FinCEN, the Financial Crimes Enforcement Network, doesn’t publish too many alerts. In fact, for the first half of 2019, it had published only nine news items. So when it published three on a single day in July 2019 on one subject alone, it’s clear that one subject had gotten its attention.
The focus of this attention is a scheme known as business email compromise, or BEC. FinCEN reports that Suspicious Activity Reports for this area have more than doubled from about 6,000 in 2016 to more than 13,000 in 2018. All told, it is estimated that since 2016, there have been more than $9 billion in possible losses to financial institutions and their customers because of BEC.
Business email compromise is when criminals hack into an email account and then send fraudulent payment instructions to either a financial institution or a business associate of the victims. It can also involve those instances where the bad guys compromise the account of an individual, typically high net worth individuals that routinely use email to make arrangements for payments.
FinCEN previously alerted financial institutions about email compromise schemes involving wire transfers. However, if you’re only keeping an eye on wire transfers, you may be missing some SARs. FinCEN is warning that the schemes are now involving other methods of payment, such as virtual currencies, ACH transfers, and purchases of gift cards.
Victims of BEC fraud include governments, educational institutions, and financial institutions themselves. These cases typically involve criminals who spoof bank domains and send what appear to be legitimate messages between bank employees.
Real estate has been a particularly lucrative target for these criminals. The transactions are typically large dollar volumes, and tend to involve either down payments or the final transfer of proceeds upon closing. Three things that make these types of transactions especially vulnerable is that information about these potential activities is public and readily available, communication about these transactions is typically handled via email, and these types of transactions typically lack strong authentication processes.
So what can your financial institution do?
FinCEN advises financial institutions to assess the vulnerability of their business processes to compromise and figure out what they can do to “harden” their systems against email fraud schemes. This might involve authenticating participating parties of an email communication, taking a closer look at how transactions are authorized, and communicating information and changes about transactions.
If you do identify fraudulent activity, one key to enhance your chances of recovery of funds is to report the loss quickly. Odds are much better if the activity is reported to law enforcement within 24 hours.
What’s more, institutions are encouraged to share the information with other financial institutions under protections of the USA PATRIOT Act. FinCEN advises that sharing this information could help prevent billions of dollars in potential losses to financial institutions and their customers.
So what are the SAR requirements when it comes to BEC? Your financial institution is required to file a SAR if it knows, suspects, or has reason to suspect a transaction was either conducted or attempted that involves or aggregates to $5,000 or more in funds derived from such illegal activities. When it comes to BEC, it doesn’t matter whether or not the transaction was successful. FinCEN’s guidance goes on to identify the transaction and scheme details it is looking for in the SAR narrative, including a description and the timing of the suspicious email communications and who were the impersonated parties.
Greater awareness of business email compromise can help make sure that your financial institution and its customers are less likely to fall prey to this emerging threat and help make sure that your institution is not caught unaware in a regulatory review of your Bank Secrecy Act efforts.