The Financial Crimes Enforcement Network (FinCEN) has issued two advisories to alert financial institutions to scams related to the COVID-19 pandemic, and has stated that it intends to continue to issue similar alerts.  The advisories, based on FinCEN’s analysis of COVID-19-related information obtained through Bank Secrecy Act (BSA) data, public reports, and law enforcement partners are intended to aid financial institutions in detecting, preventing, and reporting potential COVID-19-related criminal activity and provide “red flags” that may assist financial institutions in identifying suspicious activity.

Most recently, FinCEN issued an alert on July 7, 2020, describing indicators of imposter scams and money mule schemes, which FinCEN said illicit actors are using to take advantage of the COVID-19 pandemic.  On May 18, 2020, FinCEN issued an advisory alerting financial institutions to the rise in medical scams related to the pandemic.  These alerts follow earlier COVID-19-related guidance from FinCEN that, in part, identified certain trends of potential suspicious activity, and advised financial institutions to be alert for the kind of malicious or fraudulent transactions that it suggested are common with natural disaster.  FinCEN requested that financial institutions reference the consumer fraud advisory by including the term “COVID19 MM FIN-2020-A003” in SAR field 2 and reference the medical scam advisory by including “COVID19 FIN-2020-A002”.

Consumer Fraud Scams

On July 7, 2020, FinCEN issued an advisory alerting financial institutions to indicators of imposter scams and money mule schemes; two forms of consumer fraud that FinCEN has observed during the COVID-19 pandemic.

Imposter scams involve criminals impersonating organizations such as government agencies, non-profit groups, universities, or charities to offer fraudulent services or to defraud victims.  FinCEN described the basic methodology of an imposter scam as one that “involves an actor (1) contacting a target under the false pretense of representing an official organization, and (2) coercing or convincing the target to provide funds or valuable information, engage in behavior that causes the target’s computer to be infected with malware, or spread disinformation.”  Based on FinCEN’s analysis of COVID-19-related information obtained from Bank Secrecy Act (BSA) data, open source reporting, and law enforcement partners, in COVID-19-related scams, imposters may pose as officials from the U.S. Internal Revenue Service (IRS), the Center for Disease Control and Prevention (CDC), the World Health Organization (WHO), or other healthcare and non-profit groups and academic institutions.  These illicit actors may use the scams to deceive vulnerable populations, such as the elderly or unemployed, through the solicitation of payments, donations, or personal information through email, robocalls, and text messages.

FinCEN included in the alert the following list of “red flags” to help financial institutions identify and report suspicious activity related to imposter scams:

  • A customer indicating that a person claiming to represent a government agency contacted them asking for personal or bank account information to verify, process, or expedite Economic Impact Payments (“EIPs”), unemployment insurance, or other benefits. FinCEN suggested that financial institutions remain alert to communications emphasizing “stimulus check” or “stimulus payment” in solicitations to the public, sometimes claiming that the fraudulent entity can expedite the “stimulus check” or other government payment on behalf of the beneficiary for a fee paid by gift card or prepaid card;
  • Receipt of a document that appears to be a check or prepaid debit card from the U.S. Treasury, often in an amount less than the expected EIP, with instructions to contact the fraudulent government agency, via a phone number or online, to verify personal information in order to receive the entire benefit;
  • Unsolicited communications from purported trusted sources or government programs related to COVID-19, instructing readers to open embedded links or files or to provide personal or financial information, including account credentials (e.g., usernames and passwords);
  • Email addresses in COVID-19 correspondence that do not match the name of the sender, contain misspellings, or do not end in the corresponding domain of the organization from which the message allegedly was sent. For example, while government agencies will use “.gov” or “.mil”; many legitimate charities will use “.org”; and WHO emails will contain “@who.int”, fraudsters may use “.com” or “.biz” in place of the expected domain;
  • Email correspondence that contains subject lines that government or industry have identified as being associated with phishing campaigns, or that contains embedded links or webpage addresses for purported COVID-19 resources that have irregular URLs (e.g., slight variations in domain extensions like “.com,” “.org”; and “.us”). Examples of U.S. government-identified COVID-10 phishing email subject lines include “2020 Coronavirus Updates,” “Coronavirus Updates,” “2019-nCov: New confirmed cases in your City,” and “2019-nCov: Coronavirus outbreak in your city (Emergency)”;
  • Solicitations where the person, email, or social media advertisement seeks donations on behalf of a reputable organization, but is not affiliated with the reputable organization (e.g., the solicitor is not recognized or endorsed as an employee or volunteer by the organization, the email address is misspelled or not connected to the organization, or the social media advertisement directs individuals to an unaffiliated website);
  • A charitable organization soliciting donations that (1) does not have an in-depth history, financial reports, IRS annual returns, documentation of their tax-exempt status, or (2) cannot be verified by using various internet-based resources that may assist in confirming the group’s existence and its non-profit status;

