To view or print PDF content, download the free Adobe Acrobat Reader.
FIN-2011-A016 | |
Issued: | December 19, 2011 |
Subject: | Account Takeover Activity |
The Financial Crimes Enforcement Network (FinCEN) is issuing this Advisory to assist financial institutions with identifying account takeover activity and reporting the activity through the filing of Suspicious Activity Reports (SARs).1
Identifying Account Takeover Activity
Cybercriminals are increasingly using sophisticated methods to obtain access to accounts, including the use of malware (malicious software), SQL injection attacks (SQLIA), spyware, Trojans, and worms.2 These attacks aim to deliberately exploit a customer's account and, in many instances, to gain seemingly legitimate access to another customer's account. Through ongoing monitoring, financial institutions may identify inconsistencies with a customer's normal account activity that indicates illicit intrusions into a customer's account. Such irregularities might include, but are not limited to, unusual ATM activity, clustered Automated Clearing House (ACH) transactions in different geographic areas, sudden wire transfers, or changes to customer and account profiles.
Account takeover activity differs from other forms of computer intrusion, as the customer, rather than the financial institution maintaining the account, is the primary target. Computer intrusion may be defined as gaining access to a computer system of a financial institution to: a) remove, steal, procure or otherwise affect funds of the financial institution or the institution's customers; b) remove, steal, procure or otherwise affect critical information of the financial institution including customer account information; or c) damage, disable, disrupt, impair or otherwise affect critical systems of the financial institution.3 In an account takeover, at least one of the targets is a customer holding an account at the financial institution and the ultimate goal is to remove, steal, procure or otherwise affect funds of the targeted customer.
Suspicious Activity Reporting
If a financial institution knows, suspects, or has reason to suspect that a transaction conducted or attempted by, at, or through the financial institution involves funds derived from illegal activity or an attempt to disguise funds derived from illegal activity, is designed to evade requirements under the Bank Secrecy Act ("BSA"), or lacks a business or apparent lawful purpose, the financial institution may be required to file a SAR.4 When completing SARs on suspected account takeover activity, financial institutions should use the term "account takeover fraud" in the narrative section of the SAR and provide a detailed description of the activity. Financial institutions may wish to take the following examples into account when filling out the Suspicious Activity Information section to further enhance the usefulness of their filings:5