Why Banks — And Corporates — Still Feel The Heat From The SWIFT Hack


It’s been more than a year since Bangladesh’s central bank was attacked by cybercriminals that took away $81 million by infiltrating the bank’s connection to the SWIFT network. Since then, there have been revelations about similar attacks at FIs across the globe, and the blame game began, with some fingers pointing to the bank’s own employees, North Korea and SWIFT itself.

In the attack’s wake, SWIFT released its Customer Security Program, providing its bank clients a set of guidelines to follow and enhance their own cybersecurity capabilities. The largely voluntary recommendations were followed by stronger recommendations and pressures on its bank members to get their cybersecurity measures in place, with 16 security standards becoming mandatory for its members by the second half of the year.

But as SWIFT continues to increase its demands from banks to prevent more cyberattacks, Mike Vigue, Bottomline Technologies Corporate Vice President, says more can — and should — be done.

“What concerns me most about fraud is that the criminals have access to the same technologies that we do to try to stop them,” he recently told PYMNTS. “It’s like a game of leapfrog. You need to stay ahead of the criminals — and they’re sophisticated. They know what they’re doing, they know which software banks have implemented to prevent fraud, so they go after the easiest targets.”

The banks with the weakest security controls — like, apparently, the Bangladesh central bank at the time of the attack — will be hit first and hardest, he said.

That heist was a wakeup call, he added.

While the focus for some time had been on ACH and wire fraud, “no one had really focused a lot on the SWIFT network,” he said. “It was always viewed as particularly secure. Well, last year [the Bangladesh bank heist occurred], people’s eyes were opened. People thought it was the most secure way to transfer funds, and it shocked the world when it happened.”

Last month, Bottomline announced its own response to the threat and introduced a payment fraud solution for its customers who are also members of the SWIFT network. According to the company, the tools will help FIs meet SWIFT’s 16 mandates and then go further to protect themselves.

Vigue pointed to SWIFT’s latest cybersecurity efforts, also announced last month, which he said similarly don’t go far enough. For instance, they’ll be targeting smaller institutions on grounds that they have fewer resources to allocate to cybersecurity — but Vigue said it’s the largest banks that handle more transactions and may be bigger targets. SWIFT will also be looking at the transactions data to help FIs identify instances of potential fraud, but Vigue noted that it’s imperative for anti-fraud solutions to examine the individuals initiating transactions and other contextual information in order to be as secure as possible.

Fraud on the Rise

As companies work out their strategies to combat payments fraud, the latest figures suggest cybercriminals are winning the game so far — especially when it comes to B2B payments.

The Association for Financial Professional’s latest figures found the highest levels of corporate payments fraud in 2016 than ever before. Check and wire fraud remain top threats, but Vigue suggested it’s possible that dynamic may change with the rise of faster and real-time payments.

“I think faster payments will result in a larger number of fraud attempted,” he said, being careful not to declare that faster payments would necessarily result in a larger number of successful fraud attempts. But greater attempts could mean higher fraud rates if banks don’t have the right controls in place, he said. “Whether or not fraud will increase depends on the tools the banks put in place,” he added.

SWIFT is watching the evolution of real-time payments closely, as is the rest of the financial services world. Analysts say B2B payments could see significant impacts from the rise in faster payments, so as B2B payments fraud increases, companies are beginning to wake up to the threat of payments fraud too.

“It’s definitely becoming a top concern when you’re looking at your banking relationships from a corporate perspective,” said Vigue, adding that consumers maybe aren’t taking note of the threat as much. “It’s becoming a corporate boardroom discussion in a lot of organizations. They’re taking a hard look at their banking relationships and making sure they’re with the banks they feel most comfortable with.”