What you need to know about payment messaging fraud

Electronic financial fraud is a growing and difficult to solve problem: a 2019 KPMG survey found that electronic banking fraud is on the increase around the world. The fraud opportunities presented by the SWIFT messaging system have proven particularly lucrative for sophisticated fraudsters, but financial institutions are lagging in their response.

Indeed, in March 2019 the Reserve Bank of India fined 19 banks that had not sufficiently strengthened internal controls to counter SWIFT messaging fraud risks. In this article, we look at the prevalence of SWIFT messaging fraud and examine how fraudsters manage to steal vast sums using the SWIFT network. Finally, we look at possible protective measures.

What is SWIFT messaging fraud?

In May 2019 SWIFT’s 10,000 members sent, on an average day, 33 million international payment messages instructing a transfer of funds. This large number highlights just how important SWIFT is when it comes to greasing the wheels of finance. Carefully verifying each and every message is impossible and unscrupulous actors have found ways to exploit the SWIFT system.

Criminals have repeatedly taken advantage of weaknesses in an institution’s internal controls to manipulate the SWIFT payment messaging system, transmitting funds to accounts controlled by fraudsters. Successful attempts to involve a mix of opportunistic timing, editing the parameters of a payment message and the quick erasure of tracks in order to hamper the recovery of funds.

Examples of recent SWIFT messaging attacks

The last few years have seen several fraud attempts that involve SWIFT payment messaging, with many attempts leading to large losses for the affected parties. That said, in some cases, the funds were recovered successfully. Three of the most notorious examples include:

In February 2016 fraudsters manipulated SWIFT payment instructions between the Bangladesh Central Bank and the Federal Reserve Bank of New York in an attempt to steal US$1bn. 30 transactions were blocked, but Bangladesh Bank still lost US$81m. Some say this is the most spectacular banking fraud in memory.
Taiwan-based Far Eastern International Bank nearly lost US$60m in October 2017, but a recovery effort ensured losses were limited to $500,000. Hackers infected the bank’s computers with malware and assessed its SWIFT terminal to move funds to the hacker’s accounts. The bank was fined $266,254 by Taiwan’s regulator.
Similar in method to the Bangladesh robbery, Ecuadorian institution Banco del Austro SA lost $12m in 2015. Criminals requested payments which Wells Fargo Bank unintentionally permitted, the fraudulent SWIFT messages sent money to 23 shell companies in Hong Kong and in Dubai.

We’ve listed just a few examples of the payment messaging fraud attempts that were successful. Some are foiled: The NIC Asia Bank Fraud in 2017 saw the bank recover most if the stolen funds. Yet many fraud attempts are never reported as institutions fear reputational damage.

Typical attack vectors

Criminals that attempt payment messaging fraud rely on a range of methods to obtain unauthorized access and to circumvent recovery attempts. It is not as if banks are leaving the electronic keys to the safe unattended, after all – even if institutions are sometimes careless.

SWIFT messaging fraud has thus far not depended on compromising the SWIFT network itself, instead, fraudsters use one or more of the following attack patterns:

Malware and network intrusion. SWIFT terminals are not public, so criminals use malware infections, often delivered via social engineering, to get access to otherwise tightly locked corporate systems. Successful attacks can also involve mundane-sounding tactics such as a printer breakdown, which prevents staff from noticing payments before it is too late.

Internal co-operation. It is not unknown for payment messaging fraud to rely on a rogue, internal actor who enables the cyber-crime. Workers who have institutional credentials can remove evidence and otherwise block the ability of anti-fraud systems to counter an attack.

Manipulating payments. Fraudsters can use forged documents to open accounts reflecting an existing entity. Next, criminals rely on an existing relationship between two companies to facilitate payment from one entity to a fake account opened in the name of another. This can also involve manipulating the actual payment messages.

Timing the fraud. Criminals typically make fraudulent transactions outside of business hours on days that precede an official public holiday. Out of hours activity is less likely to be flagged by staff as fraudulent. Doing so gives fraudsters the opportunity to move funds into safe locations so that authorities cannot recover ill-gotten gains.

Organized cyber-crime. Payment messaging fraud is typically pulled off by sophisticated groups that set up corporate entities to hide stolen funds. Programmers are highly paid, and operations are strategic. This concerted effort makes it possible to commit payment fraud in the first instance and reduces the chances that stolen funds are recovered.

Some regions have known fraud patterns. In the Gulf Region fraudsters often make use of a fake account and impersonation to exploit known relationships between two entities. Often the attempted fraud takes place on a Thursday to take advantage of the local weekend.

What protective measures can institutions take?

The high fines already applied to a number of institutions highlight how fraud prevention is not sufficiently front and center, despite the high risk of payment messaging fraud. Some preventative steps to consider include:

Enforcing internal controls. Many of the payment messaging fraud attempts relied on relatively simple lapses in security. Institutions should practice basic information technology hygiene and stay on top of important points including password security, revoking credentials when employees leave and even physical access control.

Choosing autonomous, continuous fraud prevention. A key tenet of SWIFT messaging fraud is its ability to circumvent human fraud detection. Instead, institutions should deploy a degree of autonomous fraud detection that functions around the clock – even when human fraud detectors are off duty.

Comparing transaction behavior. Institutions and their clients have established transaction patterns. By comparing a transaction against a transaction model, fraud detection systems can judge whether a transaction should be set aside for further investigation, or simply cleared to proceed. Machine learning models are highly adaptable and render minimal false positives.

Segregating data storage. Erasing evidence enables criminals to delay any attempt at recovering stolen funds. In many cases funds are lost permanently simply because the stolen funds were moved beyond recovery. Storing messaging data in a secure location can speed up transaction tracing.

Adjusting sensitivity at pre-defined times. Transaction patterns and indeed fraud activity vary by the day of the week, and the time of the day. Institutions can heighten alert levels at predefined times. This may increase false positives but will be effective in stopping opportunistically timed attacks.