
Money Mules and Laundering: When Criminals Access Your Account

First published: 04/08/2020

updated: 21/10/2022


In several previous articles, we’ve discussed how criminals can get access to your banking app, but what happens after they gain access is a topic we have not yet covered. Let’s dive in!

Scenario

An attacker has somehow gotten access to your bank account, through phishing, leaked credentials, malware on your device, or by some form of identity theft. How is it possible for money to be stolen from your account, given that banks have quite strong internal systems for monitoring fraud?

Money Mule Operations

The first category is what can be considered “small scale” operations, where the total theft amount is usually in the low millions of dollars. The way it works is pretty simple: people are recruited to what they think is a legitimate job, where they get paid to be a “money transfer agent”, “local processor” or something similar. It is a tempting job, which you can do from home; all you do is accept funds and transfer them to a third party.

One example of how this is done is that you are told to take out the money in cash, then do an instant transfer at a Western Union office. A different scenario could be that you are instructed to buy and transfer a cryptocurrency. The real purpose of the job is actually to enable fraud: by transferring the money, the money mule helps to hide the criminal's true identity and location from the victim and the authorities. Of course, if a criminal has access to your bank account, you could be used as a money mule without your knowledge; your account could be used to hide the money temporarily.

One limitation of this type of crime is that one mule can break the chain. If one of the money mules discovers that they are being exploited and goes to the police, the whole operation breaks down. For that reason, money mules are often recruited amongst young people or people who are less knowledgeable about how payment systems work. As an example, in Norway you can get a bank account and payment card from the age of 6, which can withdraw up to 1000 euro over four days, even abroad.

The risk management systems used by the banks can, to some degree, recognise unusual patterns in the payments. However, the fraudsters usually spread the payments over multiple money mules, which makes it harder to stop. (Hopefully, an alarm bell would ring if a 6-year-old started withdrawing large amounts in cash!)
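The pattern described above, written as detection logic. This is an added example, not part of the original article and not any bank's actual rule set. It flags accounts that forward an incoming credit almost in full shortly after it arrives, then groups those hops by downstream account, so payments spread over several mules still converge on one finding. The ledger, account names and all thresholds (window, ratio, minimum amount, mule count) are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample ledger (not real data): (time, from_account, to_account, EUR)
TRANSFERS = [
    ("2020-07-01T10:00:00", "VICTIM-1", "MULE-A", 4800),
    ("2020-07-01T10:00:40", "MULE-A", "COLLECT-X", 4500),
    ("2020-07-01T10:02:00", "VICTIM-1", "MULE-B", 4900),
    ("2020-07-01T10:03:10", "MULE-B", "COLLECT-X", 4600),
    ("2020-07-01T10:05:00", "VICTIM-2", "MULE-C", 3000),
    ("2020-07-01T10:05:30", "MULE-C", "COLLECT-X", 2800),
    ("2020-07-01T09:00:00", "EMPLOYER", "ALICE", 2500),  # salary, spent slowly
    ("2020-07-03T18:00:00", "ALICE", "LANDLORD", 900),
    ("2020-07-01T11:00:00", "BOB", "CAROL", 50),
    ("2020-07-01T11:01:00", "CAROL", "SHOP", 45),        # fast, but below min_amount
]

def pass_through_hops(transfers, window=timedelta(minutes=10),
                      min_ratio=0.8, min_amount=1000):
    """Return (account, downstream) pairs where a credit of at least
    min_amount was forwarded, minus a small cut, within `window`."""
    rows = sorted((datetime.fromisoformat(t), s, d, a) for t, s, d, a in transfers)
    credits = defaultdict(list)  # account -> [(time, amount)] not yet forwarded
    hops = []
    for when, src, dst, amount in rows:
        # Does this debit forward a recent credit on the sending account?
        for i, (c_when, c_amount) in enumerate(credits[src]):
            if when - c_when <= window and min_ratio * c_amount <= amount <= c_amount:
                hops.append((src, dst))
                del credits[src][i]  # each credit explains one debit only
                break
        if amount >= min_amount:
            credits[dst].append((when, amount))
    return hops

def collector_accounts(transfers, min_mules=3, **kwargs):
    """Downstream accounts fed by at least min_mules distinct pass-through accounts."""
    feeders = defaultdict(set)
    for mule, downstream in pass_through_hops(transfers, **kwargs):
        feeders[downstream].add(mule)
    return {acct: sorted(m) for acct, m in feeders.items() if len(m) >= min_mules}

if __name__ == "__main__":
    for acct, mules in collector_accounts(TRANSFERS).items():
        print(f"review {acct}: fed by pass-through accounts {mules}")
```

Taken one at a time, each mule's forwarding hop is a single mid-sized payment; it is the grouping by downstream account that turns three unremarkable hops into one alert.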

Automated Operations

The second category is fraud that doesn’t involve people at all: if the criminals can automate the transfer from account to account very quickly, without involving money mules, the situation can be much more dangerous.

On the 1st of July 2020, the limit for cross-border SEPA Instant Credit Transfer (SCT Inst) transactions went from 15,000 euro to 100,000 euro. An instant credit transfer is supposed to take a maximum of 10 seconds, with a hard timeout of 20 seconds. This change would allow criminals to create a complicated web of large-scale transactions between many people and countries in just minutes. So far, there have not been any public attacks of this type reported, but it is an obvious target for attackers.

Attacks on Corporate Payments

The increase in limits on SEPA transfers brings us to the next category of attack: Attacks on companies and banking infrastructure. While new Strong Customer Authentication (SCA) regulation has made consumers a less tempting target, corporate payments have an exemption under article 17 of the PSD2, where the requirements are left to the national authorities.

Another tempting target is the SWIFT credentials used by bank employees to do large-scale money transfers. Back in 2016, SWIFT credentials were used in an attempt to steal up to a billion USD from the Bangladesh Central Bank. It doesn’t take more than one unfaithful employee to enable this type of attack.

In the future, we’re sure to see more automated and fast attacks. Is there anything we as individuals can do to stop this? Perhaps not, but hopefully banks and PSPs will continue to work on securing payments and protecting both individuals and corporations from fraud.
