How FIs Can Arm Themselves Against a New Era of Cyber-attacks

With financial crimes at an all-time high, the tactics used to commit these crimes have become increasingly more diverse and sophisticated. And of all the various forms of fraud being committed today, those committed through cyber-attacks are proving to be some of the most difficult to tackle – to say nothing of the adverse impact on banks’ reputations caused by these security breaches.

Even banks with robust cyber-security infrastructure can find themselves compromised – and it could easily be months before they realize it. In particular, criminals have increasingly been targeting banks’ payment messaging infrastructure, infiltrating these systems before laying low, studying their behaviors, and using advanced, carefully developed strategies in order to send fraudulent cross-border payment instructions.

Following a series of such attacks, SWIFT conducted a careful study in order to identify the patterns and tactics of these attackers, so that FIs can more readily assess their risk level and be on the lookout for warning signs of potentially fraudulent transactions.

And even banks with lower risk levels aren’t in the clear: although the sending financial institutions ultimately bear the burden – and the costs – of these cyber-attacks, intermediary banks also have a critical role to play in helping to catch these instances of fraud – especially as the speed of transactions increases with the adoption of new technologies.

But just as criminals and attackers work to study and exploit the weaknesses and security gaps of FIs, banks can better defend themselves by gaining a more in-depth understanding of how these criminals operates – and by arming themselves with more advanced tools and lines of defense.

How today’s cyber-attackers are more adept than ever
Today’s financial criminals understand how FIs operate – and they’re anything but hasty. Attackers often infiltrate their targets long before they carry out their crimes. Once they’ve compromised the target’s IT infrastructure, they generally sit quietly for weeks or months, studying the bank’s behaviors in order to gain rich insights into how the particular institution operates. During this reconnaissance phase, attackers will work to identify gaps in security and due diligence, which they can then exploit in order to carry out their crimes under the radar.

When it’s time to carry out their attacks, these criminals tend to insert the fraudulent payment instructions into the FI’s interface GUI. As a result, the messages don’t appear in the bank’s back-office application – and can easily go undetected. And while the messages would show up in end-of-day and start-of-day reconciliation messages, with the speed of today’s cross-border payment transactions, catching a fraudulent payment at this stage could already be too late.

Today’s financial criminals also understand that less is more: instead of sending payment messages for large amounts – which would naturally attract greater scrutiny – they tend to focus on smaller amounts that could be more easily overlooked.

The complexity of the payment path is also an important tool for attackers. Of the cases of cross-border payment fraud studied by SWIFT in 2017 and 2018, all were routed through at least three banks in three different countries. And an overwhelming majority – 83 percent – were routed to beneficiary or mule accounts in Southeast Asia.

The type of message also matters: fraudulent messages are most commonly sent as single customer credit transfers and MT103 messages. And given that the vast majority of cross-border payments are conducted in US Dollars, it should come as little surprise that fraudulent payment messages mirror global currency transfer trends, with the vast majority of them being conducted in US Dollars and Euros.

Who’s most at risk?
The criminals carrying out these kinds of cyber-attacks aren’t looking for a challenge: in other words, they’re less likely to target large, high-profile FIs with robust, top-of-the-line security systems. As a result, most fraudulent cross-border transactions are conducted by targeting smaller banks that process relatively fewer transactions each day. Financial institutions across Africa, the Middle East and North Africa, Central and Southeast Asia, and Latin America face the highest incidence of these attacks.

What can FIs do to better prevent attacks?
In addition to improving their cyber-security systems and infrastructure, there are actually numerous proactive steps that banks can take to better detect and stop cyber-fraud. Here are just a few of the ways that FIs can be more diligent and aggressive in the fight against fraud:

• Use a diverse array of security tools and tactics: having multiple methods for identifying fraud makes it much more likely to catch fraudulent payment messages
• Always check the sources of payment messages: end-to-end authentication is often one of the easiest ways to check that a payment message is legitimate
• Use Daily Validation Reports to consolidate payment messages: SWIFT’s reporting tools help mitigate the risk of lost messages, and can identify unusual or suspicious behavior
• Look for telltale behavioral markers: log-in attempts outside of working hours, user connections for different workstations, and unauthorized changes to access rights can all be signs of a security breach
• Keep updated lists of trusted beneficiaries: for high-value transactions in particular, it’s important to keep a close eye on payment history

And while taking all these steps can be a bit tedious, there are already third-party solutions that can carry out all of these tasks through a single platform, making payment message diligence easier than ever. Best of all, options like this can learn from past behaviors, thus staying one step ahead of cyber-criminals, and helping FIs better maintain their reputations.