Money mule schemes use witting, unwilling, or complicit participants, to move illegally acquired money.  During the COVID-19 pandemic, FinCEN noted that U.S. authorities have detected illicit actors using money mule schemes involving good-Samaritan, romance, and work-from-home schemes and have identified criminals using money mules to exploit unemployment insurance programs during the COVID-19 pandemic.

FinCEN included in the alert a list of “red flags” specific to money mule schemes:

  • The customer’s personal bank account starts to receive transactions that do not fit his or her transactional history profile, including overseas transactions, the purchase of large sums of convertible virtual currency, or transactions in large fiat amounts, or the account generally had a low balance until the customer became involved in a money mule scheme. When asked about the changes in transactions, the customer declines requests for “know your customer” documents or inquiries regarding sources of funds, and may mention COVID-19, relief work or a “work-from-home” opportunity as the source of the income;
  • The customer opens a new bank account in the name of a business and someone shortly thereafter transfers the funds out of the account. The person transferring the funds could be the registered accountholder or someone else, and may keep a portion of the money he or she transferred (per instruction of the scammer).  FinCEN noted that while this activity, in and of itself, may not be suspicious, it may become so if the individual provides unsatisfactory answers to the financial institution’s inquiries, declines to provide essential “know your customer” documents, or mentions COVID-19, relief work, or “work from home” opportunities as the source of the funds;
  • The customer opens accounts in his or her name at multiple banks so he or she may receive money from various individuals or businesses, then moves the money to other accounts at the direction of the customer’s purported employer;
  • The customer receives multiple state unemployment insurance payments to his or her account, or to multiple accounts held at the same financial institution, within the same disbursement timeframe (e.g., weekly or biweekly payments) issues from or multiple states;
  • The customer’s account(s) receives an unemployment deposit from a different state in which he or she reportedly resides or has previously worked;
  • The customer’s account receives unemployment insurance payments for numerous employees or the accountholder name and ACH program “remit to” name do not match;
  • Deposited funds are quickly diverted via wire transaction to foreign accounts located within countries known for having poor anti-money laundering controls;
  • The customer makes one or more atypical transactions involving an overseas account, especially through unusual payment methods for the customer. When asked about the transaction, the customer indicates it is for a person located overseas who is in need of financial assistance because of the COVID-19 pandemic;
  • Documentation from the customer shows that the purported employer or recruiter uses a common web-based, free email service instead of a company-specific email. For example, instead of a company- or organization-specific email address, such as first.lastname@ABCcompany.com or lastname@XYZ.NGO.org, the email address is from a common and free email address provider;
  • The customer provides information that his or her purported employer asked the customer to receive funds into his or her personal bank account, so that the employer can then process or transfer funds via wire transfer, ACH, mail, or money services businesses out of the customer’s personal account; and
  • The customer states, or information shows, that an individual, whom the customer may not have known previously, requested financial assistance to send/receive funds through the customer’s personal account, including requested by individuals claiming to be a U.S. Service member who is reportedly stationed abroad; a U.S. citizen working or traveling abroad; or a U.S. citizen quarantined abroad.

Medical Scams

FinCEN had earlier issued an advisory on May 18, 2020, alerting financial institutions to rising medical scams related to the COVID-19 pandemic.  Based on BSA information, and information collected from other federal agencies, foreign government partners, and public sources, FinCEN informed financial institutions of possible illicit activities related to the COVID-19 pandemic.  Such scams include those in which (1) fraudulent COVID-19-related cures, tests, vaccines, and associated services are offered to the public; (2) a customer pays a company for goods the customer will never receive; and (3) bad actors engage in price gouging and hoarding of medical-related items, such as face masks and hand sanitizer.

