2020-09-28

Advisory on Cyber Crimes and Cyber-Enabled Crimes Exploiting the COVID-19 Pandemic (FinCEN Advisory FIN-2020-A005 Spanish)

The Financial Crimes Enforcement Network (FinCEN) issued this advisory to alert financial institutions to cyber-enabled crimes and frauds exploiting the COVID-19 pandemic, including phishing, ransomware, and business email compromise. The document details specific warning signs related to remote access vulnerabilities, identity manipulation, and extortion schemes targeting healthcare and municipal entities. It mandates that institutions file Suspicious Activity Reports (SARs) using specific keywords and fields to facilitate the tracking and investigation of these illicit activities.


United States

Financial Crimes Enforcement Network


FIN-2020-A005 July 30, 2020

Advisory on Cyber Crimes and Cyber-Enabled Crimes Exploiting the 2019 Coronavirus Disease (COVID-19) Pandemic

Detecting, preventing, and reporting illicit transactions and cyber activity will assist in protecting legitimate COVID-19 relief efforts and safeguarding financial institutions and their clients from malicious cybercriminals and state-sponsored threat actors.

This advisory should be communicated to:
• Chief Executive Officers
• Chief Operating Officers
• Chief Compliance Officers
• Chief Risk Officers
• AML/BSA Departments
• Legal Departments
• Security and Cybersecurity Departments
• Customer Service Agents
• Bank Tellers

Suspicious Activity Report (SAR) Filing Request: FinCEN requests that financial institutions cite this advisory in field 2 of the SAR (Institution-to-FinCEN Note) and the description by entering the following keyword: “COVID19-CYBER FIN-2020-A005” and selecting field 42 of the SAR (Cyber Event). Additional guidance for completing the SAR appears at the end of this advisory.

Introduction

The Financial Crimes Enforcement Network (FinCEN) issues this advisory to alert financial institutions to potential indicators of cyber crimes and cyber-enabled crimes observed during the COVID-19 pandemic. Many bad actors are carrying out fraudulent scams that exploit vulnerabilities created by the pandemic. This advisory describes COVID-19-related cyberattacks and cyber scams, lists their warning signs, and explains how to report suspicious activity.

This advisory aims to assist financial institutions in detecting, preventing, and reporting possible illicit activities related to COVID-19. It is based on FinCEN’s analysis of COVID-19-related information obtained from data provided under the Bank Secrecy Act (BSA), public domain reports, and law enforcement agency partners. FinCEN will continue to publish COVID-19-related information for financial institutions to help them improve their efforts to detect, prevent, and report suspicious illicit activities on its website, https://www.fincen.gov/coronavirus, which also contains information on how to register to receive updated information from FinCEN.

Warning Signs of Cyber Crimes and Cyber-Enabled Crimes Exploiting COVID-19

This advisory addresses the primary means by which cybercriminals and state-sponsored threat actors are increasingly exploiting the COVID-19 pandemic: cyber-enabled crimes via malware and phishing, extortion, business email compromise (BEC), and exploitation of remote applications, particularly against financial and health systems.[1]

  1. See the Department of Justice (DOJ) press release, “Department of Justice Announces Disruption of Hundreds of Online COVID-19 Related Scams” (April 22, 2020); the United Kingdom’s National Cyber Security Centre (NCSC) press release, “Public Urged to Flag Coronavirus Related Email Scams as Online Security Campaign Launches” (April 21, 2020); the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) notice, “Defending Against COVID-19 Cyber Scams” (March 6, 2020); the Europol report, “Pandemic Profiteering: How Criminals Exploit the COVID-19 Crisis” (March 27, 2020); the DHS CISA and Federal Bureau of Investigation (FBI) public service announcement, “People’s Republic of China (PRC) Targeting of COVID-19 Research Organizations” (May 13, 2020); the FBI Internet Crime Complaint Center (IC3) public service announcement, “Increased Use of Mobile Banking Apps Could Lead to Exploitation” (June 10, 2020); and the joint DHS CISA, National Security Agency, NCSC, and Canada Communications Security Establishment advisory, “APT29 Targets COVID-19 Vaccine Development” (July 16, 2020).

FinCEN has identified the following warning signs of cyber-enabled crimes exploiting COVID-19[2] to help financial institutions detect, prevent, and report suspicious transactions related to the pandemic. Because no single warning sign is by itself an indication of illicit or suspicious activity, financial institutions should consider other contextual information and related facts and circumstances, such as the customer’s financial activity history, whether the transactions align with prevailing business practices, and whether the customer presents multiple indicators, before determining that a transaction is suspicious or indicative of possibly fraudulent activity related to COVID-19. Consistent with the risk-based approach to BSA compliance, financial institutions are also encouraged to conduct additional due diligence and investigation when appropriate. Some of the warning signs described below apply to more than one type of COVID-19-related fraud. Because many scammers target a financial institution’s customers directly, institutions should remain alert to suspicious activity involving their customers.

  2. For the purposes of this advisory, cyber-enabled crimes refer to illicit activities (such as fraud, identity theft, etc.) that are carried out or facilitated through electronic systems and devices such as networks and computers. See FinCEN Advisory, FIN-2016-A005, “Advisory to Financial Institutions on Cyber-Events and Cyber-Enabled Crime” (October 25, 2016).

Attack and Exploitation of Remote Platforms and Processes

The large-scale migration to remote access during the pandemic gives criminals opportunities to exploit financial institutions’ remote systems and the processes those institutions direct at their customers. Cybercriminals and state-sponsored threat actors take advantage of vulnerabilities in remote applications and virtual environments to steal confidential information, compromise financial activity, and disrupt business operations.[3]

  3. For information regarding cybersecurity vulnerabilities and exposures disseminated to the public, see the U.S. Department of Commerce’s National Institute for Standards and Technology (NIST) “National Vulnerability Database”; MITRE, “Common Vulnerabilities and Exposures: CVE List Home”; and FBI IC3 public service announcements, “Cyber Actors Take Advantage of COVID-19 Pandemic to Exploit Increased Use of Virtual Environments” (April 1, 2020) and “Increased Use of Mobile Banking Apps Could Lead to Exploitation” (June 10, 2020). See also the prepared remarks presented by FinCEN Director Kenneth A. Blanco at the “Consensus Blockchain Conference (Virtual)” (May 13, 2020).

Remote identification processes[4] also face significant risks, which may include:

  4. For the purposes of this advisory, “remote identification processes” includes remote customer onboarding and identity verification processes, as well as customer authentication for account access purposes. For more information on digital identity criteria, see NIST guidelines, “Digital Identity Guidelines” (December 1, 2017) and the Financial Action Task Force (FATF), “Guidance on Digital Identity” (March 6, 2020).

• Digital manipulation of identity documents: Criminals frequently attempt to defeat online identity verification processes by using fraudulent identification documents. These can be produced by digitally manipulating images of legitimate government-issued identity documents to alter the information or photos they contain.[5]

  5. Criminals exploiting identity verification processes typically use information related to a real person’s identity (known as identity theft) or fabricate a new identity that usually consists of a real identifier, such as a social security number or driver’s license, along with other false information (known as synthetic identity fraud). For more information on examples of typologies and financial warning signs involving identity theft or fraud, see the FinCEN report, “Identity Theft: Trends, Patterns, and Typologies Reported in Suspicious Activity Reports” (October 2010).

• Exploiting compromised credentials to access multiple accounts: Cybercriminals frequently exploit weaknesses in authentication processes to attempt account takeovers, using methods such as credential stuffing attacks. In these attacks, cybercriminals take lists of stolen account credentials (usernames or email addresses with their passwords) and replay them in automated login attempts to gain unauthorized access to victims’ accounts.
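The defender-side signature of credential stuffing follows from the description above: one source replays stolen credentials against many different accounts in a short time, and the few that succeed are the takeovers. The following is an added example, not code from the advisory; the log line format, the sample log, the five-minute window and the five-account threshold are all constructed assumptions for the illustration.

```python
"""Detect credential-stuffing patterns in authentication logs.

Credential stuffing replays stolen username/password pairs against many
accounts, so the signature worth alerting on is many *distinct* usernames
failing from one source within a short window, often followed by a single
success. The log format, thresholds and sample lines are constructed for
this example (hypothetical, not a real product's log format).
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed log format: "<ISO timestamp>Z src=<ip> user=<name> result=OK|FAIL"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "src": m["src"],
        "user": m["user"],
        "result": m["result"],
    }


def find_stuffing_sources(lines, window=timedelta(minutes=5), min_distinct_users=5):
    """Return {src: set(users)} for each source whose failed logins, inside any
    sliding `window`, touched at least `min_distinct_users` distinct accounts.
    Lines are assumed to be in chronological order."""
    recent = defaultdict(deque)  # src -> deque of (ts, user) for FAIL events
    flagged = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["result"] != "FAIL":
            continue
        q = recent[ev["src"]]
        q.append((ev["ts"], ev["user"]))
        while q and ev["ts"] - q[0][0] > window:   # drop events outside the window
            q.popleft()
        users = {u for _, u in q}
        if len(users) >= min_distinct_users:
            flagged.setdefault(ev["src"], set()).update(users)
    return flagged


def successes_from_flagged_sources(lines, flagged):
    """Accounts that a flagged source logged into successfully: the likely takeovers."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev and ev["result"] == "OK" and ev["src"] in flagged:
            hits.append((ev["src"], ev["user"]))
    return hits


# Constructed sample: one customer mistyping a password, then a stuffing run
# from a second source that eventually lands on a valid credential pair.
SAMPLE_LOG = [
    "2020-07-30T09:00:01Z src=198.51.100.7 user=alice result=FAIL",
    "2020-07-30T09:00:09Z src=198.51.100.7 user=alice result=FAIL",
    "2020-07-30T09:00:20Z src=198.51.100.7 user=alice result=OK",
    "2020-07-30T09:10:00Z src=203.0.113.10 user=alice result=FAIL",
    "2020-07-30T09:10:01Z src=203.0.113.10 user=bob result=FAIL",
    "2020-07-30T09:10:02Z src=203.0.113.10 user=carol result=FAIL",
    "2020-07-30T09:10:03Z src=203.0.113.10 user=dave result=FAIL",
    "2020-07-30T09:10:04Z src=203.0.113.10 user=erin result=FAIL",
    "2020-07-30T09:10:05Z src=203.0.113.10 user=frank result=FAIL",
    "2020-07-30T09:10:06Z src=203.0.113.10 user=frank result=OK",
]

if __name__ == "__main__":
    flagged = find_stuffing_sources(SAMPLE_LOG)
    for src, users in flagged.items():
        print(f"stuffing source {src}: {len(users)} distinct accounts tried")
    for src, user in successes_from_flagged_sources(SAMPLE_LOG, flagged):
        print(f"possible takeover: {user} from {src}")
```

The check is per source rather than per account on purpose: a single customer who fails three times and then succeeds (the first source in the sample) never trips the distinct-account threshold, while the stuffing source is flagged before its first success, which is the point at which a lockout or step-up authentication can still prevent the takeover.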

Financial warning signs of this type of activity may include:[6]

  6. Id. See also the Interagency Guidelines on Identity Theft Detection, Prevention, and Mitigation, Title 16 of the Code of Federal Regulations, Part 681, Appendix A.

• Photos in identity documents are blurry, low resolution, or show aberrations, especially around the face. Photos in identity documents or other images of persons presented in remote identity verification processes[7] show visual signs of possible image manipulation (for example, inconsistent coloration near the edges of the face, or double edges or lines in facial features).

  7. Images used in identity verification that are not identity documents can be photos or videos of the customer (such as selfie images) taken as part of the financial institution’s onboarding process.

Phishing, Malware, and Extortion

FinCEN and U.S. law enforcement agencies have observed a considerable increase in broad and targeted phishing campaigns attempting to lure companies, particularly in the health sector and among pharmaceutical suppliers, with offers of COVID-19-related information and supplies.[8] Phishing scams target individuals through communications that appear to come from legitimate sources, in order to collect victims’ personal and financial information and potentially to infect their devices by convincing them to download malware.[9] Cybercriminals generally send phishing communications by email, but may also use phone calls or text messages. In these new fraud schemes, impersonators frequently reference COVID-19-related topics, such as payments under the Coronavirus Aid, Relief, and Economic Security (CARES) Act,[10] in the subject line and body of emails. Some phishing emails lure victims with purported money-making opportunities, for example investments in convertible virtual currency (CVC), or use domain names mimicking organization names, such as those of providers of telework capabilities.[11] Cybercriminals also distribute malware,[12] including ransomware, via phishing emails, downloads, malicious websites, domain name system (DNS) hijacking or spoofing, and fraudulent mobile applications. These techniques can be applied in broader campaigns involving social media, such as the recent attack targeting Twitter and prominent users of that platform.[13] Financial institutions handling CVC should be especially alert to the potential use of their institutions to launder proceeds of cyber crimes, darknet market (also known as dark web) activity, and other CVC-related scams, and should take appropriate measures to mitigate that risk in accordance with their BSA obligations.

  8. The United States Secret Service (USSS) and DHS CISA have observed an increase in the number of phishing, malware, and extortion campaigns linked to COVID-19. See the USSS press release, “Secret Service Issues COVID-19 (Coronavirus) Phishing Alert” (March 9, 2020).
  9. See the joint DHS CISA and UK NCSC notice (AA20-099A), “COVID-19 Exploited by Malicious Cyber Actors” (April 8, 2020); and DHS, “Common Scams: Know How to Spot a Fake.”
  10. Public Law 116–136, 116th Congress (2020).
  11. Since January 2020, tens of thousands of new domains with terms related to COVID-19, disaster response, or health sector activities (e.g., “quarantine,” “vaccine,” and “CDC”) have been registered. Many include or mimic the names of companies providing or facilitating telework capabilities. U.S. law enforcement agencies have dismantled hundreds of malicious domains used to exploit the pandemic. See FinCEN Advisory, FIN-2020-A003, “Advisory on Impostor Scams and ‘Money Mule’ Schemes Related to the 2019 Coronavirus Disease (COVID-19)” (July 7, 2020). See also the FBI press release, “FBI Expects a Rise in Scams Involving Cryptocurrency Related to the COVID-19 Pandemic” (April 13, 2020).
  12. Malware can allow criminals to access compromised computers and computer systems to steal credentials, leak confidential information through mechanisms such as screenshots or keystroke logging, change account information, and carry out fraudulent transactions.
  13. See FinCEN Alert, FIN-2020-Alert001, “FinCEN Alerts Financial Institutions to Convertible Virtual Currency Scam Involving Twitter” (July 16, 2020).

FinCEN also expects extortion cases to continue to increase after the COVID-19 pandemic. So far in 2020, FinCEN has received numerous Suspicious Activity Reports (SARs) involving ransomware[14] targeting medical centers and municipalities. Much of this ransomware was delivered using the COVID-19-related lures described above. FinCEN expects criminals to keep focusing on vulnerable entities involved in the pandemic response, such as medical treatment researchers or personal protective equipment manufacturers. In other extortion cases, criminals threaten to expose victims and their families to COVID-19 unless they pay the demanded sum. In almost all cases, criminals demand that extortion payments be made in CVC.[15]

  14. Ransomware is a type of malware that typically encrypts data on systems to extort ransom payments from victims in exchange for decrypting the information and restoring access to the victims’ systems.
  15. Financial institutions handling CVC should pay special attention to the laundering of proceeds linked to cyber crimes, darknet market activity, and other CVC-related scams. See FinCEN Advisory, FIN-2019-003, “Advisory on Illicit Activity Involving Convertible Virtual Currency” (May 9, 2019).

Financial warning signs of this type of activity may include, among others:
• A customer’s information technology activity, whether related to operations or to information processes, is linked to cyber indicators associated with possible illicit activity. Malicious cyber activity could be evident in system log files, network traffic, or file information.

  16. Since cyber indicators are useful warning signs that financial institutions can leverage to detect related and suspicious financial activity, FinCEN, DHS CISA, and the U.S. Department of the Treasury’s Office of Cybersecurity and Critical Infrastructure Protection (OCCIP) offer a wide range of resources on cyber indicators, such as: FinCEN’s Cyber Indicator Lists (CILs), which are disseminated through the FinCEN Secure Information Sharing System; OCCIP’s cyber indicator lists and circulars, available upon request; and DHS CISA’s cyber analytics products and services, including a comprehensive list of indicators of attacks linked to COVID-19 in CSV or XML STIX format, the Cyber Information Sharing and Collaboration Program (CISCP), and the Automated Indicator Sharing (AIS) program. Public-private and industry partnerships, such as the Financial Services Information Sharing and Analysis Center, and public and commercial cyber threat channels can also be useful resources.

Business Email Compromise (BEC)

Cybercriminals are increasingly exploiting the COVID-19 pandemic through BEC scams, particularly targeting municipalities and the healthcare supply chain. A common BEC scam involves criminals convincing companies to redirect payments to new accounts, claiming the change is due to pandemic-related modifications in business operations. Criminals conducting BEC scams tend to use compromised email accounts, also referred to as spoofed email accounts, to communicate these last-minute and urgent payment changes. In the COVID-19 context, criminals insert themselves into communications and pose as a key party in a business relationship or transaction. They usually pretend to be health supply providers in order to intercept an urgently needed supply payment or fraudulently induce such a payment.[17]

  17. See the FBI press release, “FBI Anticipates Rise in Business Email Compromise Schemes Related to the COVID-19 Pandemic” (April 6, 2020). See also the Europol press release, “Corona Crimes: Suspect Behind €6 Million Face Masks and Hand Sanitisers Scam Arrested Thanks to International Police Cooperation” (April 6, 2020).
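The BEC pattern described above (a request, sent from a compromised or spoofed mailbox, to redirect a payment to a new account, usually urgent) can be screened mechanically in accounts payable by comparing each payment-change request with the vendor of record. The following is an added example and not code from the advisory or from any FinCEN system; the vendor table, the sample requests, the `.example` domains and account numbers, and the hold/review/release labels are all constructed assumptions for the illustration.

```python
"""Screen vendor payment-change requests for BEC warning signs.

For each request the check asks three questions: does the sender's domain
match, or merely resemble, the vendor's domain on file; does the requested
beneficiary account differ from the account on file; and is the request
framed as urgent. Any domain anomaly or account change puts the payment on
hold pending out-of-band confirmation with a contact already on file.
Vendor data, requests and domains are constructed for this example.
"""
import unicodedata

# Constructed vendor-of-record table: the domain and account that accounts
# payable already holds for each supplier (hypothetical values).
VENDORS = {
    "V-1001": {"name": "Acme Medical Supply", "domain": "acme-medical.example",
               "account": "DE00000000000000001111"},
}

# Common digit-for-letter substitutions seen in lookalike domains.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "8": "b"})


def normalize_domain(domain):
    """Fold case, strip diacritics and map digit-for-letter substitutions."""
    d = unicodedata.normalize("NFKD", domain.lower())
    d = "".join(c for c in d if not unicodedata.combining(c))
    return d.translate(HOMOGLYPHS)


def edit_distance(a, b):
    """Levenshtein distance, used to catch single-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_relation(sender_domain, vendor_domain):
    """Classify the sender's domain as exact, lookalike or unrelated."""
    if sender_domain.lower() == vendor_domain.lower():
        return "exact"
    ns, nv = normalize_domain(sender_domain), normalize_domain(vendor_domain)
    if ns == nv or edit_distance(ns, nv) <= 2:
        return "lookalike"
    return "unrelated"


def screen_request(req):
    """Return the list of warning signs raised by one payment-change request."""
    vendor = VENDORS.get(req["vendor_id"])
    if vendor is None:
        return ["unknown vendor id"]
    findings = []
    sender_domain = req["from"].rsplit("@", 1)[-1]
    rel = domain_relation(sender_domain, vendor["domain"])
    if rel == "lookalike":
        findings.append(f"sender domain {sender_domain} mimics {vendor['domain']}")
    elif rel == "unrelated":
        findings.append(f"sender domain {sender_domain} is not the vendor's domain")
    if req["new_account"] != vendor["account"]:
        findings.append("beneficiary account differs from account on file")
    if req.get("urgent"):
        findings.append("request demands immediate payment")
    return findings


def decision(findings):
    """hold: confirm by phone with a contact already on file (never a number
    taken from the e-mail); review: manual look; release: no warning signs."""
    if any("account" in f or "domain" in f for f in findings):
        return "hold"
    return "review" if findings else "release"


# Constructed sample requests: a routine remittance notice and a BEC attempt
# from a lookalike domain asking for a new account under time pressure.
SAMPLE_REQUESTS = [
    {"vendor_id": "V-1001", "from": "billing@acme-medical.example",
     "new_account": "DE00000000000000001111", "urgent": False},
    {"vendor_id": "V-1001", "from": "billing@acme-medica1.example",
     "new_account": "GB00000000000000002222", "urgent": True},
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        findings = screen_request(req)
        print(req["from"], "->", decision(findings), findings)
```

The domain comparison is deliberately lenient: after digit-for-letter folding, `acme-medica1.example` normalizes to the vendor's own domain, and anything within two edits of it is treated as a lookalike rather than as an unrelated third party. An exact domain match is not treated as safe on its own, since the advisory notes that BEC requests often come from genuinely compromised mailboxes; that is why a changed beneficiary account alone is enough to hold the payment.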

Warning signs for this type of activity include the following:[18]

  18. For general warning signs on BEC scams, see FinCEN advisories, FIN-2016-A003, “Advisory to Financial Institutions on E-mail Compromise Fraud Schemes” (September 6, 2016), and FIN-2019-A005, “Updated Advisory on Email Compromise Fraud Schemes Targeting Vulnerable Business Processes” (July 16, 2019).

Suspicious Activity Reporting Information

Instructions for Filing Suspicious Activity Reports (SARs)

Suspicious Activity Report (SAR) filing, together with financial institutions’ effective implementation of due diligence requirements, is crucial for identifying and stopping financial crimes, including those related to the COVID-19 pandemic. Financial institutions should provide all relevant and available data in the SAR and its narrative. Following the instructions below will improve the ability of FinCEN and law enforcement agencies to identify actionable SARs using the FinCEN Query system and to extract information in support of COVID-19-related investigations.

• FinCEN requests that financial institutions cite this advisory by including the keyword “COVID19-CYBER FIN-2020-A005” in field 2 of the SAR (Institution-to-FinCEN Note) and in the narrative, to indicate the link between the suspicious activity being reported and the activities highlighted in this advisory.
• Financial institutions suspecting COVID-19-related fraudulent activity should check all corresponding boxes on the SAR form to indicate a link between COVID-19 and the suspicious activity being reported. For example, if the activity involves an account takeover involving a COVID-19-related ACH transfer, financial institutions may select SAR fields 38a and 38z and note in the “other” box, “COVID-19 account takeover fraud – ACH.”[19]

  19. For additional guidance on detecting account takeover and instructions for filing SARs on the topic, see FinCEN advisory, FIN-2011-A016, “Account Takeover Activity” (December 19, 2011).

• Financial institutions should also include all relevant technical cyber indicators related to cyber events and related transactions on