skip to main content

FinCEN Releases Second Advisory on COVID-19 Illicit Activity, Including New Red Flags for Common Consumer Fraud Scams 

Money Mule

On July 7, 2020, the Department of Treasury’s Financial Crimes Enforcement Network (FinCEN) released its second advisory to financial institutions about detecting and preventing COVID-19 consumer fraud. The guidance provides financial institutions with 18 new red flag indicators to help identify potential imposter and money mule pandemic fraud. FinCEN plans to continue issuing additional advisories about financial crimes related to the pandemic based on evolving trends. 

Red Flags of Potential COVID-19 Fraud 

FinCEN’s second guidance offers red flags for two different types of COVID-19-related consumer fraud:  imposter scams and money mule schemes. Both involve bad actors deceiving victims by posing as federal government agencies, international aid organizations, or other charities. The red flags are drawn from information obtained from Bank Secrecy Act data, open-source reporting, and law enforcement agencies. As with its prior COVID-19 alert, this guidance stresses that these red flags are meant to aid financial institutions in their decision-making and that no one red flag is necessarily indicative of illicit or suspicious activity. Additionally, financial institutions should, consistent with their risk-based compliance programs, seek additional information, and consider customer-specific facts and circumstances before flagging a transaction as suspicious. 

Imposter Scam Red Flags
Imposter scams, where a criminal contacts a victim posing as an official representative of a reputable entity and then coerces or convinces the victim to provide funds or valuable personal information, engage in behavior that infects the victim’s computer with malware, or spreads disinformation, are not new to the COVID-19 era. However, they are becoming prevalent as criminals pose as representatives from the Internal Revenue Service (IRS), Centers for Disease Control and Prevention (CDC), the World Health Organization (WHO), other health care or non-profit groups, and academic institutions. For example, a common scheme involves contacting a person or business under the guise of verifying information or needing to send a payment in order to receive COVID-19 stimulus payments or benefits, such as Economic Impact Payments (EIPs) under the CARES Act or unemployment benefits. Another scheme involves criminals posing as COVID-19 contact tracers and asking for personal or financial information that are ostensibly necessary for contract tracing. 

As imposter scammers generally contact consumers directly, these red flags are designed to help financial institutions spot potential imposter scams when interacting with customers: 

  1. A customer indicating that a person claiming to represent a government agency contacted him or her by phone, email, text message, or social media asking for personal or bank account information to verify, process, or expedite EIPs, unemployment insurance, or other benefits. In particular, be alert to communications emphasizing “stimulus check” or “stimulus payment” in solicitations to the public, sometimes claiming that the fraudulent entity can expedite the “stimulus check” or other government payment on behalf of the beneficiary for a fee paid by gift card or prepaid card.
  2. Receipt of a document that appears to be a check or a prepaid debit card from the U.S. Treasury, often in an amount less than the expected EIP, with instructions to contact the fraudulent government agency, via a phone number or online, to verify personal information in order to receive the entire benefit.
  3. Unsolicited communications from purported trusted sources or government programs related to COVID-19, instructing readers to open embedded links or files or to provide personal or financial information, including account credentials (e.g., usernames and passwords).
  4. Email addresses in COVID-19 correspondence that do not match the name of the sender, contain misspellings, or do not end in the corresponding domain of the organization from which the message allegedly was sent. For example, government agencies will use “.gov” or “.mil.” Many legitimate charities will use “.org.” WHO emails will contain “” Fraudsters, however, may use “.com” or “.biz” in place of the expected domain.
  5. Email correspondence that contains subject lines that government or industry have identified as being associated with phishing campaigns, or that contains embedded links or webpage addresses for purported COVID-19 resources that have irregular URLs (e.g., slight variations in domain extensions like “.com,” “.org,” and “.us”). Examples of U.S. government-identified COVID-19 phishing email subject lines include “2020 Coronavirus Updates,” “Coronavirus Updates,” “2019-nCov: New confirmed cases in your City,” and “2019-nCov: Coronavirus outbreak in your city (Emergency).”
  6. Solicitations where the person, email, or social media advertisement seeks donations on behalf of a reputable organization, but is not affiliated with the reputable organization (e.g., the solicitor is not recognized or endorsed as an employee or volunteer by the organization, the email address is misspelled or not connected to the organization, or the social media advertisement directs individuals to an unaffiliated website).
  7. A charitable organization soliciting donations that (1) does not have an in-depth history, financial reports, IRS annual returns, documentation of their tax-exempt status, or (2) cannot be verified by using various internet-based resources that may assist in confirming the group’s existence and its nonprofit status.

Money Mule Red Flags
In “money mule” schemes, an individual, sometimes unknowingly or unwittingly, transfers illegally acquired money on behalf of or at the direction of a criminal. During COVID-19, law enforcement has observed criminals using money mule schemes, such as good-Samaritan, romance, and work from home schemes. For example, the FBI reports that in common COVID-19 work from home schemes, a recruiter, under a false charity or company label, approaches a target with an offer of home-based employment, usually through social media advertisements or text messages. Once the target accepts “employment,” he is instructed to move funds through accounts or set up a new account in the target’s name for “business purposes.” The target (now money mule) earns money by taking a percentage of the funds transferred at the instruction of his “employer.” 

