SWIFT On Cybercrime’s Evolution Post-Bangladesh Bank Heist

Three years after fraudsters made off with $101 million from a Bangladesh bank, cyber threats have evolved, according to a new report by SWIFT. The bad guys wait quietly for weeks and months and then strike. They’re also trying to sneak under the radar with lower-value transactions, according to the findings.

Headlines swirling around cyber fraud usually center on the size and scope of heists, where the bad actors make off with breathtaking sums — in the hundreds of millions of dollars. Indeed, one of the more brazen thefts occurred three years ago when hackers took roughly $101 million from the Bangladesh central bank account housed within the U.S. Federal Reserve.

That theft serves as a demarcation point for financial messaging service SWIFT, which, in a report released on Wednesday (April 10), found that fraudsters are trying to make off with smaller amounts of ill-gotten gains to fly under the radar of authorities and financial executives.

In its “Three years on from Bangladesh: Tackling the adversaries” report, SWIFT found that attempted fraudulent transactions now fall in a smaller range, from $250,000 to $2 million. That’s hardly small change, but it is a far cry from the “tens of millions” of dollars that marked past attempts, a threshold SWIFT said had been in place until early last year. The attempts to make off with smaller amounts have been “presumably to help avoid detection,” said the report. The targeted institutions, unnamed in the report, were smaller banks, as measured in cross-border transactions per day.

“The higher the value of the instruction, the higher the risk of triggering fraud-detection systems,” SWIFT said. “Since the cyber incident in Bangladesh, the amounts sent in individual fraudulent transactions [have] evolved, making them harder to detect.”

Tracing The Money Flows

In terms of where the fraudulently obtained money has been going, the report said 83 percent of transactions have been funneled through “beneficiary accounts” tied to banks based in the Asia-Pacific, with another 10 percent in Europe — and all this is just since July 2018. The lenders targeted were in countries that have ranked highly on corruption lists, such as those in Africa and Latin America.

“In each such attack we investigated, most of the transactions issued were handled by one or two receiver banks, and were intended for the same beneficiary country. During the most recent investigations, the number of fraudulent transactions issued averaged around 10 per incident within a two-hour period,” according to the findings.

The Timing Is All

Hackers have also been issuing fraudulent transactions during work hours on business days, a change from when they’d previously been sending messages outside of business hours. Moving toward daytime hours means the fraudulent transactions are being sent across the SWIFT network in the hopes that they will blend in (and be successful) alongside legitimate messages. SWIFT added that the attackers have taken to operating “silently for weeks or months” after penetrating a target financial institution or account, with the idea of gaining insight into patterns or behaviors that will help them get away with fraudulent transactions.

Elsewhere, SWIFT found that the U.S. dollar has accounted for the majority of cyber fraud incidents, which makes sense, given the dollar’s predominance in cross-border transactions. In the report, the data showed that U.S. dollars were used in 70 percent of fraudulent transactions, with the euro in another 21 percent.
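The pattern described above (amounts of $250,000 to $2 million, around 10 transactions inside two hours, one or two receiver banks, a single beneficiary country) can be turned into a monitoring rule on the sending bank's side. The sketch below is an added example, not code from SWIFT or its report; the record layout, bank and country codes, and the `MIN_BURST` and `MAX_RECEIVERS` thresholds are assumptions, and amounts are assumed to be already converted to U.S. dollars.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Amount band and two-hour window come from the article; MIN_BURST and
# MAX_RECEIVERS are assumed tuning values, not figures from SWIFT.
BAND_LOW, BAND_HIGH = 250_000, 2_000_000
WINDOW = timedelta(hours=2)
MIN_BURST, MAX_RECEIVERS = 5, 2

def find_bursts(payments):
    """Flag clusters of in-band payments from one sender to one beneficiary
    country via at most MAX_RECEIVERS receiver banks inside WINDOW. There is
    no time-of-day filter: the bursts described arrive during work hours."""
    groups = defaultdict(list)
    for ts, sender, receiver, country, amount_usd in payments:
        if BAND_LOW <= amount_usd <= BAND_HIGH:
            groups[(sender, country)].append((ts, receiver, amount_usd))
    alerts = []
    for (sender, country), rows in groups.items():
        rows.sort()
        i = 0
        while i < len(rows):
            # rows are time-ordered, so this is the run starting at rows[i]
            window = [r for r in rows[i:] if r[0] - rows[i][0] <= WINDOW]
            receivers = {r[1] for r in window}
            if len(window) >= MIN_BURST and len(receivers) <= MAX_RECEIVERS:
                alerts.append({"sender": sender, "country": country,
                               "start": window[0][0], "count": len(window),
                               "receivers": sorted(receivers),
                               "total_usd": sum(r[2] for r in window)})
                i += len(window)  # skip past the cluster already reported
            else:
                i += 1
    return alerts

T = datetime.fromisoformat
# Constructed sample data; bank and country codes are placeholders.
SAMPLE = [
    (T("2019-03-05 10:05"), "SNDR", "RCVC", "XA", 300_000),    # routine payment
    (T("2019-03-06 10:02"), "SNDR", "RCVA", "XA", 450_000),
    (T("2019-03-06 10:20"), "SNDR", "RCVB", "XA", 980_000),
    (T("2019-03-06 10:30"), "SNDR", "RCVA", "XA", 40_000),     # below the band
    (T("2019-03-06 10:41"), "SNDR", "RCVA", "XA", 1_200_000),
    (T("2019-03-06 11:05"), "SNDR", "RCVB", "XA", 310_000),
    (T("2019-03-06 11:30"), "SNDR", "RCVA", "XA", 1_750_000),
    (T("2019-03-06 11:48"), "SNDR", "RCVB", "XA", 620_000),
    (T("2019-03-06 15:30"), "SNDR", "RCVA", "XA", 500_000),    # hours later
]
```

Because each payment sits below the old "tens of millions" level, the rule keys on the cluster's shape and combined value rather than on any single amount.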