
FinCEN highlights key red flags for coronavirus pandemic medical scams, cyber-enabled frauds, including fake tests, phantom deliveries


The skinny:

  • FinCEN has highlighted key trends and red flags tied to COVID-19 frauds and stimulus scams, including fake cures, tests and vaccines, fictitious deliveries, masks and more.
  • The U.S. Treasury bureau, and arbiter of the country’s anti-money laundering defenses, also exhorted institutions and individuals to report such schemes as quickly as possible – ideally in less than 24 hours.
  • That way FinCEN has a chance to strike back against more aggressive cyber-enabled frauds, including business email compromise attacks, with domestic and international allies.
  • As a response to the rise in such frauds, scams and schemes, FinCEN stated it has temporarily expanded its “Rapid Response” arm and recouped hundreds of millions of dollars thought lost to criminal groups – a lone bright spot in a pandemic that has taken lives and life savings and hampered the cumulative countercrime efforts of compliance teams, regulators and investigators.
  • FinCEN is also hoping to build on that success with its flurry of COVID-19-related medical scam red flags, including some classic, and other more nuanced tips, such as nudging bank AML teams to sniff out when a company is too new to be able to provide such a depth and breadth of desperately needed supplies – or is simply an illusory shell.

The U.S. Treasury has highlighted key trends and red flags tied to COVID-19 frauds and stimulus scams, including fake cures, tests and vaccines, fictitious deliveries and masks, and exhorted institutions and individuals to report such schemes as quickly as possible – ideally in less than 24 hours.

The Financial Crimes Enforcement Network (FinCEN), the country’s financial intelligence unit (FIU) and administrator of anti-money laundering (AML) rules, stated that haste and urgency should be paramount for financial institutions related to the coronavirus as fraudsters and cyber hacking groups have increased their attacks against banks, corporates and individuals.

In response, FinCEN has expanded its “Rapid Response” group and is more aggressively reviewing tips and suspicious activity reports (SARs) in its AML database, and working more closely with domestic and foreign law enforcement agencies to recover pilfered funds – in one case alone recouping $300 million.

When it comes to various cyber-fueled fusillades, such as business email compromise (BEC) attacks – an attack vector soaring in popularity in recent years and even more potent in the chaos of a global pandemic – FinCEN has successfully assisted in the recovery of approximately $900 million with the assistance of 64 countries.

But to recapture funds stolen from a bank, corporate or person, the bureau has an incredibly short window – something that financial institution fraud, AML and investigations teams must be aware of.

While FinCEN does not ensure recovery of BEC stolen funds, FinCEN has “achieved greater success in recovering funds when victims or financial institutions report BEC-unauthorized and fraudulently induced wire transfers to law enforcement within 24 hours.”

The advisory is also notable for financial crime compliance teams and beyond as FinCEN stated the red flags should be shared in and outside of AML, to the upper echelons of the chief executive and chief compliance officer, to cyber defenders and even frontline staff, including bank tellers and customer service agents.

In a series of missives in recent days, FinCEN has highlighted key trends across banks, AML suspicious activity report (SAR) filings and active law enforcement cases evincing possible COVID-19-related medical scams, including:


  • (1) fraudulent cures, tests, vaccines, and services;
  • (2) non-delivery scams; and
  • (3) price gouging and hoarding of medical-related items, such as face masks and hand sanitizer.


Examples of fraudulent medical services include claims related to “purported vaccines or cures for COVID-19, claims related to products that purportedly disinfect homes or buildings, and the distribution of fraudulent or unauthorized at-home COVID-19 tests.”

Some of these scams may be perpetrated by illicit actors “who recently formed unregistered or unlicensed medical supply companies,” according to FinCEN, a critical clue for AML teams and a quick way to winnow out scammers: see how long the business has been around and scrutinize incorporation documents.  

To read FinCEN’s “Advisory on Medical Scams Related to the Coronavirus Disease 2019,” click here.

To read FinCEN’s “Notice Related to the Coronavirus Disease 2019,” click here.

