A central facet in the detection of and response to attempted fraud is an up-to-date understanding of the recent trends in cyber-attacks. While the exact methods used in attacks vary, there are tell-tale signs that, if properly understood by both the business and security functions, will help financial organisations spot and stop an attack before suffering financial losses.
This is why SWIFT launched its Customer Security Programme (CSP) in 2016 to provide a forum for industry-wide collaboration against the growing threat from cyber-attacks and to help reinforce and safeguard the security of the wider ecosystem. Through collaboration with industry experts, including anti-virus vendors and incident response teams, we have been able to quickly identify many financial institutions targeted by cybercriminals – in most cases before fraudulent transactions were even sent.
The resulting, anonymised information is then shared in regular updates to the financial community through the SWIFT Information and Analysis Centre (ISAC). Through these initiatives, we issue regular updates on how the tactics, techniques and procedures (TTP) of cyber attackers have progressed, providing valuable insights into how cyber prevention and detection measures should evolve to reduce risk and improve fraud detection and prevention.
The main TTP characteristics identified on the ISAC relate to:
- the evolution in the location of banks targeted by cybercriminals
- the amounts attempted per fraudulent transaction
- reconnaissance practices of attackers
- the timing of attacks to try and avoid detection
- the currencies attackers find most attractive
- the regional locations of the compromised or “mule” accounts used in attempted frauds.
The importance of strong correspondent relationships
While most attacks can now be identified (and stopped) in the preparation phase, in a small number of attempted attacks, fraudulent cross-border payment instructions are successfully issued by attackers from inside the financial institution’s systems. Even then, however, many of these fraudulent instructions can be stopped thanks to the intervention of correspondent banks along the payment chain.
This evidences how, whilst fraud and cyber detection measures are first and foremost the originator’s responsibility, financial institutions involved across the payment flow can also play important roles in identifying and detecting fraud. This role has become increasingly important as the speed of cash pay-outs continues to increase. Indeed, in some cases, cash pay-outs have taken place within a matter of hours of the initial attack.
In addition to playing an active role in SWIFT’s CSP and CSI initiatives, financial institutions should ensure they adopt the appropriate tools and technology to reduce the risk of successful cyberattacks.
SWIFT’s Payment Controls Service was launched in 2018 to help our customers improve their response to cyber threats. The service allows financial institutions to monitor and report on their payments in real time, giving them a fuller overall understanding of their payments’ behaviour.
Financial institutions use Payment Controls to create simple alerting rules that screen for and stop payments that fit particular combinations of amounts, currencies, corridors or countries. These flagged payments require extra confirmation to ensure they are not the result of an attack on the bank.
Payment Controls enable the better enforcement of organisational risk policies and allow financial institutions to adapt their rule configuration as transaction patterns and potential risks evolve over time. These flexible rules are based on the global intelligence gathered through the CSP and CSI programmes and can be easily be adjusted to ensure that Payment Controls can quickly become a key part of an institutions defences.
Validate your activity to guard against deleted internal records
Daily Validation Reports from SWIFT are another way to spot suspicious payment flows quickly. These mitigate the risk of lost records - where an attacker has deleted evidence of their fraudulent payments - by providing independent daily activity and risk reporting of your previous day’s inbound and outbound SWIFT transactions. This allows financial institutions to validate their daily payments activities, assess any uncharacteristic transactions and review and investigate potentially risky flows. Reports are delivered via a separate online channel, direct to compliance or operations teams for monitoring
Despite recent successes in detecting and preventing attacks, it is critically important for industry participants and their security partners to understand how the attackers continue to evolve, and just how quickly they are able to adapt their attack patterns to avoid detection.
SWIFT’s unique position within the financial community has given us detailed up-to-date knowledge about the threats facing the industry. We actively share this knowledge through our community programmes and continue to design and enhance effective tools to help spot, stop and defend against attacks before they happen.