Compliance Blog

Jul 15, 2020
Categories: FinCen BSA

FinCEN’s Recent Advisory on Imposter Scams and Money Mule Schemes Related to COVID-19

In an attempt to help financial institutions detecting, preventing, and reporting potential COVID19-related criminal activity and scams resulting from the vulnerabilities created by the pandemic, on July 7, 2020, the Financial Crimes Enforcement Network (FinCEN) issued an advisory on Imposter Scams and Money Mule Schemes Related to COVID-19. In the advisory, FinCEN warns financial institutions about potential indicators their members may be victims of these types of scams. It also provides descriptions, financial red flag indicators, and information on reporting suspicious activity.

Financial Red Flag Indicators of COVID-19: Imposter Scams

According to FinCEN, in this type of scam the criminals have been impersonating organizations -such as government agencies and universities- “to offer fraudulent services or otherwise defraud victims.” The agency explains that the basic methodology usually involves the following pattern:

“(1) contacting a target under the false pretense of representing an official organization, and

 (2) coercing or convincing the target to provide funds or valuable information, engage in behavior that causes the target’s computer to be infected with malware, or spread disinformation.”

This last one may include, for example, “the solicitation of payments (digital payments and virtual currency), donations, or personal information via email, robocalls, text messages, or other communication methods.” The advisory explains that scammers have also contacted victims implying they must “share personal or financial information as part of COVID-19 contact tracing efforts.” Some scammers have even taken advantage of the generosity of the public and have embezzled donations aimed to help people affected by COVID-19.

FinCEN provides a list of seven financial red flag indicators of imposter scams, including:

  1.        A customer or member indicating that a person alleging to represent a government agency contacted him or her “asking for personal or bank account information to verify, process, or expedite EIPs, unemployment insurance, or other benefits.”
  2.        A customer or member receiving a document that seems to be a check or a prepaid debit card from the Department of the Treasury, instructing the person “via a phone number or online to contact the fraudulent government agency to verify personal information in order to receive the entire benefit.”
  3.        A customer or member receiving “[u]nsolicited communications from purported trusted sources or government programs related to COVID-19, instructing readers to open embedded links or files or to provide personal or financial information, including account credentials (e.g., usernames and passwords).”
  4.        A customer or member receiving emails with COVID-19 correspondence from email addresses  that “do not match the name of the sender, contain misspellings, or do not end in the corresponding domain of the organization from which the message allegedly was sent.”
  5.        A customer or member receiving emails containing “subject lines that government or industry have identified as being associated with phishing campaigns, or that contains embedded links or webpage addresses for purported COVID-19 resources that have irregular URLs (e.g., slight variations in domain extensions like ‘.com,’ ‘.org,’ and ‘.us’).”
  6.        A customer or member receiving solicitations seeking “donations on behalf of a reputable organization, but is not affiliated with the reputable organization...”
  7.        “A charitable organization soliciting donations that (1) does not have an in-depth history, financial reports, IRS annual returns, documentation of their tax-exempt status, or (2) cannot be verified by using various internet-based resources that may assist in confirming the group’s existence and its nonprofit status.”

Financial Red Flag Indicators of COVID-19: Money Mule Schemes

As explained in the advisory, these schemes generally span the spectrum of using unwitting (a person unaware that he/she is part of the scheme), witting (a person who chooses to ignore red flags), or complicit (a person who is aware) money mules. Some examples of the money mule schemes authorities have detected during the pandemic include the good-Samaritan, romance, and work from-home schemes. FinCEN provided eleven financial red flag indicators of COVID-19 money mule schemes. Such indicators include the following: 

  1.        A member starts receiving transactions that “do not fit his or her transactional history profile, including overseas transactions, the purchase of large sums of convertible virtual currency, or transactions in large fiat amounts, or the account generally had a low balance until the customer became involved in a money mule scheme.  When asked about the changes in transactions, the customer declines requests for ‘know your customer’ documents or inquiries regarding sources of funds, and may mention COVID-19, relief work, or a ‘work-from-home’ opportunity as the source of the income.”
  2.        A member “opens a new account in the name of a business and, shortly thereafter, someone transfers the funds out of the account. The person transferring the funds could be the registered accountholder or someone else and may keep a portion of the money he or she transferred (per instruction of the scammer).”
  3.        A member “receives multiple state unemployment insurance payments to his or her account, or to multiple accounts held at the same financial institution, within the same disbursement timeframe issued from one or multiple states.”

SAR Filing Request

In the advisory FinCEN requested that financial institutions reference the advisory in SAR field 2 (Filing Institution Note to FinCEN) and the narrative by including the following key term:

“COVID19 MM FIN-2020-A003”

By doing so, credit unions would “indicate there is a connection between the suspicious activity being reported and the activities highlighted in this advisory”. Additionally, FinCEN instructs credit unions to “include the type of fraud and/or name of the scam or product (e.g., imposter scam or money mule scheme) in SAR field 34(z)" and “to report certain types of imposter scams and money mule schemes using fields such as SAR field 34(l) (Fraud- Mass-marketing), or SAR field 38(d) (Other Suspicious Activities- Elder Financial Exploitation), as appropriate with the circumstances of the suspected activity.”

Financial institutions are instructed to send any questions or comments regarding the contents of the advisory to the FinCEN Regulatory Support Section at

Some of our member credit unions have been victims of some type of scam during the pandemic. With the rise of scams and illicit activity during COVID-19, credit unions may want to proceed with additional caution when reviewing transactional activity or new accounts, as well as provide training to staff, to ensure all business lines are vigilant and ready to effectively identify and stop some losses when possible.