The Financial Crimes Enforcement Network (FinCEN) issued an advisory to alert financial institutions to potential indicators of cybercrime and cyber-enabled crime observed during the COVID-19 pandemic. The advisory contains descriptions of COVID-19-related malicious cyber activity and scams, associated financial red flag indicators, and information on reporting suspicious activity.
The advisory is based on FinCEN’s analysis of COVID-19-related information obtained from Bank Secrecy Act data, open source reporting and law enforcement partners. FinCEN said it will post further COVID-19-related information for financial institutions on its website at https://www.fincen.gov/coronavirus to help enhance their efforts to detect, prevent, and report suspected illicit activity.
It noted first: “The significant migration toward remote access in the pandemic environment presents opportunities for criminals to exploit financial institutions’ remote systems and customer-facing processes. Cybercriminals and malicious state actors are targeting vulnerabilities in remote applications and virtual environments to steal sensitive information, compromise financial activity, and disrupt business operations.”
It pointed out that remote identity processes also face significant risks, including:
- “Digital Manipulation of Identity Documentation: Criminals often seek to undermine online identity verification processes through the use of fraudulent identity documents, which can be created by manipulating digital images of legitimate government-issued identity documents to alter the information and/or photos displayed.
- Leveraging Compromised Credentials Across Accounts: Cybercriminals commonly undermine weak authentication processes in attempted account takeovers via methods such as credential stuffing attacks. In these attacks, cybercriminals generally use lists of stolen account credentials (typically usernames or email addresses, and associated passwords) to conduct automated login attempts to gain unauthorized access to victim accounts.”
It stated that financial red flag indicators of this sort of activity might include:
- “The spelling of names in account information does not match the government-issued identity documentation provided for online onboarding.
- Pictures in identity documentation, especially areas around faces, are blurry or low resolution, or have aberrations. Pictures in identity documentation or other images of persons in remote identity verification show signs indicating possible image manipulation.
- Images of identity documentation have visual irregularities that indicate digital manipulation of the images, especially around information fields likely to have been changed to conduct synthetic identity fraud.
- A customer’s physical description on identity documentation does not match other images of the customer.
- A customer refuses to provide supplemental identity documentation or delays producing supplemental documentation.
- Customer logins occur from a single device or Internet Protocol (IP) address across multiple seemingly unrelated accounts, often within a short period of time.
- The IP address associated with logins does not match the stated address in identity documentation.
- Customer logins occur within a pattern of high network traffic with decreased login success rates and increased password reset rates.
- A customer calls a financial institution to change account communication methods and authentication information, then quickly attempts to conduct transactions to an account that never previously received payments from the customer.”
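Two of the login-related indicators above (one IP spanning many unrelated accounts in a short period, and bursts of traffic with a low login success rate and elevated password resets) translate directly into detection logic. The following is an added example, not code from FinCEN or the advisory; it runs over constructed login events, and the thresholds (five accounts, ten-minute window, 30% success, 10% resets) are assumed values an institution would tune to its own baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login events (not from the advisory), as (timestamp, source_ip, account, outcome):
# one IP cycling through unrelated accounts within seconds, mostly failing, plus a password reset.
SAMPLE_EVENTS = [
    ("2020-07-20T10:00:01", "203.0.113.7", "acct-1001", "failure"),
    ("2020-07-20T10:00:03", "203.0.113.7", "acct-2048", "failure"),
    ("2020-07-20T10:00:05", "203.0.113.7", "acct-3311", "success"),
    ("2020-07-20T10:00:09", "203.0.113.7", "acct-4502", "failure"),
    ("2020-07-20T10:00:12", "203.0.113.7", "acct-5990", "reset"),
    ("2020-07-20T10:00:15", "203.0.113.7", "acct-6123", "failure"),
    ("2020-07-20T10:05:00", "198.51.100.4", "acct-7777", "success"),
    ("2020-07-20T11:30:00", "198.51.100.9", "acct-1001", "success"),
]

def parse(events):
    """Turn ISO timestamps into datetime objects; the other fields pass through unchanged."""
    return [(datetime.fromisoformat(ts), ip, acct, out) for ts, ip, acct, out in events]

def ips_spanning_accounts(events, min_accounts=5, window=timedelta(minutes=10)):
    """Red flag: one IP reaching >= min_accounts distinct accounts inside `window`; returns {ip: count}."""
    by_ip = defaultdict(list)
    for ts, ip, acct, _ in parse(events):
        by_ip[ip].append((ts, acct))
    flagged = {}
    for ip, rows in by_ip.items():
        rows.sort()
        for i, (start, _) in enumerate(rows):  # slide a window starting at each login
            accts = {a for t, a in rows[i:] if t - start <= window}
            if len(accts) >= min_accounts:
                flagged[ip] = len(accts)
                break
    return flagged

def stuffing_windows(events, window=timedelta(minutes=10), min_attempts=5,
                     max_success_rate=0.3, min_reset_rate=0.1):
    """Red flag: a burst of logins with a low success rate and elevated resets; returns window start times."""
    rows = sorted(parse(events))
    flagged = []
    for i, (start, *_) in enumerate(rows):
        bucket = [r for r in rows[i:] if r[0] - start <= window]
        if len(bucket) < min_attempts:  # too little traffic to call it a burst
            continue
        success_rate = sum(r[3] == "success" for r in bucket) / len(bucket)
        reset_rate = sum(r[3] == "reset" for r in bucket) / len(bucket)
        if success_rate <= max_success_rate and reset_rate >= min_reset_rate:
            flagged.append(start.isoformat())
    return flagged
```

Both checks are meant to run alongside, not instead of, the document and identity checks listed above: a shared corporate NAT or a password-reset campaign can trigger either one on its own.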
It also noted that FinCEN and U.S. law enforcement have observed increases in both broad-based and targeted phishing campaigns attempting to lure companies with offers of COVID-19 information and supplies.
“In these new schemes, phishing scammers will often reference COVID-19 themes, such as payments related to the Coronavirus Aid, Relief and Economic Security (CARES) Act, in the subjects and bodies of emails,” the advisory stated. “Some phishing emails lure victims by advertising ways to make money, such as through investing in convertible virtual currencies (CVCs) or via domain names that mimic names of organizations, including those that provide or enable telework capabilities. Cybercriminals are also distributing malware, including ransomware, through phishing emails, malicious websites and downloads, domain name systems (DNS) hijacking or spoofing attacks, and fraudulent mobile applications. These techniques can be applied in broader campaigns involving social media, such as the recent exploit targeting Twitter and prominent users of the platform. Financial institutions dealing in CVC should be especially alert to the potential use of their institutions to launder proceeds affiliated with cybercrime, illicit darknet marketplace activity, and other CVC-related schemes and take appropriate risk mitigation steps consistent with their BSA obligations.”
FinCEN also stated that instances of extortion will continue to grow in the wake of the COVID-19 pandemic. It noted that so far in 2020, FinCEN has received numerous suspicious activity reports involving ransomware.
“We expect criminals to continue targeting entities that are vulnerable due to their involvement in pandemic response, such as researchers working on medical treatments or manufacturers of personal protective equipment,” FinCEN stated. “In other instances of extortion, criminals are threatening to expose victims and their families to COVID-19 if they do not pay the extortion fee. In almost all cases, criminals require ransomware-related extortion payments to be made in CVC.”
It listed financial red flag indicators for that sort of activity:
- “Information technology enterprise activity related to transaction processes or information is connected to cyber indicators that have been associated with possible illicit activity. Malicious activity may be evident in system log files, network traffic or file information.
- Email addresses purportedly related to COVID-19 do not match the name of the sender or the corresponding domain of the company allegedly sending the message.
- Unsolicited emails related to COVID-19 from untrusted sources encourage readers to open embedded links/files or to provide personal or financial information, such as usernames and passwords or other account credentials.
- Emails from untrusted sources or addresses similar to legitimate telework vendor accounts offer remote application software, often advertised at no or reduced costs.
- Emails contain subject lines identified by government or industry as associated with phishing campaigns.
- Text messages have embedded links purporting to be from or associated with government relief programs and payments.
- Embedded links or webpage addresses for purported COVID-19 resources have irregular uniform resource locators (URLs) that do not match that of the expected destination site or are similar to legitimate sites but with slight variations in the domain or web address spelling.”
The advisory also noted that cybercriminals have exploited the COVID-19 pandemic by using business email compromise (BEC) schemes.
“A common BEC scheme involves criminals convincing companies to redirect payments to new accounts, while claiming the modification is due to the pandemic-related changes in business operations,” the advisory stated. “BEC criminals often use spoofed or compromised email accounts to communicate these urgent, last-minute payment changes. In the COVID-19 environment, criminals insert themselves into communications by impersonating a critical player in a business relationship or transaction, typically posing as providers of healthcare supplies, to intercept or fraudulently induce a payment for critically needed supplies.”
Red flag indicators for BEC schemes include:
- “A customer’s transaction instructions contain different language, timing and amounts in comparison to prior transaction instructions, especially regarding transactions involving healthcare providers or supplies purchases.
- Transaction instructions, typically involving a healthcare-sector counterparty or referencing purchase of healthcare or emergency response supplies, originate from an email account closely resembling, but not identical to, a known customer’s email account.
- Emailed transaction instructions direct payments to a different account for a known beneficiary. The transmitter may claim a need to change the destination account as part of a COVID-19 pandemic response, such as moving the account to a financial institution in a jurisdiction less affected by the disease, and assert urgency to conduct the transaction.
- Emailed transaction instructions request to move payment methods from checks to ACH transfers as a response to the pandemic.”
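The phishing indicator about URLs that are "similar to legitimate sites but with slight variations in the domain or web address spelling" and the BEC indicator about instructions from "an email account closely resembling, but not identical to, a known customer’s email account" are the same detection problem: near matches against an allowlist. The following is an added example, not code from FinCEN or the advisory; the allowlisted domains and contacts are constructed, and the homoglyph table and two-edit threshold are assumptions to be tuned.

```python
# Constructed allowlist of known-good domains and contacts for the example (not from the advisory).
KNOWN_DOMAINS = {"example-bank.com", "medsupply.example", "telework-vendor.example"}
KNOWN_CONTACTS = {"orders@medsupply.example", "ap@example-bank.com"}

# Substitutions that make one label look like another; normalising both sides before the
# edit-distance comparison catches "rn" for "m", "0" for "o", "1" for "l" and similar tricks.
_HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("|", "l"), ("3", "e"), ("5", "s")]

def normalize(label):
    label = label.lower()
    for src, dst in _HOMOGLYPHS:
        label = label.replace(src, dst)
    return label

def levenshtein(a, b):
    """Classic edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain, known=KNOWN_DOMAINS, max_distance=2):
    """Return the known domain that `domain` resembles (within max_distance edits after
    normalisation), or None when it is an exact allowlisted match or simply unrelated."""
    d = domain.lower().rstrip(".")
    if d in known:
        return None  # exact allowlisted match is not a lookalike
    nd = normalize(d)
    best = None
    for k in known:
        dist = levenshtein(nd, normalize(k))
        if dist <= max_distance and (best is None or dist < best[1]):
            best = (k, dist)
    return best[0] if best else None

def email_lookalike(addr, known_contacts=KNOWN_CONTACTS, max_distance=2):
    """Flag a sender address that closely resembles, but is not identical to, a known contact."""
    addr = addr.lower()
    if addr in known_contacts or not known_contacts:
        return None
    dist, closest = min((levenshtein(normalize(addr), normalize(k)), k) for k in known_contacts)
    return closest if dist <= max_distance else None
```

A hit from either function is a reason to verify payment instructions out of band with a known-good contact, which is the control the BEC indicators above point to.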