Advisory on Impostor Scams and Money Mule Schemes Related to the 2019 Novel Coronavirus Disease (COVID-19) (FinCEN Advisory FIN-2020-A003 Spanish)

FIN-2020-A003 July 7, 2020

Advisory on Impostor Scams and Money Mule Schemes Related to the 2019 Novel Coronavirus Disease (COVID-19)

Detecting, preventing, and reporting consumer fraud and other illicit activities related to COVID-19 is vital to our national security, as well as to preserving legitimate aid initiatives and efforts and protecting innocent persons from harm.

This advisory should be communicated to: • Chief Executive Officers • Chief Operating Officers • Chief Compliance Officers • Chief Risk Officers • AML/BSA Departments • Legal Departments • Cybersecurity Departments • Customer Service Agents • Bank Tellers

Suspicious Activity Report (SAR) Filing Request: FinCEN requests that financial institutions cite this advisory in field 2 of the SAR (Institution’s Note to FinCEN) and the narrative by introducing the following key phrase: “COVID19 MM FIN-2020-A003” and select field 34(z) of the SAR (Fraud-Other). Additional guidance for completing SARs appears at the end of this advisory.

Introduction The Financial Crimes Enforcement Network (FinCEN) issues this advisory to alert financial institutions to an increase in medical scams observed during the COVID-19 pandemic. This advisory contains descriptions of impostor scams and money mule schemes, case studies, financial indicators, and red flags in both cases, and information on reporting suspicious activities.

This advisory aims to help financial institutions detect, prevent, and report possible illicit activities related to COVID-19. It is based on FinCEN’s analysis of COVID-19-related information obtained from data provided under the Bank Secrecy Act (BSA), public domain reports, and law enforcement agency collaborators. FinCEN will publish COVID-19-related information to help financial institutions improve their efforts to detect, prevent, and report suspicious illicit activities on its website, https://www.fincen.gov/coronavirus (in English), which also contains information on how to register to receive updated information from FinCEN (in English).

FINCEN ADVISORY 2

Red Flags for COVID-19-Related Impostor Scams and Money Mule Schemes

Consumer fraud includes impostor scams and money mule schemes, in which perpetrators deceive victims by posing as federal government agencies, international organizations, or charitable entities. FinCEN has defined the red flags described below to warn financial institutions about these frauds and help them detect, prevent, and report suspicious transactions associated with the COVID-19 pandemic.

Since no single financial indicator or red flag is necessarily an indication of illicit or suspicious activity, before determining whether a transaction is suspicious or indicative of potentially fraudulent activity related to COVID-19, financial institutions should consider other contextual information and related facts and circumstances, such as the customer’s financial activity history, whether the transactions conform to prevailing business practices, and whether the customer presents multiple indicators. Consistent with the risk-based approach to BSA compliance, financial institutions are also encouraged to conduct additional due diligence and investigations when appropriate. Furthermore, some of the red flags described below may apply to multiple fraudulent activities related to COVID-19.

Impostor Scams

In this type of scam, criminals pose as organizations, such as government agencies, non-profit groups, universities, or charitable entities, to offer fraudulent services or otherwise defraud victims. While impostor scams can take multiple forms, the basic methodology involves a person 1) contacting a target under the false pretext of representing an official organization, and (2) coercing or convincing them to provide funds or valuable information, perform an action that causes their computer to be infected with malware, or spread false information1

1. See the Federal Trade Commission (FTC) Activity Blog, “Seven Coronavirus Scams Targeting Your Business,” (March 25, 2020). . In schemes linked to COVID-19, impostors may pretend to be officials or representatives of the Internal Revenue Service (IRS)2
2. For information on general IRS impostor scams, see the FTC article “IRS Impostor Scams,” (January 2020). , the Centers for Disease Control and Prevention (CDC)3
3. See the Internet Crime Complaint Center (IC3) announcement from the Federal Bureau of Investigation (FBI), “FBI Sees Rise in Fraud Schemes Related to the Coronavirus (COVID-19) Pandemic,” (March 20, 2020). , the World Health Organization (WHO), other healthcare or non-profit groups, and academic institutions.4
4. The FTC maintains links to resources related to scams and current trends it has observed. See “Coronavirus-Related Scams” from the FTC.

