According to a new report (“How Banks Are Combating the Rise in SWIFT Cyber Fraud”) from EastNets, the problem of SWIFT fraud may be more widespread and dangerous than originally thought. In the aftermath of the epic $81 million SWIFT fraud attack on Bangladesh Bank in 2016, the SWIFT interbank messaging platform immediately put new safeguards in place in order to neutralize risk. However, EastNets surveyed 200 banks worldwide and found that 4 in 5 of these banks had experienced at least one SWIFT fraud attempt since 2016, and the problem appears to be growing on an annual basis.
Key findings on SWIFT fraud
Despite best efforts by SWIFT to upgrade the security profile of its network, it appears that SWIFT cyber fraud is actually on the rise, not the decline, since 2016. Of those surveyed, 2 out of 3 banks said that SWIFT cybercrime had increased since the Bangladesh Bank incident of 2016. Moreover, only 2 in 5 banks are “very confident” that they have detected every attempt at SWIFT cyber fraud, opening up the prospect that the SWIFT fraud issue might actually be worse than described in the report.
Despite this spike in SWIFT cybercrime activity, most banks and financial services providers are taking a hands-off approach to dealing with this problem. According to the EastNets report, a “significant portion” of the banks surveyed said that they still did not have prevention policies in place to address SWIFT fraud. In many ways, they appear to be relying on the SWIFT network to do all the heavy lifting – or they might simply be burying their heads in the sand, hoping that the problem just goes away.
One problem, says EastNets, is that “insider risk” is on the rise. In other words, hackers on the outside are combining forces with employees at banks in charge of sending or receiving SWIFT payments in order to approve certain financial transactions or to override any red flag signals the security system might be generating. According to the SWIFT fraud report, 1 in 7 banks have experienced at least one SWIFT fraud attempt involving an employee.
While the problem of SWIFT fraud is worldwide, the problem appears to be particularly acute in the Asia-Pacific region. This, of course, was the region where the epic Bangladesh Central Bank fraud took place (which involved accounts the bank had the Federal Reserve Bank of New York). Asia is also a prime destination for “beneficiary accounts” linked to hackers. Of the money stolen from the SWIFT network, 83% is forwarded to beneficiary accounts in Asia, and 10% to Europe. Moreover, the risks involving banks in Asia-Pacific are highlighted by the fact that almost 100% of banks and financial services providers in the Asia-Pacific region using the SWIFT payment network have been victimized at least once by SWIFT fraud. In other words, it’s not a matter of “if” SWIFT fraud is going to occur in Asia, but “when.”
Recommendations and best practices to avoid SWIFT fraud
While the EastNets report paints a dismal picture of SWIFT fraud on a global basis, it also offers a few recommendations, insights and best practices for dealing with this growing problem. For example, EastNets suggests that “internal collaboration” between the various departments of a bank is more important than ever in order to spot fraud. Only 20% of the banks surveyed said that internal departments collaborate “very strongly” to prevent SWIFT cyber fraud.
In addition, the leaders in preventing SWIFT fraud generally tend to use sophisticated software solutions to help spot, detect or monitor suspicious transactions. These sophisticated solutions include behavioral analytics tools and attack simulations. In addition, the leaders in preventing SWIFT fraud also have policies and procedures in place to prevent SWIFT fraud.
SWIFT steps up its security response to prevent fraud
On the surface, the EastNets report would appear to show the SWIFT network, which has over 11,000 financial institutions as SWIFT users, in a very poor light. It would seem to suggest that the entire SWIFT messaging system is broken, and that new, more innovative financial messaging services might be the answer. Just as SWIFT replaced Telex in the mid-1970s due to its more secure messaging and authentication features, is it time for a new system to replace SWIFT? Some security analysts, for example, have suggested that new solutions based around blockchain technology might be the answer.
Yet, SWIFT has actually done a lot to boost the information security of the messaging system for its member banks since 2016. As SWIFT has pointed out in the past, it’s not so much that the system has been “hacked,” but rather, that elaborate social engineering techniques used by hackers have been very effective in manipulating SWIFT messaging protocols. In 2019, SWIFT published a detailed report (“3 Years On From Bangladesh”) that highlighted the changing tactics of cyber attackers in how they send and receive money. At one time, these cyber attackers tried to get fraudulent transactions approved outside of banking hours (e.g. weekends, nights) in order to evade detection. But now banks are much better at spotting these transactions, so cyber attacks have tried to “blend in” during core banking hours. Moreover, cyber attackers are getting much better at targeting smaller sums of money (less than $2 million at a time), rather than amounts in the tens of millions of dollars. Again, it’s all about blending in and evading detection.
In October 2018, too, SWIFT announced a new “Payments Controls” feature that would be very easy to implement and use, and that could be used to monitor and protect core payments across the global financial system. One upcoming feature is even more innovative: “stop and recall” would enable banks to stop a SWIFT transaction and reverse it once they have flagged it as suspicious. This could really reduce cross-border fraud.
Hackers vs. bankers
At the end of the day, the story of SWIFT fraud is once again a story of hackers trying to stay one step ahead of the bankers. Since 2016, it appears that hackers have had the upper hand. EastNets notes that the total size of SWIFT-related combined losses since 2016 is close to $380 million. Going forward, banks and financial industry institutions are going to need to be much more vigilant if they hope to avoid a repeat of the Bangladesh Bank attack that called into question the integrity of the entire SWIFT system.