Hack Attempts: BSA Officers Are Not immune

We know that criminals are getting smarter and smarter and the newest hacker attempt just proves that.

An attack vector was reported to us this week from several of our customers whereby a hacker is sending 314(b) information requests with an infected attachment. The message looks something like this:

Hello Amy

My name is Elaine Kirk and I'm BSA/AML officer at Interra Credit Union.

We've got suspicions transfer from your client, and put it on hold.

According section 314(b) of the USA PATRIOT Act we have to report you about potential money laundering.

Please review the attached document with details of this case.

Regards,

Elaine Kirk

BSA-AML Compliance Officer

Interra Credit Union

The grammar police are throwing up major red flags, but this new attack vector shows something even scarier than just bad grammar: a level of sophistication similar to what bank customers and credit union members are already receiving with business email compromise (BEC) and email account compromise (EAC) phishing emails, but now aimed at BSA/AML professionals. The hackers have determined a vulnerable workflow within financial institutions where we want to stop the bad guys by sharing information. Someone studied how we work to safeguard the United States financial system and is using that information for nefarious goals.

How can you protect your institution from these attacks? First of all, be aware that the BSA/AML profession is not immune to these sorts of incidents. Then, follow these four steps:

1. Follow your policies. These policies and procedures around email attachments and links in emails (especially from unknown sources) are in place for a reason. You open your institution up to unnecessary risks by not following these rules.

2. Spread the news. Make sure your staff knows the current phishing scams going around and are aware of what to look for, including email addresses/domains and sender/company names.

3. Pick up the phone. Do an internet search of the emailing institution (make sure they have a legitimate website!), call the main line and ask to speak with the person who emailed you. This way you can verbally verify if they sent the original email.

4. Use common sense. If even one thing seems off about the email (especially basic spelling/grammar), take a deeper look before you click or download anything. If you don’t normally expect an attachment with a specific request or task, don’t download or open the attachment. Trust your gut.

If you have received a suspected phishing email, the FBI Cyber Division is asking you to file a complaint on the IC3 website: https://www.ic3.gov/complaint/default.aspx

Thanks for what all of you do to thwart financial crime and safeguard the U.S.

John Meyer is the Chief Strategy Officer of Abrigo