FINCEN ADVISORY 3

Perpetrators may use impostor scams to defraud or deceive vulnerable individuals, including the elderly and unemployed, by requesting payments (such as digital payments and virtual currencies), donations, or personal information via email, robocalls, text messages5 5. For information on COVID-19-related impostor scams conducted via text messages or phone calls, see the Federal Communications Commission (FCC) page, “Coronavirus-Related Scams – Consumer Resources,” (May 20, 2020). The FTC and FCC have sent warning letters to multiple Voice over Internet Protocol (VoIP) service providers for allegedly routing fraudulent robocalls related to the pandemic. See the FTC press release, “FTC and FCC Send Joint Letters to Additional VoIP Providers Warning against ‘Routing and Transmitting’ Illegal Coronavirus-Related Robocalls,” (May 20, 2020). , or other communication methods. For example, an impostor may contact potential victims by phone, email, or text message and imply that the victim must verify personal data or send payments to scammers in exchange for benefits or stimulus payments related to COVID-19, including Economic Impact Payments6 6. Economic Impact Payments may be administered in the form of Automated Clearing House (ACH) deposits, U.S. Department of the Treasury checks, or prepaid debit cards. See the U.S. Department of the Treasury (Treasury) press release “Treasury is Delivering Millions of Economic Impact Payments by Prepaid Debit Card,” (May 18, 2020). under the Coronavirus Aid, Relief, and Economic Security Act (CARES Act)7 7. The FTC, the IRS, and the Treasury Inspector General for Tax Administration separately published information on impostor scams, particularly those related to Economic Impact Payments. See the FTC blog, “Do you want to receive your coronavirus economic impact relief check? Scammers do too,” (April 1, 2020) and “Coronavirus checks: flattening the curve of scams:” (April 8, 2020); the IRS newsletter, “IRS Issues Warning on Coronavirus-Related Scams; Beware of Schemes Tied to Economic Impact Payments,” (April 2, 2020) and the IRS Economic Impact Payment Information Center, (April 8, 2020); as well as the Treasury Inspector General for Tax Administration press release, “TIGTA Urges Taxpayers to ‘Be On High Alert’ For Coronavirus Relief Payment Scams,” (April 7, 2020). . Another case involves impostors contacting victims while pretending to be government or healthcare representatives involved in COVID-19 contact tracing activities, implying that the victim must share personal or financial data as part of that effort8 8. See the U.S. Department of Justice (DOJ) press release “U.S. Attorney Warns Public of COVID-19 Contact Tracing Frauds,” (May 28, 2020). . Multiple examples can be cited, including phishing schemes, in which impostors send communications that appear to come from legitimate sources to obtain personal and financial data from victims and possibly infect their devices, by convincing the target to download a malicious attachment or click on fraudulent links.9 9. See the Cybersecurity and Infrastructure Security Agency (CISA) alert from the Department of Homeland Security (DHS) and the UK’s National Cyber Security Centre (NCSC), “COVID-19 Exploited by Malicious Cyber Actors” (April 8, 2020); and the DHS article, “Common Scams: Know How to Spot a Fake.” Additionally, see the WHO cybersecurity article, “Beware of Criminals Pretending to be WHO” (April 2020). See also the FTC blog, “COVID-19 Scams Targeting College Students,” (May 27, 2020); and the DOJ press release, “Federal Law Enforcement Encourages the Public to Remain Vigilant to Covid-19 Scams,” (April 22, 2020).