These red flags are designed to help financial institutions detect potential money mule schemes: 

  1. The customer’s personal bank account starts to receive transactions that do not fit his or her transactional history profile, including overseas transactions, the purchase of large sums of convertible virtual currency, or transactions in large flat amounts, or the account generally had a low balance until the customer became involved in a money mule scheme. When asked about the changes in transactions, the customer declines requests for “know your customer” documents or inquiries regarding sources of funds and may mention COVID-19, relief work, or a “work-from-home” opportunity as the source of the income.
  2. The customer opens a new bank account in the name of a business and, shortly thereafter, someone transfers the funds out of the account. The person transferring the funds could be the registered accountholder or someone else and may keep a portion of the money he or she transferred (per instruction of the scammer). While this activity, in and of itself, may not be suspicious, it may become so if the individual provides unsatisfactory answers to the financial institution’s inquiries, declines to provide essential “know your customer” documents, or mentions COVID-19, relief work, or “work from home” opportunities as the source of the funds.
  3. The customer opens accounts in his or her name at multiple banks so he or she may receive money from various individuals or businesses, then moves the money to other accounts at the direction of the customer’s purported employer.
  4. The customer receives multiple state unemployment insurance payments to his or her account, or to multiple accounts held at the same financial institution, within the same disbursement timeframe (e.g., weekly or biweekly payments) issued from one or multiple states.
  5. The customer’s account(s) receives an unemployment deposit from a different state in which he or she reportedly resides or has previously worked.
  6. The customer’s account receives unemployment insurance payments for numerous employees or the accountholder name and ACH payment “remit to” name do not match.
  7. Deposited funds are quickly diverted via wire transaction to foreign accounts located within countries known for having poor anti-money laundering controls.
  8. The customer makes one or more atypical transactions involving an overseas account, especially through unusual payment methods for the customer. When asked about the transaction, the customer indicates it is for a person located overseas who is in need of financial assistance because of the COVID-19 pandemic.
  9. Documentation from the customer shows that the purported employer or recruiter uses a common web-based, free email service instead of a company-specific email. For example, instead of a company- or organization-specific email address, such as or, the email address is from a common and free email address provider.
  10. The customer provides information that his or her purported employer asked the customer to receive funds into his or her personal bank account, so that the employer can then process or transfer funds via wire transfer, ACH, mail, or money services businesses out of the customer’s personal account.
  11. The customer states, or information shows, that an individual, whom the customer may not have known previously, requested financial assistance to send/receive funds through the customer’s personal account, including requests by individuals claiming to be a:

                       a.    U.S. Service member who is reportedly stationed abroad;
                       b.    U.S. citizen working or traveling abroad; or
                       c.    U.S. citizen quarantined abroad.

Reporting Suspected COVID-19-Related Imposter Scam or Money Mule Activity 

Financial institutions are obligated by the Bank Secrecy Act to report known or suspected criminal and fraudulent activity by filing Suspicious Activity Reports (SARs) with FinCEN. FinCEN’s advisory instructs financial institutions to report suspected COVID-19-related illicit activity and potential scams by filing SARs and to reference the advisory in the SAR by noting “COVID 19 MM FIN-2020-A003” in SAR field 2 (Filing Institution Note to FinCEN) and in the narrative portion and selecting SAR field 34(z) (Fraud – other). This designation will help law enforcement focus in on potential COVID-19-related crime in the increasing number of filed SARs. 

Practice Pointers

  • The advisory highlights the importance of a financial institution’s front-line workers who have direct customer interaction, such as tellers and bankers in branches. Spotting imposter scams depends almost exclusively on obtaining information from customers through careful listening and tactful questioning. Financial institutions should train those employees likely to have customer interactions on these new red flags, as they have done for elder financial abuse red flags, so that they are attuned to the warning signs and need for further investigation to help identify and report these scams. 
  • The advisory reinforces the importance of financial institutions continuing to closely follow CDD and KYC protocols, especially for new customers or new accounts, even when dealing with potential shortages of staff and remote work arrangements. Understanding a customer’s work history and business arrangements is critical to making an informed and accurate risk assessment. 
  • Financial institutions are increasingly asked by FinCEN to report more than suspected federal crimes, Bank Secrecy Act violations, money laundering, and terrorist financing by filing SARs, including elder financial abuse and, now, COVID-19-related scams and schemes. Complying with these additional obligations requires reevaluating existing automated transaction screening processes and investing more resources in human monitoring and intelligence gathering. Financial institutions should evaluate their existing protocols in light of FinCEN’s new guidance and make appropriate adjustments.    
  • These red flags are also helpful for customers and consumers who are evaluating pitches, requests, and other contacts from charities and institutions with whom they do not have a prior relationship. 


Disclaimer: This post does not offer specific legal advice, nor does it create an attorney-client relationship. You should not reach any legal conclusions based on the information contained in this post without first seeking the advice of counsel.