By John Meyer, Chief Strategy Officer, Abrigo

Phishing BSA Officers

Hack Attempts: BSA Officers are Not Immune

We know that criminals are getting smarter and smarter, and the newest attack attempt proves it.

Several of our customers reported a new attack vector to us this week: an attacker sends 314(b) information requests with an infected attachment. The message looks something like this:

Hello Amy

My name is Elaine Kirk and I’m BSA/AML officer at Interra Credit Union.

We’ve got suspicions transfer from your client, and put it on hold.

According section 314(b) of the USA PATRIOT Act we have to report you about potential money laundering.

Please review the attached document with details of this case.

Regards,

Elaine Kirk

BSA-AML Compliance Officer

Interra Credit Union

The grammar police are throwing up major red flags, but this new attack vector shows something even scarier than bad grammar: a level of sophistication similar to what bank customers and credit union members are already seeing in business email compromise (BEC) and email account compromise (EAC) phishing emails, now aimed at BSA/AML professionals. The attackers have identified a vulnerable workflow within financial institutions: the one where we try to stop the bad guys by sharing information. Someone studied how we work to safeguard the United States financial system and is using that knowledge for nefarious goals.

How can you protect your institution from these attacks? First of all, be aware that the BSA/AML profession is not immune to these sorts of incidents. Then, follow these four steps:

  1. Follow your policies. These policies and procedures around email attachments and links in emails (especially from unknown sources) are in place for a reason. You open your institution up to unnecessary risks by not following these rules.
  2. Spread the news. Make sure your staff knows the current phishing scams going around and are aware of what to look for, including email addresses/domains and sender/company names.
  3. Pick up the phone. Do an internet search of the emailing institution (make sure they have a legitimate website!), call the main line and ask to speak with the person who emailed you. This way you can verbally verify if they sent the original email.
  4. Use common sense. If even one thing seems off about the email (especially basic spelling/grammar), take a deeper look before you click or download anything. If you don’t normally expect an attachment with a specific request or task, don’t download or open the attachment. Trust your gut. 
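As an added example (not part of the original post), here is a small Python triage check that applies steps 2 and 3 mechanically to an inbound message: it flags a 314(b)-style email whose sender domain does not match the institution named in the body, or that carries an unexpected attachment, so the recipient knows to verify by phone before opening anything. The sample message, partner list and domains are constructed placeholders.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the lure quoted above: the body claims one
# institution, but the From: domain belongs to somewhere else entirely.
SAMPLE_EMAIL = """From: Elaine Kirk <elaine.kirk@mail-secure-docs.example>
To: amy@bank.example
Subject: 314(b) information request
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

My name is Elaine Kirk and I'm BSA/AML officer at Interra Credit Union.
According section 314(b) of the USA PATRIOT Act we have to report you.
Please review the attached document with details of this case.
--b1
Content-Type: application/msword; name="case_details.doc"
Content-Disposition: attachment; filename="case_details.doc"

(binary omitted)
--b1--
"""

# Hypothetical allow-list: institutions you actually exchange 314(b) notices
# with, mapped to the domains they really send from (constructed values).
KNOWN_314B_PARTNERS = {"interra credit union": {"interracu.example"}}

# Attachment types a 314(b) notice would not normally arrive as.
RISKY_EXT = {".doc", ".docm", ".xls", ".xlsm", ".zip", ".iso", ".js", ".html"}


def triage_314b_email(raw: str, partners=KNOWN_314B_PARTNERS) -> list:
    """Return reasons this message should be verified out-of-band (empty if none)."""
    msg = message_from_string(raw)
    reasons = []
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    body, attachments = "", []
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            attachments.append(part.get_filename() or "")
        elif part.get_content_type() == "text/plain":
            body += part.get_payload()
    text = body.lower()
    if "314(b)" not in text:
        return reasons  # not a 314(b) lure; outside the scope of this check
    claimed = next((name for name in partners if name in text), None)
    if claimed is None:
        reasons.append("claims 314(b) but names no institution on the partner list")
    elif sender_domain not in partners[claimed]:
        reasons.append(f"sender domain {sender_domain!r} does not match {claimed}")
    for name in attachments:
        if any(name.lower().endswith(ext) for ext in RISKY_EXT):
            reasons.append(f"unexpected attachment {name!r}; confirm by phone before opening")
    return reasons
```

A non-empty result is a prompt to pick up the phone, not a verdict; a matching domain only means the message is consistent with what you expect, not that it is genuine.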

If you have received a suspected phishing email, the FBI Cyber Division is asking you to file a complaint on the IC3 website: https://www.ic3.gov/complaint/default.aspx

Thanks for what all of you do to thwart financial crime and safeguard the U.S.  

John Meyer has been developing solutions to protect and help financial institutions grow for more than 20 years. He has been a critical part of the organization since 2012 when he joined as chief product officer and the company was still known as Banker’s Toolbox. Prior to Abrigo, he was a senior executive with Harland Financial Solutions (now Finastra), where he managed teams providing teller, new account origination, internet banking, item processing, and BSA/CIP solutions for over 2,500 financial institutions. In his early career, John worked for a community bank in Western Pennsylvania. He holds a BS in computer science from the U.S. Military Academy at West Point and an MBA from the University of Washington.