FinCEN issues advisories to provide institutions with guidance on potential threats that may affect the U.S. financial banking system.
By Robin Guthridge, CAMS, CRCM
In September 2016, the Financial Crimes Enforcement Network (FinCEN) updated its Suspicious Activity Report (SAR) Key Advisory Terms to add a new key term. FinCEN periodically issues these advisories to provide institutions with guidance on potential threats that may affect the U.S. financial banking system. The advisories also provide guidance to financial institutions on preparing SARs related to the covered activity. This article will discuss the details of the September 2016 advisory, including SAR preparation tips.

The most recent advisory term addition, email compromise, was prompted by a recent spate of compromised personal and business email accounts. According to the FBI, there have been approximately 22,000 reported cases involving $3.1 billion since 2013. These scams hit not only businesses and individuals, but also financial institutions directly. The scams take two forms: business email compromise (BEC) fraud, in which the cyber criminal targets a financial institution’s commercial customers, and email account compromise (EAC), in which the criminal targets a victim’s personal accounts.
According to FinCEN, email compromise schemes involve three phases. In phase one, the cyber criminal unlawfully accesses a victim’s email account, either by manipulating the victim into giving up confidential identifying information or through computer intrusion. The criminal uses this information to gain access to the victim’s financial institution, account details, and personal and professional contacts. In the second phase, the criminal uses the stolen information to email fraudulent wire transfer instructions to the victim’s financial institution while pretending to be the victim or a trusted employee of the victim. The ruse works because the criminal sends the instructions from the victim’s own email account, so the victim appears to be the originator of the wire. In the final phase, acting on instructions that appear to come from the victim or the victim’s employee, the financial institution is tricked into conducting wire transfers that look legitimate but are in fact unauthorized.
Each key term is directly related to a FinCEN advisory detailing the background and use of the key term. FinCEN Advisory FIN-2016-A003 lists three illustrative BEC and three illustrative EAC scenarios. In the first BEC scenario, the cyber criminal impersonates a financial institution’s commercial customer. The criminal hacks into and uses the email account of an employee of Company A to send fraudulent wire transfer instructions to Company A’s financial institution. Based on this request, Company A’s financial institution issues a wire transfer and sends funds to an account the criminal controls. In this scenario, the criminal impersonating the financial institution’s customer prompted the financial institution to execute an unauthorized wire transfer.
In the second BEC scenario, the cyber criminal impersonates a company executive. The criminal hacks into and uses the email account of an executive of Company B to send wire transfer instructions to an employee of Company B who is responsible for processing and issuing payments. The employee, believing the executive’s emailed instructions are legitimate, orders Company B’s financial institution to execute the wire transfer. In this scenario, the criminal impersonating a company executive misled a company employee into unintentionally authorizing a fraudulent wire transfer to a criminal-controlled account. This scenario has happened to several financial institutions when the president was out on vacation or at a conference and the assistant to the president received a wire request from the president’s email account requesting funds to be transferred to a named beneficiary on behalf of the institution.
In the final BEC scenario, a criminal impersonates one of Company C’s suppliers by emailing and informing Company C that future invoice payments should be sent to a new account number and location. Based on this fraudulent emailed information, Company C updates its supplier’s payment information on record and submits the new wire transfer instructions to its financial institution, which in turn directs payments to an account controlled by the criminal. In this scenario, the criminal impersonating a supplier provided fraudulent payment information to mislead a company employee into unintentionally directing wire transfers to a criminal-controlled account.
FinCEN also provides three EAC scenarios in its guidance. The first scenario involves lending and brokerage services. The cyber criminal hacks into and uses the email account of a financial services professional (such as a broker or accountant) to email fraudulent instructions, purportedly on behalf of a client, to the client’s institution or brokerage, directing it to wire the client’s funds to an account controlled by the criminal.
The second EAC scenario involves real estate services. The criminal compromises the email account of a realtor or an individual purchasing or selling real estate for the purposes of altering payment instructions and diverting funds of a real estate transaction (such as sale proceeds, loan disbursements, or fees). Alternatively, a criminal hacks into and uses a realtor’s email address to contact an escrow company, instructing it to redirect commission proceeds to an account controlled by the criminal.
The third EAC scenario involves legal services. The criminal compromises an attorney’s email account to access client information and related transactions. The criminal then emails fraudulent transaction payment instructions to the attorney’s financial institution. Alternatively, the criminal may compromise a client’s email account to request wire transfers from trust and escrow accounts that the client’s attorney manages.
The FinCEN advisory provides a list of red flags and guidance on how to authenticate a potentially fraudulent email address. The danger of this type of cyber attack is that these transactions are often irrevocable, which renders financial institutions and their customers unable to cancel payment or recall the funds. Therefore, it is important for financial institutions to have procedures in place to identify potentially fraudulent transaction payment instructions before payments are issued.
About the only good news is that, working with the FBI and the United States Secret Service, FinCEN has helped recover hundreds of millions of dollars. The greatest success has come when victims reported unauthorized wire transfers to law enforcement within 24 hours.
Related FinCEN guidance on SAR preparation states that a SAR must be filed for an email compromise if the transaction is attempted or completed and the total amount of loss or potential loss meets the SAR filing thresholds. The thresholds are $5,000 if a subject is identified and $25,000 if no subject is identified. Keep in mind that if the funds transfer request lists a beneficiary, there is a potential subject for purposes of meeting the $5,000 threshold. In addition, it is important that the SAR be completed using the term “email compromise” and that the related BEC or EAC acronym be listed in SAR field 31(z), “Other,” and at the beginning of the narrative. For example: “We are filing this SAR because of email compromise against a business customer (BEC).” The narrative should also provide as much information as possible on the IP addresses associated with the email account, including related timestamps.
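The filing decision and key-term tagging described above, as an added Python example that is not from the article or from FinCEN (the record field names, the exact field 31(z) string and the EAC narrative wording are this example's own assumptions):

```python
from dataclasses import dataclass
from typing import Optional

# Email-compromise SAR thresholds as stated in the article (USD).
THRESHOLD_SUBJECT_IDENTIFIED = 5_000
THRESHOLD_NO_SUBJECT = 25_000

@dataclass
class WireRequest:
    """One suspected email-compromise transfer; field names are constructed for this example."""
    amount: int                  # loss or potential loss, in USD
    attempted: bool              # transfer was attempted or completed
    scheme: str                  # "BEC" (business customer) or "EAC" (personal account)
    beneficiary: Optional[str]   # beneficiary named in the funds transfer request
    other_subject: Optional[str] = None

def subject_identified(req: WireRequest) -> bool:
    # A beneficiary listed in the request is a potential subject, so the
    # lower $5,000 threshold applies even when nobody else is identified.
    return bool(req.beneficiary) or bool(req.other_subject)

def sar_required(req: WireRequest) -> bool:
    if not req.attempted:
        return False
    threshold = (THRESHOLD_SUBJECT_IDENTIFIED if subject_identified(req)
                 else THRESHOLD_NO_SUBJECT)
    return req.amount >= threshold  # "meets the threshold" read as >=

def sar_key_term_fields(req: WireRequest) -> dict:
    """Key-term tagging from the article: the BEC/EAC acronym in field 31(z)
    'Other' and a narrative opening with the term 'email compromise'. The
    exact 31(z) string and the EAC wording are assumptions by analogy."""
    if req.scheme not in ("BEC", "EAC"):
        raise ValueError(f"unknown scheme {req.scheme!r}")
    victim = "a business customer" if req.scheme == "BEC" else "an individual customer"
    return {
        "field_31z_other": f"email compromise ({req.scheme})",
        "narrative_opening": ("We are filing this SAR because of email compromise "
                              f"against {victim} ({req.scheme})."),
    }

# Constructed sample batch: $12k BEC with a named beneficiary (files), $18k EAC
# with no subject (below $25k, does not file), $40k BEC with no subject (files).
SAMPLE = [
    WireRequest(12_000, True, "BEC", beneficiary="Acme Holdings Ltd"),
    WireRequest(18_000, True, "EAC", beneficiary=None),
    WireRequest(40_000, True, "BEC", beneficiary=None),
]
```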
Financial institutions should take advantage of this helpful resource from FinCEN and use the six scenarios as training tools, both internally for employees and externally for business account holders. Furthermore, making sure that SAR preparers and reviewers are up to date on the key terms and use them consistently in the body of the SAR and in the narrative allows law enforcement to track this activity and to identify potential trends when IP addresses or beneficiaries match across filings.
Robin Guthridge has a strong background in Bank Secrecy Act (BSA) compliance, leadership, and sales management. In addition to performing BSA, deposit, and loan compliance examinations for various institutions, she has developed, implemented, and presented annual BSA workshops for Wipfli LLP’s clients and prospects and for various state banking associations. Robin uses her firsthand experience in the financial services industry to provide meaningful insight and helpful recommendations in the areas of BSA and deposit compliance. Robin may be contacted at firstname.lastname@example.org. Learn more about Wipfli by visiting our website, wipfli.com/fi