We have spoofing emails that are blocked by Mimecast; do we need to file a SAR for such items? Some get through and we block the email (given our employees are well trained, and given the spoofing emails fall under identity theft).
FinCEN has provided a few pieces of guidance regarding email fraud schemes, most recently updated in 2019 ( https://www.fincen.gov/index.php/resources/advisories/fincen-advisory-fin-2019-a005 ).
“With respect to email compromise fraud involving fraudulent payment instructions, a financial institution has a SAR filing obligation regardless of whether the scheme or involved transactions were successful, and regardless of whether the financial institution or its customers incurred an actual loss.”
This appears to be consistent with the language in the Cyber-Threats Advisory ( https://www.fincen.gov/resources/advisories/fincen-advisory-fin-2016-a005 ), in which the trigger for SAR reporting on a cyber-event revolves around whether the institution “has reason to suspect that a cyber-event was intended, in whole or in part, to conduct, facilitate, or affect a transaction or a series of transactions” and that the series aggregates to $5000 or more, meaning that email spoofing is likely a reportable event.
If you don't have an actual instance of BEC, then you don't need to report. The fact that you received an email, even if it made it past your filters, isn't a reportable offense. That doesn't mean you can't, and shouldn't report if you feel a particular BEC attempt concerns you. However, the overwhelming numbers of BEC make it impossible to report them all.
For COVID-19, Google is blocking 240M emails a day. That is on a single topic. In most companies the amount of spam is ~98% of all email received. In some companies that is millions of BEC emails per day. You can't report the fact it was sent.
You do need to report any actual compromises, but don't try and report every BEC received.