Modus operandi of a cyber-attack

22 May 2019 | 3 min read

Cybercrime is big business. Take a look at the steps taken by fraudsters to perpetrate a cyber attack.

The global impact now exceeds $450 billion a year as crime, extortion, blackmail and fraud move online.

And as technology becomes more sophisticated, so do hackers and the tools they use to get their hands on sensitive data. Criminals are targeting the systems and operating software of businesses, governments and key infrastructure in a coordinated and systematic manner.

The financial services industry is a routine target for cyber criminals, more so than any other. Over the past few years, we’ve seen a rise in cyber-attacks and data breaches, as cyber criminals successfully infiltrate companies using everything in their toolkits - from malware and ransomware to social engineering tactics.

There has been a 1,700% increase in cyberattacks reported to the FCA since 2014.

Source: Financial Conduct Authority

Banks under attack

There have been numerous attempted cyber-attacks aimed at manipulating bank payment systems - often with a similar modus operandi. These attacks are followed by compromises of the bank's systems over a period of many months, allowing attackers to become familiar with the bank's security defences and the best cash-out channels.

Cyber criminals seek to corrupt the local environment and payment processes of financial institutions by obtaining valid operator credentials and injecting fraudulent transactions directly into back-office systems. This compromises the back office itself and defeats the very business controls that would ordinarily prevent fraudulent activity.


What is the modus operandi of a cyber-attack?

Cyber attackers don’t want you to understand what they’re doing. The less you know, the more opportunity they have to fraudulently extract funds from your organisation. A skilled and determined cyber criminal can use multiple entry points to navigate around defences, breach your network in minutes and evade detection for months.

This is how they do it.

1. Reconnaissance and compromise 

The initial reconnaissance period prior to an attack involves criminals researching and gathering information about the target organisation. They look for network ranges, IP addresses and domain names. Attackers also try to find the email addresses of key players in an organisation, or identify vulnerable employees by sending phishing emails. They also scan for network vulnerabilities. These activities can take months, but the attackers are patient.  


2. Obtain credentials

After accessing the network, criminals try to infiltrate further into the network by acquiring access privileges. Attackers use various tools to help them steal credentials, allowing them to upgrade their access to administrator level, and penetrate back-office and operational networks silently. 


3. Submit fraudulent messages

Attackers infiltrate the network using malicious programmes that allow them to hide in multiple systems and inject malware into critical systems. At this point, they can start to submit fraudulent payment instructions by impersonating an operator or approver. 


4. Hide evidence

Once fraudulent payments have been sent, attackers proceed to cover their tracks, hiding evidence of their actions. Using various tools and techniques, they delete or manipulate records, and corrupt systems to confuse forensic experts.