FinCEN advisory lists financial ‘red flag’ indicators of COVID-19 imposter scams, money mule schemes

Financial institutions were urged to be alert to the financial “red flags” that may indicate COVID-19-related imposter scams or money mule schemes in a Treasury financial crimes enforcement unit advisory Tuesday that also gives instructions on how to report such suspicious activity.

The Financial Crimes Enforcement Network (FinCEN) advisory (FIN-2020-A003), acknowledging that many scammers will be directly approaching consumers, not financial institutions, provides examples of red flag indicators that may help tip off an institution to a fraud being attempted through a customer account. “As no single financial red flag indicator is necessarily indicative of illicit or suspicious activity, financial institutions should consider additional contextual information and the surrounding facts and circumstances,” it notes.

FinCEN notes that in imposter scams, criminals impersonate organizations such as government agencies, non-profit groups, universities, or charities to offer fraudulent services or otherwise defraud victims. In the case of schemes connected to COVID-19, imposters may pose as officials or representatives from the IRS, the Centers for Disease Control and Prevention (CDC), the World Health Organization (WHO), other healthcare or non-profit groups, and academic institutions.

It also noted that during the COVID-19 pandemic, U.S. authorities have detected recruiters using money mule schemes such as good-Samaritan, romance, and work-from-home schemes. They also have identified criminals using money mules to exploit unemployment insurance programs during the COVID-19 pandemic. The advisory notes that the “mule” is someone who – knowingly or not, complicit or not – transfers illegally acquired money on behalf of or at the direction of someone else.

The advisory presents 18 potential red flag indicators of potential imposter scams or mule schemes. Among them:

Imposter scams –

  • A customer indicating that a person claiming to represent a government agency contacted him or her by phone, email, text message, or social media asking for personal or bank account information to verify, process, or expedite EIPs [Economic Impact Payments under the CARES Act], unemployment insurance, or other benefits. In particular, be alert to communications emphasizing “stimulus check” or “stimulus payment” in solicitations to the public, sometimes claiming that the fraudulent entity can expedite the “stimulus check” or other government payment on behalf of the beneficiary for a fee paid by gift card or prepaid card.
  • Receipt of a document that appears to be a check or a prepaid debit card from the U.S. Treasury, often in an amount less than the expected EIP, with instructions to contact the fraudulent government agency, via a phone number or online, to verify personal information in order to receive the entire benefit.
  • Unsolicited communications from purported trusted sources or government programs related to COVID-19, instructing readers to open embedded links or files or to provide personal or financial information, including account credentials (e.g., usernames and passwords).
  • Email addresses in COVID-19 correspondence that do not match the name of the sender, contain misspellings, or do not end in the corresponding domain of the organization from which the message allegedly was sent. For example, government agencies will use “.gov” or “.mil.” Many legitimate charities will use “.org.” WHO emails will contain “” Fraudsters, however, may use “.com” or “.biz” in place of the expected domain.
  • Email correspondence that contains subject lines that government or industry have identified as being associated with phishing campaigns, or that contains embedded links or webpage addresses for purported COVID-19 resources that have irregular URLs (e.g., slight variations in domain extensions like “.com,” “.org,” and “.us”). Examples of U.S. government-identified COVID-19 phishing email subject lines include “2020 Coronavirus Updates,” “Coronavirus Updates,” “2019-nCov: New confirmed cases in your City,” and “2019-nCov: Coronavirus outbreak in your city (Emergency).”

Mule schemes –

  • The customer’s personal bank account starts to receive transactions that do not fit his or her transactional history profile, including overseas transactions, the purchase of large sums of convertible virtual currency, or transactions in large fiat amounts, or the account generally had a low balance until the customer became involved in a money mule scheme. When asked about the changes in transactions, the customer declines requests for “know your customer” documents or inquiries regarding sources of funds, and may mention COVID-19, relief work, or a “work-from-home” opportunity as the source of the income.
  • The customer opens a new bank account in the name of a business and, shortly thereafter, someone transfers the funds out of the account. The person transferring the funds could be the registered accountholder or someone else, and may keep a portion of the money he or she transferred (per instruction of the scammer). While this alone may not be suspicious, it may become so if the individual provides unsatisfactory answers to the financial institution’s inquiries, declines to provide essential “know your customer” documents, or mentions COVID-19, relief work, or “work from home” opportunities as the source of the funds.
  • The customer opens accounts in his or her name at multiple banks so he or she may receive money from various individuals or businesses, then  moves the money to other accounts at the direction of their purported employer.
  • The customer receives multiple state unemployment insurance payments to his or her account, or to multiple accounts held at the same financial institution, within the same disbursement timeframe (e.g., weekly or biweekly payments) issued from one or multiple states.
  • Deposited funds are quickly diverted via wire transaction to foreign accounts located within countries known for having poor anti-money laundering controls.
  • The customer states, or information shows, that an individual, whom the customer may not have known previously, requested financial assistance to send/receive funds through the customer’s personal account, including requests by individuals claiming to be a U.S. servicemember stationed abroad, a U.S. citizen working or traveling abroad, or a U.S. citizen quarantined abroad.

Financial institutions reporting such activity are asked, when preparing their suspicious activity report (SAR), to reference Tuesday’s advisory in SAR field 2 (Filing Institution Note to FinCEN) and the narrative by including the following key term: “COVID19 MM FIN-2020-A003” and select SAR field 34(z) (Fraud – other). The advisory provides further instructions for noting the type of activity being reported.


FinCEN Coronavirus Updates