Report a security issue
Identifying fraudulent transactions
SWIFT is aware that scammers fabricate fictitious payment confirmations, letters of credit or other financial documentation to mislead and defraud their victims.
In some of these scams, fraudsters encourage corporates and banks to partner with them based on forged documents, including transcripts or prints of messages purporting to have been transferred over SWIFT. We have seen scammers attach such forged message scans or materials as PDFs to their emails, or insert them into other documents. SWIFT presents examples of such fraudulent materials in the SWIFT ISAC Bulletins 10105 and 10111.
In other cases, we have seen authentic messages being misused or misrepresented to further scammers’ fraudulent aims. SWIFT describes fraudulent patterns in a number of SWIFT ISAC Bulletins, amongst which Bulletin 10133 (“Trade Finance Trickery”).
If you have any doubts about a transcript or print of a message (allegedly) sent over SWIFT, we recommend that you consult the financial institutions identified as sender or receiver of that message or otherwise referred to in the transaction. Financial institutions connected to SWIFT are able to confirm whether they sent or received a specific message over SWIFT and, more generally, can advise about the nature of transactions.
If the financial institution is identified by their Business Identifier Code (BIC), you may consult the Online BIC Directory (www.iso9362.org) to identify the financial institution concerned.
SWIFT customers shall contact Customer Support in case of a (suspected) forged SWIFT message or, more generally, in case of doubt about any documentation allegedly issued by SWIFT.
If you want to know whether an organisation is a SWIFT customer and has access to the SWIFT messaging network, please write to firstname.lastname@example.org. Please note that this address is reserved exclusively for such requests; other types of requests sent to this address will not be answered.
How to report a security issue or vulnerability to SWIFT
At SWIFT, our priority is the confidentiality, integrity and availability of our services. Our dedicated specialists work around the clock to optimise and secure our systems.
But, alongside our continued efforts around security, the threat landscape evolves daily and there will always be new types of threats against which the community needs to safeguard. Both SWIFT and its customers must remain constantly vigilant and proactive to counter the threats to our common security.
Have you discovered a vulnerability in our systems? Please help by reporting it to us so that we can improve the security of our systems together.
We will only use your personal information in accordance with the SWIFT Privacy Statement.
You can report your findings by sending an e-mail to email@example.com
We recommend that you secure your email transmission by using the following public PGP key.
In addition, we ask that you:
- Describe your finding as clearly and completely as possible.
- Provide any supporting information, material or attachments to support and validate your finding, to allow us to recreate or reproduce it as quickly and efficiently as possible.
- Describe the likely or potential consequences of your finding.
- Suggest mitigations or workarounds if possible.
- Keep all information and communication regarding your finding confidential, and do not disclose it to anyone outside of SWIFT.
- Do not engage in any activities that will adversely affect the confidentiality, integrity, or availability of the systems that relate to your finding.
A team of security experts will investigate your finding and you will receive a confirmation receipt of your email within one working day.
We value your contribution and thank you in advance.