FinCEN Lists Red Flags for COVID-19 Fraud and Cybercrime

By Valentina Pasquali

A financial institution in Virginia recently alerted the Secret Service after growing suspicious of a foreign government’s $320 million payment for what investigators later determined were nonexistent face masks, according to U.S. officials.

The case is one of three that the Treasury Department’s Financial Crimes Enforcement Network cited Monday in outlining transactional patterns that may signal attempts by fraudsters to profit from increased demand for medical supplies amid the global coronavirus pandemic, which has killed more than 90,000 in the U.S. after claiming its first official casualty in China late last year.

Drawing from intelligence, Bank Secrecy Act filings and public information, FinCEN concluded in the 9-page advisory that COVID-19 scams typically take one of three forms: sales of fake tests, vaccines or other alleged cures for the disease; peddling of nonexistent healthcare products or services; and hoarding and price gouging of legitimate goods such as hand sanitizer.

The guidance can help compliance officers notice the schemes as they are occurring, Gregory Lisa, a former senior official with FinCEN, told ACAMS

“The muscle memory of a financial institution’s personnel, training and technology that handles day-to-day compliance isn’t necessarily equipped to handle the convergence of all those issues, especially when dealing with recently-formed remote-working arrangements, staff shortages and other logistical issues,” Lisa, now a partner at Hogan Lovells in Washington, D.C., said.


The financial institution in Virginia, which FinCEN did not identify by name, took action after a business client received a $317 million wire without having first notified the lender that such a large payment was forthcoming, according to the advisory. The client had opened the account only a day before the payment arrived.

The client, a healthcare telemarketer, was acting as an intermediary between a foreign government seeking to purchase more than 30 million face masks and a “conglomerate of doctors” that purported to have 50 million of them ready to ship from Houston.

“The investigation revealed that … Company A [the telemarketer] appeared to be a victim,” FinCEN noted in the advisory. “USSS [U.S. Secret Service] interviewed the Chief Executive Officer of Company B [the seller] who admitted that there were no masks.”

Unusual transactions, especially through newly opened bank accounts, are among nearly two dozen red flags listed by FinCEN in the advisory, alongside the use of personal accounts for commercial purposes, corporate names that slightly vary from those of well-known brands, and payments for medical supplies between firms operating in other industries.

Financial institutions should directly reference the advisory with the code ‘COVID19 FIN-2020-A002’ when submitting suspicious activity reports, or SARs, flagging such schemes, according to the bureau, which said it plans to issue several additional guidance documents to help institutions flag financial crimes directly related to the pandemic.


FinCEN Director Ken Blanco hinted at the possible content of future guidance in online remarks on how cybercriminals have exploited the COVID-19 crisis.

Cryptocurrency firms, for instance, should screen for attempts to access existing accounts with stolen credentials, as well as to submit “deep fakes,” manipulated identity documents, photographs or other visuals to pass due diligence checks while using the names of legitimate clients, Blanco said at the Consensus Blockchain Conference.

Cybercriminals may separately use the disease as bait to embezzle charitable contributions for phony relief efforts or pocket money from vulnerable populations duped into buying medical products and services with little knowledge or information, Blanco said in his May 13 speech, adding that pandemic-related cybertheft appears to frequently involve cryptocurrencies.

Weaknesses in virtual private networks, remote desktop setups and other applications and arrangements that companies and governments have turned to while working remotely also leave those systems susceptible to “wide-scale” attacks, including through phishing, malware, online extortion and business email compromises.

“This type of cybercrime in the COVID-19 environment is especially despicable, because these criminals leverage altered business operations, decreased mobility, and increased anxiety to prey on those seeking critical healthcare information and supplies, including the elderly and infirm,” Blanco said.

Such schemes are hardly new, but the pandemic has made them especially attractive as more and more individuals now transact entirely through digital means, including fledgling companies that may lack the means to handle a sudden spike in new customers.

Firms should refrain from relying entirely on automated processes to onboard customers, said Brian Stoeckert, a partner with Stratis Advisory in San Francisco.

“They should also take steps to understand the activity within 30 days of entering into a new relationship … and continually reevaluate the kind of information they collect at any point in time,” he said.

Topics: Anti-money laundering, Counterterrorist Financing, Info. Security/Cybercrime, Cryptocurrencies
Source: U.S.: FinCEN
Document Date: May 19, 2020