FinCEN Issues Fraudulent Email Scheme Warning

September 8, 2016

The Financial Crimes Enforcement Network (FinCEN) warned companies—including title and escrow companies—to guard against the growing number of email fraud schemes involving wire transfers.

Email compromise fraud schemes occur when criminals compromise the email accounts of victims to send fraudulent wire transfer instructions to financial institutions in order to misappropriate funds. The main types of email compromise fraud include:

  • Business Email Compromise (BEC): Targets a financial institution’s commercial customers.
  • Email Account Compromise (EAC): Targets a victim’s personal accounts.

These schemes are among the growing trend of cyber-enabled crime adversely affecting financial institutions. Since 2013, there have been approximately 22,000 reported cases of BEC and EAC fraud involving $3.1 billion. Earlier this year, the Federal Trade Commission issued a warning about phishing schemes targeting wires for closings. For more, check out the article Cyber Snipers Zero In on Industry.

According to FinCEN, financial institutions and other companies involved in real estate transactions can play an important role in identifying, preventing and reporting fraud schemes by promoting greater communication and collaboration among their internal anti-money laundering (AML), business, fraud prevention and cybersecurity units.

To help guard against a growing number of email fraud schemes the Federal Bureau of Investigation (FBI) and the U.S. Secret Service (USSS) developed a list of red flags that companies may use to identify and prevent email fraud schemes.

Red Flags

  • A customer’s seemingly legitimate emailed transaction instructions contain different language, timing, and amounts than previously verified and authentic transaction instructions.
  • Transaction instructions originate from an email account closely resembling a known customer’s email account; however, the email address has been slightly altered by adding, changing, or deleting one or more characters. For example:

Legitimate email address

    • john-doe@abc.com

Fraudulent email addresses

    • john_doe@abc.com
    • john-doe@bcd.com
  • Emailed transaction instructions direct payment to a known beneficiary; however, the beneficiary’s account information is different from what was previously used.
  • Emailed transaction instructions direct wire transfers to a foreign bank account that has been documented in customer complaints as the destination of fraudulent transactions.
  • Emailed transaction instructions direct payment to a beneficiary with which the customer has no payment history or documented business relationship, and the payment is in an amount similar to or in excess of payments sent to beneficiaries whom the customer has historically paid.
  • Emailed transaction instructions include markings, assertions, or language designating the transaction request as “Urgent,” “Secret,” or “Confidential.”
  • Emailed transaction instructions are delivered in a way that would give the financial institution limited time or opportunity to confirm the authenticity of the requested transaction.
  • Emailed transaction instructions originate from a customer’s employee who is a newly authorized person on the account or is an authorized person who has not previously sent wire transfer instructions.
  • A customer’s employee or representative emails a financial institution transaction instructions on behalf of the customer that are based exclusively on email communications originating from executives, attorneys, or their designees. However, the customer’s employee or representative indicates he/she has been unable to verify the transactions with such executives, attorneys, or designees.
  • A customer emails transaction requests for additional payments immediately following a successful payment to an account not previously used by the customer to pay its suppliers/vendors. Such behavior may be consistent with a criminal attempting to issue additional unauthorized payments upon learning that a fraudulent payment was successful.
  • A wire transfer is received for credit into an account, however, the wire transfer names a beneficiary that is not the account holder of record. This may reflect instances where a victim unwittingly sends wire transfers to a new account number, provided by a criminal impersonating a known supplier/vendor, while thinking the new account belongs to the known supplier/vendor, as described in the above BEC Scenario 3. This red flag may be seen by financial institutions receiving wire transfers sent by another financial institution as the result of email-compromise fraud.

Guidance to U.S. Financial Institutions

FinCEN has partnered with the FBI and the USSS to help financial institutions recover funds stolen as the result of BEC schemes. Through this partnership, FinCEN has successfully assisted in the recovery of hundreds of millions of dollars in the past year. While the recovery of BEC stolen funds is not assured, FinCEN has had greater success in recovering funds when victims or financial institutions report BEC-unauthorized wire transfers to law enforcement within 24 hours.

To request immediate assistance in recovering BEC-stolen funds, financial institutions should file a complaint with FBI’s IC3 at www.ic3.gov, or contact the nearest USSS field office through www.secretservice.gov/field_offices.shtml. Contacting law enforcement for fund recovery assistance does not relieve a financial institution from its Suspicious Activity Report (SAR) filing obligations.

Tips on Filing Suspicious Activity Reports

A financial institution may be required to file a SAR if it knows, suspects, or has reason to suspect a transaction conducted or attempted by, at, or through the financial institution involves funds derived from: illegal activity; attempts to disguise funds derived from illegal activity; is designed to evade regulations promulgated under the Bank Secrecy Act (BSA); lacks a business or apparent lawful purpose; or involves the use of the financial institution to facilitate criminal activity. With respect to email-compromise fraud, a financial institution may have a SAR filing obligation regardless of whether the scheme or involved transactions were successful, and regardless of whether the financial institution or its customers incurred an actual loss, according to FinCEN.

When filing a SAR, financial institutions should provide all pertinent available information, including cyber-related information in the SAR form and narrative. Specifically, providing the following information is highly valuable to law enforcement and FinCEN in investigating BEC and EAC fraud:

Wire transfer details:

  • Dates and amounts of suspicious transactions;
  • Sender’s identifying information, account number, and financial institution;
  • Beneficiary’s identifying information, account number and financial institution; and
  • Correspondent and intermediary financial institutions’ information, if applicable.

Scheme details:

  • Relevant email addresses and associated Internet Protocol (IP) addresses with their respective timestamps and
  • Description and timing of suspicious e-mail communications


Contact ALTA at 202-296-3671 or communications@alta.org.