FINCEN ADVISORY 4

Scammers may also pose as legitimate charities or create fake charitable entities, exploit public generosity, and misappropriate donations intended for COVID-19 response activities.10 10. Multiple U.S. Attorney Offices warn about criminal activity that may exploit legitimate relief initiatives for their own illicit benefit, requesting donations for fake charities or crowdfunding sites. See the U.S. Attorney’s Office for the Southern District of Georgia, “U.S. Attorney Warns of Coronavirus Scams Targeting Vulnerable Victims,” (March 25, 2020); the U.S. Attorney’s Office for the Eastern District of Oklahoma, “Department of Justice Requests Citizens be Aware of And Report COVID-19 Fraud,” (March 24, 2020); and the U.S. Attorney’s Office for the Middle District of Tennessee, “U.S. Attorney and FBI Urge the Public to Report Suspected Fraud Related to Tornado Destruction and COVID-19,” (March 23, 2020). Additionally, the Securities and Exchange Commission (SEC) noted the possibility of charitable investment frauds arising, in which perpetrators falsely claim that investments will provide financial support or medical treatment to those in need, but instead the money is stolen. See SEC investor alerts and bulletins, “Frauds Targeting Main Street Investors -- Investor Alert” (April 10, 2020). See also FTC information on avoiding scams on behalf of charities, “Make Your Donations Count for the Coronavirus Crisis,” (May 5, 2020). To deceive the public, criminals often use methods such as social media accounts, door-to-door fundraising, flyers, mailings, phone and robocalls, text messages, websites, and emails that mimic legitimate charities and non-profit organizations. These operations may include terms such as “relief,” “fund,” “donation,” and “foundation” in their titles to give the impression of being a legitimate organization.11 11. See the FTC article, “How to Donate Wisely and Avoid Charity Scams.”

Since many scammers target customers rather than financial institutions directly, institutions should be alert to possible suspicious activities when interacting with their customers. Below are some red flags for impostor scams:

• A customer indicates that a person pretending to be a representative of a government agency contacted them by phone, email, text message, or social media to request personal or bank account data in order to verify, process, or expedite an Economic Impact Payment, unemployment insurance, or other benefits12 12. For more information on Economic Impact Payments, see the IRS website, “Economic Impact Payment Information Center” (June 30, 2020). . In particular, be alert to communications emphasizing the “stimulus check” or “stimulus payment” in requests to the public, sometimes arguing that the fraudulent entity can expedite the process of obtaining the “stimulus check” or other government payment on behalf of the beneficiary for a fee to be paid via gift card or prepaid card.

FINCEN ADVISORY 5

• Email correspondence containing a subject identified by the government or industry as linked to phishing companies or containing hyperlinks or web addresses to supposed COVID-19 resources with irregular URLs (for example, minimal variations in domain extensions such as “.com,” “.org,” and “.us”). Some examples of email subjects identified by the U.S. Government as COVID-19-related phishing are “2020 Coronavirus Updates,” “Coronavirus updates,” “2019-nCov: New confirmed cases in your City,” and “2019-nCov: Coronavirus outbreak in your city (Emergency).”13 13. See the CISA alert from DHS CISA and the UK’s NCSC, “COVID-19 Exploited by Malicious Cyber Actors,” (April 8, 2020).

