In February 2016, Bangladesh Bank was the victim of a widely publicised cyber attack on its infrastructure which was connected to SWIFT. Following the attack, SWIFT launched its Customer Security Programme to drive collaboration in the industry against cyber threats. Three years on, how has it fared? Patrick Brusnahan writes

The quest for collaboration in cyber security continues. At the start of 2018, SWIFT aimed to increase its collaboration with industry experts, for example, anti-virus vendors and incident response teams.

Go deeper with GlobalData

Data Insights

The gold standard of business intelligence.

Find out more

SWIFT claims that these efforts resulted in the quick identification of financial institutions targeted by cyber criminals. Furthermore, it managed to do this before fraudulent transactions were sent.

In SWIFT’s report, Three years on from Bangladesh: Tackling the adversaries, the firm examined the trends observed between 2018 and 2019. These included telltale signs and how they become crucial in detecting and responding to attempted attacks.

Dries Watteyne, head of the cyber security incident response team at SWIFT, said: “SWIFT’s threat intelligence sharing has highlighted the changes to cyber criminals’ tactics, techniques and procedures used in attempted attacks, enabling industry participants to understand, and respond to, the increasingly sophisticated nature of cyber threats.

“It is encouraging that detection rates of attempted attacks are increasing, but we need to be mindful that malicious actors adapt rapidly. The industry must continuously strengthen and diversify its defences, investigate incidents and share information.”

How well do you really know your competitors?

Access the most comprehensive Company Profiles on the market, powered by GlobalData. Save hours of research. Gain competitive edge.

Company Profile – free sample

Thank you!

Your download email will arrive shortly

Not ready to buy yet? Download a free sample

We are confident about the unique quality of our Company Profiles. However, we want you to make the most beneficial decision for your business, so we offer a free sample that you can download by submitting the below form

By GlobalData
Visit our Privacy Policy for more information about our services, how we may use, process and share your personal data, including information of your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.

Brett Lancaster, head of customer security at SWIFT, said: “These cases show how SWIFT solutions including our Daily Validation Reports tool, our Payment Controls Service and the gpi Stop and Recall facility can all have real, positive impact. They also evidence the importance of implementing security controls and of understanding and mitigating against cyber risks presented by counterparties. This is why more and more customers are turning to SWIFT’s KYC-Security Attestation utility to consume that information.”

Targets

SWIFT does not reveal who the main targets are of cyber attacks, but has narrowed it down to a few themes.

In most cases, financial institutions targeted are based in countries with a very high risk level on the Basel AML Country Corruption List. Over the last fifteen months, a large chunk of the attacks targeted firms in Africa, Central Asia, South East Asia, and Latin America.

However, in every case, it was smaller banks in terms of cross-border transactions per day.

In the vast majority of cases investigated, the interface GUI was used to insert the fraudulent transaction. As a result, instructions would not have been present in payment back office applications. Therefore, it would have been detectable through verification of end-of-day/start-of-day statement reconciliation messages.

Amounts

Fraudsters are constantly playing a balancing game. The larger the fraudulent transaction attempted, the greater the reward, but also the larger chance that detection systems are triggered.

Since the incident with Bangladesh Bank, SWIFT believes the amounts sent in individual fraudulent transactions have “evolved”.

The report states: “Up until early 2018, we typically saw per transaction amounts of ten or tens of millions USD, however since then attackers have significantly reduced average per transaction amounts to between $0.25m and $2m – presumably to help avoid detection.”

However, fraudulent transaction amounts tended to be significantly higher than the “average” amounts sent over them in the prior 24 months.

Currencies

Dollars account for the majority of cross-border traffic and, as a result, it was the currency most used in investigated incidents. It accounted for close to 70% of fraudulent messages created since the Bangladesh Bank attack.

However, since the incident, there has been an increased usage of European currencies, such as GDP and EUR. In addition, a small number of Asia Pacific currencies, HKD, AUD and JPY mainly, made up around 5%.

Most the beneficiaries of these attacks were based in Asia Pacific, 83% of them according to SWIFT. The remaining 17% was split across Europe, the Middle East and North America.

The report concludes: “The industry should continuously increase the strength and diversity of its defences and ensure it understands the nature of the changing threat. This means being proactive in limiting criminal opportunities linked to systems and business practices, it means ensuring proper preparedness and understanding counterparty cyber risk.”