Blog
← Back to Blog
June 07, 2016 financial

Hackers Stole $10 Million Through the Banking System. Could It Happen to Your Practice?

Banking and financial security concept

In February, hackers stole $81 million from Bangladesh's central bank through the SWIFT network, the secure messaging system that banks use to transfer money internationally. A typo in one of the fraudulent transfer requests triggered a review that stopped another $850 million in attempted theft. In the months since, additional SWIFT-connected attacks have surfaced, including a $10 million theft from a Ukrainian bank.

These aren't smash-and-grab attacks. They're sophisticated operations that exploit the trust inherent in financial communication systems. And while your practice doesn't use SWIFT, the underlying tactics are the same ones criminals use against small businesses every day.

How the SWIFT Attacks Worked

  1. Initial compromise: Attackers gained access to the bank's internal network (likely through phishing or a compromised vendor)
  2. Reconnaissance: They studied how the bank used SWIFT, learned the procedures, and identified key personnel
  3. Credential theft: They stole the credentials needed to authorize SWIFT transactions
  4. Execution: They sent fraudulent transfer requests that looked legitimate because they came from within the bank's own systems
  5. Cover-up: They manipulated logs and records to delay detection

The Small Business Equivalent

Your practice doesn't move $81 million. But the same attack pattern plays out at a smaller scale every day:

Business Email Compromise (BEC)

An attacker compromises your email account (or impersonates you convincingly). They send a message to your bookkeeper or office manager: "Please wire $15,000 to this account for the equipment purchase we discussed." The request looks legitimate. The email comes from (or appears to come from) the right person. The money is sent.

BEC scams cost businesses $1.2 billion in 2015, according to the FBI. The average loss: $130,000.

ACH Fraud

Attackers who gain access to your online banking credentials can initiate ACH transfers to accounts they control. By the time you notice, the money has been moved through multiple accounts and is gone. Unlike consumer accounts, business accounts have limited fraud protections for ACH transactions.

Protecting Your Practice's Finances

  • Dual authorization: Require two people to approve any wire transfer or ACH payment above a threshold (say, $5,000). This mirrors the multi-signature controls that banks use.
  • Verbal verification: Any email request to transfer money gets verified with a phone call. Always. Use a known phone number, not one from the email.
  • Dedicated banking machine: Consider using a dedicated computer for online banking that isn't used for email, web browsing, or other activities. This dramatically reduces the risk of credential theft.
  • Transaction alerts: Set up real-time alerts for all transactions above a threshold. If money is moving, you should know immediately.
  • Review daily: Check your bank accounts every business day. The faster you catch unauthorized transactions, the more likely you are to recover the funds.

The SWIFT hackers targeted billions. But the techniques work at every scale. Protecting your practice's finances requires the same vigilance, just applied closer to home.