Reducing fraud is one of the most challenging aspects of the modern financial ecosystem. Cybercriminals continue to adapt their tactics and procedures to gain access to the intricate and highly secure systems of financial institutions. More than ever, payment systems are being targeted by threat actors, and it is vital to understand the various attack methods and behaviours to keep your institution safe from fraud.
Below we define some of the most common types of fraud, and look at how cybercriminals use social engineering techniques to hack into financial institutions’ payment systems.
1. Institutional payments fraud
Institutional payments fraud involves attacks performed by external parties on a financial institution’s payments infrastructure by installing malware, either remotely or by using the institution’s own staff.
Institutional payments are an attractive vehicle for criminals due to the speed and finality of settlement. Once a payment is made and settled, it’s very hard to recoup any losses. While the overall frequency of institutional payment fraud is lower, the impact is significant both in terms of the amount of funds at risk and the potential reputational damage for the attacked institution.
2. Insider fraud
Insider fraud is committed by an employee or contractor of an organisation or company. Through access to business data and systems, insider fraud often begins with small amounts and, if undetected, increases over time.
Insiders can be recruited by hacker groups or individual cyber criminals, or, in rare cases, can work alone. The motivations of insiders can vary: they may be exploited because of financial hardship, or they may have a grievance with the institution they are attempting to defraud.
To guard against insider fraud, employ a four-eyes principle across your payment flows – where payments must be approved by more than one member of the team. You can also use intelligent solutions and tools to flag and intercept suspicious payments.
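As an added illustration of the four-eyes principle described above (example code written for this page, not a SWIFT product or the institution's own logic), the check below refuses self-approval, duplicate approval and approval by users outside the approver group, and requires a second approver above an assumed high-value limit. The approver names and the threshold are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed sample directory of who may approve payments (assumption, not real data).
APPROVERS = {"bob", "carol", "dave"}

# Assumed policy thresholds: one extra pair of eyes for ordinary payments,
# two additional approvers at or above a high-value limit.
HIGH_VALUE_LIMIT = 100_000.0


@dataclass
class Payment:
    payment_id: str
    amount: float
    beneficiary: str
    initiator: str
    approvals: list = field(default_factory=list)


class FourEyesViolation(Exception):
    """Raised when an approval would break separation of duties."""


def required_approvals(amount):
    """Number of approvers, distinct from the initiator, that must sign off."""
    return 2 if amount >= HIGH_VALUE_LIMIT else 1


def approve(payment, user, approvers=APPROVERS):
    """Record an approval, refusing self-approval, duplicate approval and
    users outside the approver group. Returns the number of approvals so far."""
    if user not in approvers:
        raise FourEyesViolation(f"{user} is not an authorised approver")
    if user == payment.initiator:
        raise FourEyesViolation(f"{user} initiated {payment.payment_id} and cannot approve it")
    if user in payment.approvals:
        raise FourEyesViolation(f"{user} has already approved {payment.payment_id}")
    payment.approvals.append(user)
    return len(payment.approvals)


def releasable(payment):
    """True only when enough distinct approvers other than the initiator have signed."""
    distinct = {u for u in payment.approvals if u != payment.initiator}
    return len(distinct) >= required_approvals(payment.amount)
```

Only a payment for which `releasable` returns True should be passed on to the payment system; every refused approval is worth logging, since repeated self-approval attempts are themselves a signal for the fraud team.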
3. Spear-phishing attacks
Spear-phishing is a type of social engineering attack on an institution. It is targeted to particular individuals within a business to steal specific data or gain access to a computer system, which can also lead to malware being remotely installed on a targeted system. Cyber attackers send fraudulent communications, usually via email, which appear genuine, and result in the individuals carrying out a specific action to unknowingly reveal information or grant access to the attacker.
Spear-phishing attacks differ from more general phishing as they can be highly targeted at specific individuals inside the institution. Attackers may have information about how a team is structured or operates and seek to exploit this knowledge to trick staff into giving them access.
Attackers spend a lot of time and effort creating very convincing fake phishing emails and it can be hard to spot them during a busy day. The best defence against all forms of phishing is instilling a strong culture of cyber-hygiene across the financial organisation and reporting any suspicious emails or communications to cyber security teams.
4. Whaling / CEO fraud
Whaling / CEO fraud, like spear-phishing, targets specific individuals within the institution. However, in this case, the attack targets senior executives of a company. Often the fraudulent communication will appear to be from another senior executive of the company, like the CEO - hence why it is also referred to as CEO fraud.
Once the criminal has login credentials and is able to communicate as if they were a senior executive at the institution, they can instruct teams to make fraudulent payments, often unchallenged because of the apparent seniority of the request.
5. Application fraud
Application fraud is carried out by criminals who apply for financial products such as a credit card, loan or bank account in someone else’s name; it is a type of identity fraud or identity theft.
This type of fraud can be difficult to detect as it only becomes apparent when the individual whose identity has been used realises they have unwarranted debts. It can have a devastating impact on its victims’ credit score and future ability to access financial products.
6. Authorised push payments fraud
Authorised push payments fraud is a growing threat to financial institutions and their customers. This type of fraud occurs when a fraudster tricks an individual into making an authorised payment by bank transfer to an account the fraudster controls.
The criminal may pose as someone from the individual’s bank or a trusted organisation. Because the fraudster wants to get as large a sum as possible, a common scam is to pose as a conveyancer and target people who are buying a house in order to steal the deposit or full amount.
The fraud landscape is constantly evolving. Stay one step ahead!
The fraud threat is constantly evolving. No one can know how cybercriminals will next exploit the landscape within which the financial industry is required to operate. New tactics, techniques and procedures continue to emerge as cybercriminals discover new weaknesses in financial security systems, or invent clever ways to trick innocent individuals into giving them access to legitimate sources of money.
Financial institutions have a duty to their customers and their business to ensure they are aware of evolving fraud threats, and to protect themselves from fraudsters. All SWIFT customers have access to the Information Sharing and Analysis Centre (ISAC), where the latest intelligence on potential threats and customer security incidents is shared with the global financial community.
In addition to information sharing, ensuring that you have the most effective and appropriate internal strategies and controls in place will help protect your funds and your organisation.
Learn more about SWIFT’s suite of fraud detection and prevention products and community initiatives here, or talk to your SWIFT representative today.
Discover our Fraud solutions
Cyber attackers are innovative and now work with subtlety and sophistication. They cover their tracks and exploit the fact that payments move faster than ever. Work with SWIFT to monitor and protect your core payments on three fronts.