In the alert, FinCEN identified the following “red flags” to help financial institutions identify and report suspicious activity related to COVID-19-related medical scams:

  • Medical-Related Frauds, Including Fraudulent Cures, Tests, Vaccines, and Services
    • S. authorities, such as the Federal Trade Commission (“FTC”), the Food and Drug Administration (“FDA”), or the Department of Justice (“DOJ”), have identified the company, merchant, or business owners as selling fraudulent products;
    • A web-based search or review of advertisements indicates that a merchant is selling at-home COVID-19 tests, vaccines, treatments, or cures;
    • The customer engages in transactions to or through personal accounts related to the sale of medical supplies, which could indicate that the selling merchant is an unregistered or unlicensed business or is conducting fraudulent medical-related transactions;
    • The financial institution’s customer has a website with one or more indicia of suspicion, including a name/web address similar to real and well-known companies, a limited internet presence, a location outside of the United States, and/or the ability to purchase pharmaceuticals without a prescription when one is usually required;
    • The product’s branding images found in an online marketplace appear to be slightly different from the legitimate product’s images, which may indicate a counterfeit product;
    • The merchant is advertising the sale of highly sought-after goods related to the COVID-19 pandemic and response at either deeply discounted or highly inflated prices;
    • The merchant is requesting payments that are unusual for the type of transaction or unusual for the industry’s pattern of behavior. For example, instead of a credit card payment, the merchant requires a pre-paid card, the use of a money services business, convertible virtual currency, or that the buyer send funds via an electronic funds transfer to a high-risk jurisdiction; and
    • FinCEN also stated that financial institutions might detect patterns of high chargebacks and return rates in their customer’s accounts, which may be indicative of merchant fraud in general.
  • Non-Delivery Fraud of Medical-Related Goods Scams
    • The merchant does not appear to have a lengthy corporate history (e.g., the business was established within the last few months), lacks physical presence or address, or lacks an Employer Identification Number (“EIN”). Additionally, if the merchant has an address, there are noticeable discrepancies between the address and a public record search for the company or the street address, multiple businesses at the same address, or the merchant is located in a high-risk jurisdiction or a region that is not usually associated with the merchandise they are selling;
    • Searches in corporate databases reveal that the merchant’s listing contains a vague or inappropriate company name, multiple unrelated names, a suspicious number of name variations, multiple “doing business as” (“DBA”) names, or does not align with its business model;
    • Merchants are reluctant to provide the customer or the financial institution that is processing that transactions with invoices or other documentation supporting the stated purpose of trade-related payments;
    • The financial institution does not understand the merchant’s business model, and has difficulty determining the true nature of the company and its operations;
    • The merchant cannot provide shipment-tracking numbers to the customer or proof of shipment to a financial institution so it may process related financial instructions;
    • The merchant claims several last minute and suspicious delays in shipment or receipt of goods. For example, the merchant claims that the equipment was seized at port or by authorities, that customs has not released the shipment, or that the shipment is delayed on a vessel and cannot provide any additional information about the vessel to the customer or their financial institution;
    • The merchant cannot explain the source of the goods or how the merchant acquired bulk supplies of highly sought-after goods related to the COVID-19 pandemic;
    • Domestic or foreign governments have identified the merchant or its owners/incorporators as being associated with fraudulent criminal activities; and
    • A newly-opened account receives a large wire transaction that the account holder failed to mention during the account opening process.
  • Price Gouging and Hoarding of Medical-Related Items
    • In addition to the use of personal accounts for business purposes, a customer begins using their personal accounts for business-related transactions after January 2020, and sets up a medical supply company or is selling highly sought-after COVID-19-related goods online, such as hand sanitizer, toilet paper, masks and anti-viral disinfectant cleaning supplies;
    • The customer begins using their money services or bank account differently;
    • The customer’s accounts are receiving or sending electronic fund transfers (“EFT”) to/from a newly established company that has no known physical or internet presence;
    • The customer’s account is used in transactions for COVID-19-related goods, such as masks and gloves, with a company that is not a medical supply distributor, is involved in other non-medical-related industries, or is not known to have repurposed its manufacturing to create medical-related goods.; and
    • The customer makes unusually large deposits that are inconsistent with the customer’s profile or account history. Upon further investigation, the customer states, or open-source research indicates, that the customer was selling COVID-19-related goods not usually sold by the customer.

Practical Considerations

FinCEN’s guidance throughout the COVID-19 pandemic makes clear that the agency expects financial institutions to remain vigilant against efforts by fraudsters and other bad actors to take advantage of the pandemic.

Institutions should consider the “red flags” identified by the agency in these advisories, in addition to other available information, and consider incorporating them as part of their suspicious activity monitoring.

As the environment surrounding the COVID-19 pandemic continues to evolve, financial institutions should continue to watch for additional guidance from FinCEN and other regulators.