
Attacking the SWIFT Banking System

Fraud is a major concern for banks, but its sharp increase over the past two years has drawn heightened attention from global regulators. Driven by the COVID-19 pandemic and security gaps left by rapid digital transformation, online fraud and scams have surged globally. In 2023, the UK alone recorded losses of over £1.17B due to fraud. Fraudsters have adopted more advanced tactics, including investment scams, online shopping scams, dating scams, and payment redirection scams, where they pose as legitimate businesses to redirect payments to fraudulent accounts. Of the total fraud losses, £485.2M stemmed from authorized push payment (APP) fraud, with purchase and investment scams being the most common types.

While attacks against the SWIFT banking system are fewer in numbers than other types of financial fraud, they average tens of millions of dollars per incident. In this article we will review a recent survey of banks describing an increase in attacks against SWIFT and review several successful heists that leveraged cyber attacks to compromise the SWIFT system.

A Brief Introduction to SWIFT Banking

The SWIFT (Society for Worldwide Interbank Financial Telecommunication) banking system is used by banks and other financial institutions to securely exchange information about financial transactions. Founded in 1973, SWIFT is headquartered in Belgium and serves as a standard communication platform that enables institutions across the world to conduct secure, standardized, and automated messaging for financial transactions. SWIFT is a member-owned cooperative, governed by its member financial institutions.

SWIFT is essential to global commerce, connecting over 11,000 financial institutions in more than 200 countries. As of December 2022, institutions exchanged an average of more than 44 million payment messages per day through SWIFTNet, making it a cornerstone for cross-border transactions. SWIFT plays a critical role in international banking and finance, facilitating over $40 trillion in global payments in 2018 alone.

Increasing Attacks Against The SWIFT Banking System

The majority of banks report an increasing number of cyber attacks related to their SWIFT system.

  • Since 2016, over 80% of banks in the U.S. and Europe, 90% of those in GCC countries, and 100% of Asia-Pacific banks have experienced cybercriminal attempts to misuse the SWIFT messaging network for cross-border fraud

  • A significant majority (84%) of SWIFT-related fraud attempts were cyberattacks carried out through computer hacking

  • Roughly 14% of banks reported insider involvement in SWIFT fraud

  • Fewer than half of the banks feel "very confident" in detecting all SWIFT fraud attempts since 2016

  • Two-thirds of banks report an increase in SWIFT cyber fraud attempts since 2016

  • Approximately 20% of banks lack fundamental policies to counteract SWIFT fraud, including principles like least-privilege access and user-behavior monitoring

Historical Cases of Fraud Using the SWIFT Banking System

Let's cover some of the most prominent cases of fraud against the SWIFT banking system. 

  • $12.2M from Banco del Austro, or BDA, in Ecuador (2015): Attackers gained remote access to BDA's systems outside of normal hours, and used stolen SWIFT credentials to impersonate the bank. They then sent fraudulent SWIFT instructions to Wells Fargo, authorizing transfers totaling $12.2M to accounts in locations like Hong Kong, Dubai, and Los Angeles. BDA blamed Wells Fargo for not flagging the transactions, arguing that the unusual timing and large amounts should have triggered alerts.

  • $1.36M from Tien Phong Commercial Joint Stock Bank, in Vietnam (2015): Attackers compromised Tien Phong's internal environment, establishing unauthorized access. Once inside, attackers obtained valid operator credentials with high-level permissions to create, approve, and send SWIFT messages from the bank’s systems. The attackers then impersonated authorized bank personnel, enabling them to submit fraudulent SWIFT transactions without raising immediate suspicion. To further mask their activities, the attackers covered their tracks by deleting or manipulating logs and records to avoid detection.

  • $81M from the Central Bank of Bangladesh (2016): Attackers infiltrated the bank's computer network and installed custom InfoStealer malware. They then issued 35 fraudulent SWIFT transfer requests to the Federal Reserve Bank of New York, aiming to transfer $951M. The attackers disabled the Bangladeshi bank’s SWIFT-connected printer, which automatically printed records of transactions, so that bank employees received no notification of the fraudulent transfers. The attack was carefully timed: it began just before Bangladesh's weekend, which falls on Friday and Saturday, to delay detection at the sending bank, and it coincided with the Chinese New Year holiday, further slowing the response of the recipient Filipino bank. The stolen funds were quickly laundered through casinos and foreign exchanges in the Philippines. Investigations linked the attack to North Korea's Lazarus Group.

  • $4.4M from NIC Asia Bank (2017): Hackers compromised the bank’s SWIFT server and installed malware during a holiday, then initiated fraudulent transfers to accounts in multiple countries, including the U.S., U.K., Japan, and Singapore. The attackers exploited SWIFT credentials to send unauthorized payment orders via intermediary banks. Immediate action by the Central Investigation Bureau of Nepal and coordination with the central bank helped NIC Asia Bank recover around $3.9M. An investigation revealed that staff had misused a computer dedicated to SWIFT operations, leading to tighter security protocols.

  • $60M from Far Eastern International Bank (FEIB) (2017): Attackers compromised the bank’s SWIFT-connected systems by deploying a range of malware to access its SWIFT terminal and initiate fraudulent transfers. Using stolen administrative credentials, they issued SWIFT messages to transfer $60M to accounts in the U.S., Cambodia, and Sri Lanka. To delay the bank’s response, they deployed Hermes ransomware as a distraction across the network. Other malware included Bitsran, which spread across devices and disabled antivirus processes. The attacks were again linked to North Korea's Lazarus Group. Weak endpoint security and access controls allowed the attackers to infiltrate, maintain persistence, and exploit the bank's SWIFT system. The attackers initially stole $60M; however, most of the funds were recovered, leaving around $3M unaccounted for.

Using SWIFT Payment Controls (PCS) to Prevent Fraud

Here is a set of key security controls provided by SWIFT's Payment Controls to help prevent fraud. These controls allow financial institutions to leverage both internal and network-wide insights, increasing their ability to detect, block, and respond to fraud effectively across accounts and transactions.

  • Anomaly Detection on Repeated Payments: Identifies suspicious transactions by flagging repeated payments of the same amount and currency between accounts, helping detect potential fraud or human errors.

  • Monitoring of New Accounts: Detects transactions involving newly established accounts on the SWIFT network, which may signal fraud or operational mistakes, such as errors in beneficiary account details.

  • Account-Based Network Insights: Uses anonymized account-level data from the broader SWIFT network to detect unusual account behavior, which can reveal fraud patterns not visible to individual institutions.

  • Real-Time Screening and Blocking: Screens outgoing SWIFT ISO 20022 messages (e.g., MT103, MT202) based on configured rules, allowing for real-time interception of suspicious payments to prevent financial or reputational damage.

  • Customizable Rules Based on Risk Appetite: Institutions can configure specific rules aligned with their risk tolerance, business objectives, and payment policies, creating tailored detection parameters.

  • Hosted Solution for Security Resilience: Operates independently from institutions' internal systems to provide protection in case of a cyberattack or operational disruption.

  • Behavioral Pattern Learning: Uses intelligent technologies to learn transaction patterns over time, continually improving fraud detection capabilities.
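To make the rule-based screening concrete, here is an added example (not SWIFT's Payment Controls code) that applies three of the rule categories above, repeated payments, new beneficiary accounts, and large out-of-hours amounts, to a constructed batch of simplified payment records. The record fields, thresholds and account names are assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Constructed, simplified payment record (not a real MT103): only the fields the rules need.
@dataclass(frozen=True)
class Payment:
    ref: str
    sent_at: datetime   # time the operator submitted the instruction
    debtor: str         # ordering account
    creditor: str       # beneficiary account
    amount: float
    currency: str

# Hypothetical institution policy; the thresholds are assumptions, not SWIFT defaults.
POLICY = {"business_hours": (8, 18), "large_amount": 1_000_000.0, "repeat_limit": 2}

def screen(payments, known_creditors):
    """Return {ref: [rule names]} for every payment that trips at least one rule:
    repeated identical payments, a never-seen beneficiary, or a large amount
    submitted outside business hours (the pattern in the Banco del Austro case)."""
    flagged = {}
    pair_counts = Counter()              # (debtor, creditor, amount, currency) -> count
    seen = set(known_creditors)          # beneficiaries with prior history
    for p in sorted(payments, key=lambda p: p.sent_at):
        hits = []
        key = (p.debtor, p.creditor, p.amount, p.currency)
        pair_counts[key] += 1
        if pair_counts[key] > POLICY["repeat_limit"]:
            hits.append("repeated_payment")
        if p.creditor not in seen:
            hits.append("new_beneficiary")
        seen.add(p.creditor)
        start, end = POLICY["business_hours"]
        if not (start <= p.sent_at.hour < end) and p.amount >= POLICY["large_amount"]:
            hits.append("out_of_hours_large_amount")
        if hits:
            flagged[p.ref] = hits
    return flagged

# Constructed batch: a routine payment, a burst of identical payments, and a large payment at 02:00.
SAMPLE = [
    Payment("REF1", datetime(2024, 5, 6, 10, 0), "ACC-A", "ACC-KNOWN", 25_000.0, "USD"),
    Payment("REF2", datetime(2024, 5, 6, 11, 0), "ACC-A", "ACC-B", 50_000.0, "USD"),
    Payment("REF3", datetime(2024, 5, 6, 11, 5), "ACC-A", "ACC-B", 50_000.0, "USD"),
    Payment("REF4", datetime(2024, 5, 6, 11, 9), "ACC-A", "ACC-B", 50_000.0, "USD"),
    Payment("REF5", datetime(2024, 5, 7, 2, 0), "ACC-A", "ACC-NEW", 4_500_000.0, "USD"),
]
def demo():
    return screen(SAMPLE, known_creditors={"ACC-KNOWN", "ACC-B"})
```

In a real deployment the flagged references would be held for a second approver rather than released, which is the "block" half of real-time screening.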

Conclusion

Fraud within SWIFT banking has grown significantly, fueled by vulnerabilities exposed through digital transformation, insider attacks, and nation-state APT actors. Though SWIFT-specific attacks are fewer, they are highly impactful, with incidents averaging millions per heist. This article reviews recent survey findings on rising cyberattacks targeting SWIFT and examines notable cases, including the Bangladesh, Banco del Austro, and NIC Asia Bank heists, where attackers exploited SWIFT vulnerabilities. Enhanced by complex malware and insider access, these heists demonstrate the critical need for robust fraud prevention tools and swift response protocols to safeguard the SWIFT network.