Financial indicators of these scams may include:


  • History of fraud: U.S. authorities, such as the Federal Trade Commission (FTC), the Food and Drug Administration (FDA), or the DOJ, have identified the company, merchant, or business owners as selling fraudulent products.
  • Web of lies: A web-based search or review of advertisements indicates that a merchant is selling at-home COVID-19 tests, vaccines, treatments, or cures.
  • Make it personal: The customer engages in transactions to or through personal accounts related to the sale of medical supplies, which could indicate that the selling merchant is an unregistered or unlicensed business or is conducting fraudulent medical-related transactions.
  • What’s in a name: The financial institution’s customer has a website with one or more indicia of suspicion, including a name/web address similar to real and well-known companies, a limited internet presence, a location outside of the United States, and/or the ability to purchase pharmaceuticals without a prescription when one is usually required.
  • Image control: The product’s branding images found in an online marketplace appear to be slightly different from the legitimate product’s images, which may indicate a counterfeit product.
  • The price is right: The merchant is advertising the sale of highly sought-after goods related to the COVID-19 pandemic and response at either deeply discounted or highly inflated prices.
  • Card sharks: The merchant is requesting payments that are unusual for the type of transaction or unusual for the industry’s pattern of behavior. For example, instead of a credit card payment, the merchant requires a pre-paid card, the use of a money services business, convertible virtual currency, or that the buyer send funds via an electronic funds transfer to a high-risk jurisdiction.
  • Miscreant merchants: Financial institutions might detect patterns of high chargebacks and return rates in their customer’s accounts. These patterns can be indicative of merchant fraud in general.

Non-delivery scams

In these non-delivery scams, fraudsters often target the most vulnerable and needy operations. Victims can include unsuspecting companies, hospitals, governments, and consumers, according to FinCEN.

These fraudulent transactions occur through “websites, robocalls, or on the Darknet. Some schemes involve shell companies to facilitate transactions.”

In its March warning to the health care industry, the FBI told the medical community to “exercise due diligence and appropriate caution when dealing with unfamiliar vendors and when relying on unidentified third-party brokers in the supply chain.”

Financial indicators of these scams may include:


  • The merchant does not appear to have a lengthy corporate history (e.g., the business was established within the last few months), lacks physical presence or address, or lacks an Employer Identification Number.
  • Additionally, if the merchant has an address, there are noticeable discrepancies between the address and a public record search for the company or the street address, multiple businesses at the same address, or the merchant is located in a high-risk jurisdiction or a region that is not usually associated with the merchandise they are selling.
  • Searches in corporate databases reveal that the merchant’s listing contains a vague or inappropriate company name, multiple unrelated names, a suspicious number of name variations, multiple “doing business as” (DBA) names, or does not align with its business model.
  • The merchant cannot provide shipment-tracking numbers to the customer or proof of shipment to a financial institution so it may process related financial transactions.
  • The merchant claims several last minute and suspicious delays in shipment or receipt of goods. For example, the merchant claims that the equipment was seized at port or by authorities, that customs has not released the shipment, or that the shipment is delayed on a vessel and cannot provide any additional information about the vessel to the customer or their financial institution.
  • The merchant cannot explain the source of the goods or how the merchant acquired bulk supplies of highly sought-after goods related to the COVID-19 pandemic.

FinCEN puts banks, crypto exchanges ‘on notice’ for pandemic fraud intersection

This foray into detailed pandemic-related red flags is not the first effort FinCEN has made to illuminate the intersection of the criminal element and the still-raging coronavirus.

Earlier this month, FinCEN put the virtual value sector on notice that as the COVID-19 pandemic fuels new waves of fraud and hacks, criminals are increasingly using crypto coins and related exchanges to purchase malware packages and reap the profits of phishing, ransomware and other cyberattacks.

These illicit actors are also attempting to make it harder for investigators to uncover and cripple their coronavirus-themed scams and schemes by engaging “anonymity-enhanced cryptocurrencies,” also called privacy coins, and going through “tumblers,” tactics that take advantage of crypto exchanges with weak AML programs.

Those were just some of the criminal trends, compliance vulnerabilities and regulatory focal points highlighted by Ken Blanco, director of the Financial Crimes Enforcement Network (FinCEN), during a virtual Consensus Blockchain Conference.

“FinCEN has observed that cybercriminals predominantly launder their proceeds and purchase the tools to conduct their malicious activities via virtual currency,” Blanco said just weeks ago.  

“Your institutions have the opportunity, and obligation, to help identify these illicit criminal networks in your suspicious activity reporting to FinCEN, so that FinCEN can aggregate and analyze this information to identify red flags, permitting industry to spot risks.”

To read Blanco’s full statement, click here.

The missive tacitly put more pressure on crypto exchanges – and other operations that create, sell or move virtual funds – to ensure they are not inadvertently acting as a gateway for organized criminals and hacking collectives to monetize their more aggressive digital fusillades during the pandemic.
