BSA Officials At FIs Targeted By Phishing Campaign


In a reported phishing campaign that began last month, Bank Secrecy Act (BSA) officials at credit unions in the U.S. are said to have been sent emails that appeared to have come from other BSA officers. The emails were reportedly only sent to certain anti-money laundering (AML) contacts, leading some to question if the National Credit Union Administration (NCUA)’s non-public data had been accessed, Krebs On Security reported.

The emails, which were sent to each contact with their names, asked the BSA officers to review a PDF file that was attached to the email to review a transaction. The outlet reported that the file “comes back clean via a scan at,” however, the file’s body was said to include a link to a site that was malicious. It was not clear if any BSA officers had decided to follow the link to the site, according to the report.

The U.S. Treasury Department’s Financial Crimes Enforcement Network (FinCEN) reportedly knows about the emails. It is said to be asking financial institutions (FIs) to ignore them. And, according to the report, “multiple sources” claim that FIs beyond credit unions have received such emails.

The news comes as five federal agencies spoke in October on how credit unions, as well as community banks, can share resources to make BSA compliance streamlined and bolster AML efforts. FinCEN, NCUA, the Federal Reserve Board, the Federal Deposit Insurance Corp. (FDIC) and the Comptroller of the Currency were involved in the discussion.

In a statement at the time, the group said that collaborative arrangements generally are most suitable for banks with a community focus, less complex operations, and lower-risk profiles for money laundering or terrorist financing. The risk profile is bank-specific, and should be based on a risk assessment that properly considers all risk areas, including products, services, customers, entities and geographic locations.