FinCEN has spotted the following indications of Coronavirus-related cyber-crimes for which it hopes financial institutions will watch.

The targeting and exploitation of remote platforms and processes

'Remote' is a word that FinCEN seems to use to mean "away from the office" or perhaps (to use the term the way the Financial Action Task Force generally uses it) "non-face-to-face." No actual definition is given.

Remote identifying processes, which include processes for 'onboarding' customers, verifying their identities and authenticating their identities when they are trying to access their accounts, face two large threats.

• Digital manipulation of identifying documents. Criminals often try to undermine online verification processes by using fraudulent identifying documents, which they can create by manipulating digital images of legitimate government-issued identity documents, altering images and photographs. They typically use either information associated with a real individual’s identity (identity theft) or they create a new fabricated identity that usually consists of a real scrap of identifying information such as a social security number or driver’s license number, with other fake information (synthetic identity fraud).
• Using compromised credentials across accounts. Cyber-criminals commonly undermine weak authentication processes when trying to take accounts over by such means as credential stuffing attacks, where they generally use lists of stolen account credentials (usernames, email addresses, associated passwords) to conduct automated log-in attempts to gain unauthorized access to their victims' accounts.

Financial 'red flags' that pertain to activity of this sort may take the following forms.

• The spelling of names in account information might not match the government-issued identifying documents during the 'onboarding' process.
• Pictures in identifying documents, especially areas around faces, might be blurry.
• Images of identifying documents might have visual irregularities that indicate digital manipulation of the images, especially around information fields likely to have been changed to conduct synthetic identity fraud (e.g. name and address).
• A customer’s physical description on identity documentation might not match other images of him.  
• A customer might refuse to provide supplementary identifying documents or might drag his heels when producing it.
• Customer log-ins might occur from a single device or Internet Protocol (IP) address in many seemingly unrelated accounts, often within a short period of time.
• The IP address associated with log-ins might not match the stated address in the identifying documents, although this is probably de rigeur for a globetrotting HNW.
• Customer log-ins might occur in a pattern of high network traffic with an unusually low number of successful log-ins and an unusually high number of password resets.
• A customer might ring up the bank to change account communication methods and authenticating information, then try very quickly afterwards to conduct transactions to an account into which he has never paid money before.

Phishing, malware and extortion

FinCEN and the police have observed significant increases in broad-based and targeted phishing campaigns, but not ones that are targeted at HNWs. Instead, they seem mainly to be attempting to lure companies, especially healthcare and pharmaceutical providers, with offers of information about the Coronavirus and medical supplies.

Business email compromised schemes

More and more, cyber-criminals have exploited the pandemic by means of these schemes, once again concentrating on the healthcare industry supply chain and not wealth managers. Deliveries of face masks and hand sanitisers are the lure. This is otherwise known as spoofing, the act of disguising a communication from an unknown source as though it is from a known, trusted source. Some time ago in the UK, 'CEO fraud' was in the ascendant, and this certainly did target banks along with the rest of business.