Fake BSA / FinCEN / OFAC SDN sanctions-screening blocked-property lure — "Wire blocked under OFAC SDN sanctions match; submit OFAC license attestation and treasury-attestation within 14 days or funds released to Treasury under specially designated property forfeiture" targeting compliance officers + small-bank BSA staff. 2026 OFAC SDN list churn (Russia / Iran / cartel cross-border) + FinCEN BSA E-File sanctions hits give attackers a real and credible compliance pretext. Highest-stakes (+6) wire-fraud + treasury-attestation pressure cluster. Real OFAC blocked-property notices come through formal Treasury channels (postal letter + ofac.treasury.gov portal with OFAC-license-issued credentials), never via inbound email link demanding attestation upload to forfeit-or-release a wire under 14-day pressure. Distinct from R7/R8 FinCEN BOI (CTA) — this signal is specifically the OFAC SDN / blocked-property / treasury-attestation framing. Source: GC1 R9 multiagent council top-5 P0 (S1 fin specialist).

Fake BSA / FinCEN / OFAC SDN sanctions-screening blocked-property lure targeting compliance officers and small-bank BSA staff. The phish narrative arrives as: "A wire transfer in your account triggered an OFAC SDN sanctions match — funds have been blocked, submit OFAC license attestation and treasury attestation within 14 days or funds released to Treasury under specially designated property forfeiture," or "FinCEN BSA E-File reports a sanctions screening hit — submit OFAC attestation and TFI license to release the wire." 2026 OFAC SDN list churn (Russia / Iran / cartel cross-border designations from the Treasury OFAC office) + FinCEN BSA E-File sanctions hits + the post-Anti-Money-Laundering-Act-of-2020 enforcement uptick give attackers a real and credible compliance pretext. Highest-stakes (+6) wire-fraud + treasury-attestation pressure cluster — combines wire-fraud-pressure SACRED guard, financial-coercion cluster, and high-stakes B2B-compliance scope. Lookalike OFAC / FinCEN / Treasury portals harvest the compliance officer's SSO credentials, the bank's BSA E-File login (catastrophic — gives attackers legitimate-looking access to file fake CTRs / SARs to hide downstream fraud), and the alleged wire details (amount, beneficiary, originator, intermediary banks). Real OFAC blocked-property notices come through formal Treasury channels (postal letter to the bank's designated OFAC compliance officer of record + access via ofac.treasury.gov portal with credentials issued through the OFAC license-application process); FinCEN BSA E-File access uses BSA-issued tokens, never inbound email link demanding attestation upload to forfeit-or-release a wire under 14-day pressure. Distinct from R7/R8 FinCEN BOI (Beneficial Ownership Information / Corporate Transparency Act) — this signal is specifically the OFAC SDN / blocked-property / treasury-attestation / wire-released-to-Treasury framing. Fires when body references OFAC / SDN / specially designated / sanctions hit-screening-match / blocked property / FinCEN / BSA / TFI / wire blocked / treasury attestation AND contains license / attestation / 14 days / forfeit / released-to-Treasury / submit / action-required urgency. Excludes treasury.gov, fincen.gov, ofac.treasury.gov, home.treasury.gov, sanctionssearch.ofac.treas.gov, and the broader .gov umbrella. Auto-classified as danger via the `-spoof` suffix. Source: GC1 R9 multi-agent council top-5 P0 (S1 fin specialist).