to remote applications, with the goal of acquiring confidential information and interdicting financial transactions. In attacking remote access methodologies, bad actors look to corrupt verification of online identification using manipulated identification documents. Cybercriminals also attack poor authentication systems to take over accounts.

The advisory identifies these red flags for these threats:

  • “The spelling of names in account information does not match the government-issued identity documentation provided for online onboarding.
  • Pictures in identity documentation, especially areas around faces, are blurry or low resolution, or have aberrations. Pictures in identity documentation or other images of persons in remote identity verification show signs indicating image manipulation (e.g., incongruences in coloration near the edge of the face, or double edges or lines on delineated facial features).
  • Images of identity verification documentation have visual irregularities that indicate digital manipulation of the images, especially around information fields likely to have been changed to conduct synthetic identity fraud (e.g., name, address, and other identifiers).
  • A customer’s physical description on identity documentation does not match other images of the customer.
  • A customer refuses to provide supplemental identity documentation or delays producing supplemental documentation.
  • Customer logins occur from a single device or Internet Protocol (IP) address across multiple seemingly unrelated accounts, often within a short period of time.
  • The IP address associated with logins does not match the stated address in identity documentation. Customer logins occur within a pattern of high network traffic with decreased login success rates and increased password reset rates.
  • A customer calls a financial institution to change account communication methods and authentication information, then quickly attempts to conduct transactions to an account that never previously received payments from the customer.”
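The shared device/IP red flag in the list above can be checked against authentication logs. The following is an added example, not part of the advisory or of this article; the event layout, the 30-minute window and the three-account threshold are assumptions, and the log entries are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real data): (timestamp, account, source IP, device ID).
EVENTS = [
    ("2020-08-03T09:00:05", "acct-1001", "203.0.113.7", "dev-a"),
    ("2020-08-03T09:04:40", "acct-2417", "203.0.113.7", "dev-a"),
    ("2020-08-03T09:11:12", "acct-3320", "203.0.113.7", "dev-a"),
    # Two accounts behind one household IP: below the threshold.
    ("2020-08-03T08:00:00", "acct-5001", "198.51.100.20", "dev-b"),
    ("2020-08-03T08:10:00", "acct-5002", "198.51.100.20", "dev-b2"),
    # Three accounts on one IP, but days apart: outside the window.
    ("2020-08-03T07:00:00", "acct-6001", "192.0.2.44", "dev-c1"),
    ("2020-08-04T07:00:00", "acct-6002", "192.0.2.44", "dev-c2"),
    ("2020-08-05T07:00:00", "acct-6003", "192.0.2.44", "dev-c3"),
    # One device rotating source IPs: only the device view catches it.
    ("2020-08-03T10:00:00", "acct-7001", "198.51.100.91", "dev-d"),
    ("2020-08-03T10:03:00", "acct-7002", "198.51.100.92", "dev-d"),
    ("2020-08-03T10:09:00", "acct-7003", "198.51.100.93", "dev-d"),
]
IP, DEVICE = 2, 3                      # tuple positions usable as grouping key
WINDOW = timedelta(minutes=30)         # assumed meaning of "short period of time"
MIN_ACCOUNTS = 3                       # assumed threshold for "multiple" accounts


def shared_source_alerts(events, key, window=WINDOW, min_accounts=MIN_ACCOUNTS):
    """Map each source (IP or device) to the accounts it logged in to, for
    sources that reached min_accounts distinct accounts inside one window."""
    by_source = defaultdict(list)
    for event in events:
        by_source[event[key]].append((datetime.fromisoformat(event[0]), event[1]))

    alerts = {}
    for source, logins in by_source.items():
        logins.sort()
        start = 0
        for end in range(len(logins)):
            # Slide the window start forward until it spans at most `window`.
            while logins[end][0] - logins[start][0] > window:
                start += 1
            accounts = {account for _, account in logins[start:end + 1]}
            if len(accounts) >= min_accounts:
                alerts.setdefault(source, set()).update(accounts)
    return {source: sorted(accounts) for source, accounts in alerts.items()}


if __name__ == "__main__":
    print("by IP:", shared_source_alerts(EVENTS, IP))
    print("by device:", shared_source_alerts(EVENTS, DEVICE))
```

Grouping by device as well as by IP matters because a single device that changes source address between logins never trips the IP view.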

Phishing, Malware, and Extortion

FinCEN notes that there has been a significant increase in phishing scams[3], particularly targeting the healthcare and pharmaceutical industries. Many of these efforts pretend to offer access to much-needed supplies. These scams are most often done through email, but can be facilitated using telephone calls or text messages. The current wave of frauds focuses largely on COVID-19 themes, referencing pandemic relief programs, availability of high-priority supplies, and opportunities to invest in bogus cures or remedies.

Cybercriminals are also spreading malware[4], including ransomware[5], through these phishing attacks. FinCEN expects these types of intrusions to continue to increase, targeting entities actively responding to the pandemic. The advisory identifies these red flags for these threats:

  • “Information technology enterprise activity related to transaction processes or information is connected to cyber indicators that have been associated with possible illicit activity. Malicious cyber activity may be evident in system log files, network traffic, or file information.
  • Email addresses purportedly related to COVID-19 do not match the name of the sender or the corresponding domain of the company allegedly sending the message.
  • Unsolicited emails related to COVID-19 from untrusted sources encourage readers to open embedded links/files or to provide personal or financial information, such as usernames and passwords or other account credentials.
  • Emails from untrusted sources or addresses similar to legitimate telework vendor accounts offer remote application software, often advertised at no or reduced cost.
  • Emails contain subject lines identified by government or industry as associated with phishing campaigns (e.g., “Coronavirus Updates,” “2019-nCov: New confirmed cases in your City,” and “2019-nCov: Coronavirus outbreak in your city (Emergency)”).
  • Text messages have embedded links purporting to be from or associated with government relief programs and payments.
  • Embedded links or webpage addresses for purported COVID-19 resources have irregular uniform resource locators (URLs) that do not match that of the expected destination site or are similar to legitimate sites but with slight variations in the domain (e.g., variations in domain extensions like “.com,” “.org,” and “.us”) or web address spelling.”

Business Email Compromise (BEC) Schemes

BEC schemes focused on municipalities and healthcare-related companies are expected to rise during the pandemic. In these scams, bad actors impersonate critical players and insert themselves into transactions to cause fraudulent payments to be issued to them. The advisory identifies these red flags for this threat:

  • “A customer’s transaction instructions contain different language, timing, and amounts in comparison to prior transaction instructions, especially regarding transactions involving healthcare providers or supplies purchases.
  • Transaction instructions, typically involving a healthcare-sector counterparty or referencing purchase of healthcare or emergency response supplies, originate from an email account closely resembling, but not identical to, a known customer’s email account.
  • Emailed transaction instructions direct payment to a different account for a known beneficiary. The transmitter may claim a need to change the destination account as part of a COVID-19 pandemic response, such as moving the account to a financial institution in a jurisdiction less affected by the disease, and assert urgency to conduct the transaction.
  • Emailed transaction instructions request to move payment methods from checks to ACH transfers as a response to the pandemic.”
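The red flag about instructions arriving from an address "closely resembling, but not identical to" a known customer's can be screened for automatically before a payment change is processed. The following is an added example, not part of the advisory or of this article; the known-sender list is constructed, and the look-alike character table and distance threshold are assumptions.

```python
# Constructed sample data: addresses a customer has previously sent instructions from.
KNOWN_SENDERS = {
    "ap@northfield-medical.example",
    "billing@harborsupply.example",
}
# Small, assumed table of look-alike characters folded before comparison.
CONFUSABLE_CHARS = str.maketrans({"0": "o", "1": "l", "5": "s"})


def skeleton(address):
    """Fold case and common visual substitutions (1/l, 0/o, 5/s, rn/m, vv/w)."""
    folded = address.strip().lower().translate(CONFUSABLE_CHARS)
    return folded.replace("rn", "m").replace("vv", "w")


def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address, known=KNOWN_SENDERS, max_distance=2):
    """Return ("known" | "lookalike" | "unknown", matched known address or None)."""
    address = address.strip().lower()
    if address in known:
        return ("known", address)
    best = None
    for candidate in sorted(known):
        # Compare both the raw strings and their folded forms; keep the closer.
        distance = min(edit_distance(address, candidate),
                       edit_distance(skeleton(address), skeleton(candidate)))
        if distance <= max_distance and (best is None or distance < best[0]):
            best = (distance, candidate)
    return ("lookalike", best[1]) if best else ("unknown", None)


if __name__ == "__main__":
    for sender in ("ap@northfie1d-medical.example", "orders@unrelated-vendor.example"):
        print(sender, "->", classify_sender(sender))
```

A "lookalike" result is a triage signal for out-of-band verification with the customer, not proof of compromise.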

The 20 red flags in the advisory are useful tools for training surveillance and front-line staff and heightening their awareness of these fraud patterns. This information can be integrated into ongoing training curricula and used for informal department-level training conversations. As the environment continues to change, keeping staff informed about the latest fraud and criminal schemes is critical to maintaining the effectiveness of your financial crimes compliance program. FinCEN has added to those resources with this advisory.


[1] The Financial Crimes Enforcement Network is a bureau of the US Department of the Treasury that collects and analyzes information about financial transactions in order to combat domestic and international money laundering, terrorist financing, and other financial crimes.

[2] Advisory on Cybercrime and Cyber-Enabled Crime Exploiting the Coronavirus Disease 2019 (COVID-19) Pandemic; FIN-2020-A005; July 30, 2020

[3] In the advisory, FinCEN defines phishing as “scams target[ing] individuals with communications appearing to come from legitimate sources to collect victims’ personal and financial data and potentially infect their devices by convincing the target to download malicious programs.”

[4] In the advisory, FinCEN describes malware as software that can “enable criminals to access compromised computers and computer systems to steal credentials, exfiltrate sensitive information through mechanisms like screenshots or keylogging, alter account information, and conduct fraudulent transactions.”

[5] In the advisory, FinCEN defines ransomware as “a specific type of malware, typically encrypts data on systems in the interest of extorting ransom payment from victims in exchange for decrypting the information and giving victims access to their systems again.”