FINCEN ADVISORY 6

Money Mule Schemes

A “money mule” is a person who transfers money obtained illegally on behalf of another person or under their direction14 14. See the FBI document, “Money Mule Awareness,” (July 2019). For more information on “money mules” in general, see the FinCEN article, “Updated Advisory on Email Compromise Fraud Schemes Targeting Vulnerable Business Processes,” (July 16, 2019); “FinCEN Analysis: Bank Secrecy Act Reports Filed by Financial Institutions Help Protect Elders from Fraud and Theft of Their Assets” (December 4, 2019); and DOJ, “Justice Department Announces Landmark Money Mule Initiative” (December 4, 2019). . Money mule schemes, including those related to the COVID-19 pandemic, encompass the spectrum of using involuntary, knowing, or accomplice “money mules”15 15. For more information on involuntary, knowing, or accomplice persons participating in money mule schemes, see the FBI document, “Money Mule Awareness” (July 2019). . An involuntary or unaware “money mule” is a person who is unaware that they are part of a broader criminal scheme. The person is motivated by trust placed in a genuine romance, job, or offer16 16. For examples of how an involuntary “money mule” is recruited and used, see idem, p. 4. . A “knowing” money mule is a person who chooses to ignore obvious alerts or acts by deliberately turning a blind eye to their money movement activity. The person is motivated by obtaining a financial benefit or by reluctance to acknowledge the role they play17 17. For examples of how a “knowing” money mule is recruited and used, see idem, p. 5. . An “accomplice” money mule is a person who is aware of their role as a “money mule” and is complicit in the broader criminal scheme. The person is motivated by obtaining a financial benefit or by loyalty to the criminal group18 18. For examples of how an “accomplice” money mule is recruited and used, see idem. . During the COVID-19 pandemic, U.S. authorities detected recruiters using money mule schemes, such as the good Samaritan, romance, or work-from-home schemes19 19. The FBI has published information on how criminals are exploiting the COVID-19 pandemic to steal money, access personal and financial data, and use people as “money mules.” See the FBI press release, “FBI Warns of Money Mule Schemes Exploiting the COVID-19 Pandemic” (April 6, 2020). In work-from-home schemes, for example, recruiters for COVID-19 money mules may approach targets with a false identity of a charity or company, offering a legitimate job and the pretext of providing work-from-home employment. This is often done through internet advertisements or social media, emails, or text messages. When they accept the “job,” the target receives instructions to move funds through bank accounts or to create a new account in their name for the “company.” The target (i.e., the “money mule”) earns money by receiving a percentage of the funds they helped transfer following the “employer’s” instructions. For more information on fraudulent job offers, see the FTC blog, “Are you looking for a job after coronavirus layoffs?” (April 13, 2020). . U.S. authorities also identified criminals using “money mules” to exploit unemployment insurance programs during the COVID-19 pandemic. 20 20. See articles from the Washington State Employment Security Department, “Statement from Commissioner Suzi LeVine on the rise in unemployment imposter fraud attempts” (May 14, 2020) and “Update on imposter fraud from Commissioner Suzi LeVine” (May 18, 2020).

FINCEN ADVISORY 7

Red flags for COVID-19 money mule schemes include the following:

FINCEN ADVISORY 8

Suspicious Activity Reporting Information

Instructions for Filing Suspicious Activity Reports (SARs)

The filing of Suspicious Activity Reports (SARs), along with the effective implementation of due diligence requirements by financial institutions, is crucial to identifying and ending financial crimes, including those related to the COVID-19 pandemic. Financial institutions should provide all relevant and available data in the SAR and in the description. Compliance with the instructions below will improve FinCEN’s and law enforcement agencies’ ability to properly identify actionable SARs using the FinCEN Query system and extract information to support COVID-19-related investigations.

• FinCEN requests that financial institutions cite this advisory by including the key phrase: “COVID19 MM FIN-2020-A003” in field 2 of the SAR (Institution’s Note to FinCEN) and the narrative to indicate the link between the suspicious activity being reported and the activities highlighted in this advisory.

FINCEN ADVISORY 9

• Financial institutions should also select field 34(z) (Fraud-Other) of the SAR as the type of associated suspicious activity to indicate a link between the suspicious activity being reported and COVID-19. Such institutions should include in field 34(z) of the SAR the type of fraud or the name of the scam or product (for example, impostor scams or money mule schemes). Additionally, FinCEN encourages financial institutions to report certain types of impostor scams and money mule schemes in fields 34(1) (Fraud-Mass Marketing) or 38(d) (Other Suspicious Activities – Elder Financial Exploitation) of the SAR, as appropriate based on the suspicious activity. • See the announcement titled FinCEN’s “Notice Related to the Coronavirus Disease 2019” (COVID-19), which contains information on reporting crimes related to COVID-19 and reminds financial institutions of certain obligations stipulated in the BSA.

For More Information

Financial institutions should send their questions or comments regarding the content of this Advisory to the Regulatory Support Section of FinCEN by writing to frc@fincen.gov.

FinCEN’s mission is to protect the financial system from illicit use, and to combat money laundering and promote national security through the collection, analysis, and dissemination of financial intelligence and the strategic use of its financial authorities.