Skip to main content

Lessons from the Cosmos bank attack: How to stop fraudulent transactions before they take place

(Image credit: Image Credit: Gustavo Frazao / Shutterstock)

I was both discouraged and disturbed to see the recent headline about the cyber-attack at Cosmos Bank in India: India's Cosmos Bank loses $13.5 million in cyber attack.

When did we as an industry become so desensitized to these types of revelations? It seems like not so long ago that the shock and awe of a story like this would have caused much uproar. Yet the reactions I see these days seem to be little more than a shrug, indicating a fatalistic attitude that hackers will always win and that there’s little anyone can do about it.

That belief is simply not true, which will be illustrated later. First, let’s take another look at the details of the Cosmos Bank heist:

  • India’s Cosmos Bank lost nearly 944 million rupees ($13.5 million) through simultaneous ATM withdrawals in 28 countries.
  • The customer info was stolen through a malware attack on the ATM machines (14,849 transactions in just over 2 hours).
  • A portion of the attack also occurred when the hackers transferred 139 million rupees ($1.9 million) to a Hong Kong based account by issuing unauthorised transactions over the SWIFT network.

Those details alone are bad enough, but now add to them another fact uncovered in the recent UK Business Payments Barometer, sponsored by Bottomline Technologies: of all fraud incidents reported by the researched participants, less than 50 per cent of the lost funds were recovered.

Recovering the funds is only half the challenge Cosmos Bank now faces. An even bigger hurdle will be to rebuild the reputational damage they’ve suffered (an often overlooked result of fraud attacks). That will be particularly difficult for Cosmos, who was also hit in February with three fraudulent remittances of nearly $2 million that were transmitted via the SWIFT network.

What seems truly baffling is why organisations keep finding themselves in this situation. They’re allowing themselves to be exploited when there’s simply no need for it.

What’s particularly puzzling is that statistics in Strategic Treasurer’s 2018 Treasury Fraud and Controls Report seem to indicate a number of important fraud prevention measures are moving in the right direction. Not only are organisations finally taking the threat of fraud seriously, they’re also taking steps to protect themselves. Compared to last year: 

  • 84 per cent surveyed consider the threat level of cyber and payment fraud to have increased.
  • 61 per cent or organisations see themselves as being in a better position to fight fraud.

So where exactly is the disconnect? Organisations recognise the threat of fraud and are taking steps to defend themselves against it, but attacks such as the ones at Bangladesh Bank in 2016, Banco de Chile earlier this year and most recently Cosmos Bank keep happening with frightening regularity. This comment by Strategic Treasurer, an organisation that regularly deals with both banks and corporates in the course of their research, certainly rings true: ʺDespite increased awareness and spend, organisations have proven themselves largely unprepared for a more organised, strategic and persistent threat.ʺ

Recognising that you have a fraud problem is definitely the necessary first step in solving that problem. But recognition alone does not constitute a solution. Neither is simply allocating budget for it. It is encouraging to read that fraud spending budgets are holding steady year-over-year – according to J.P. Morgan’s 2018 AFP Survey – but it doesn’t change the fact that 78 per cent of organisations were targets of payment fraud last year.

Even more concerning is that according to KPMG, internal users were involved in a big percentage of fraud cases, highlighting the stark reality that fraud threats can come from any direction at any time.

Fraud continues to be such an insurmountable threat is because of an inappropriate focus.

Consider this: the temperatures outside are freezing. Your wood burner has a roaring fire in it, the thermostat is cranked up high and you’re wearing your favourite woolly jumper. You seem to be doing all that you can but your fingers are still frozen. What’s the problem then? The windows are wide open - not a great recipe for success. You can pile on all the blankets that you want but until you fix the root cause of the problems, your impending case of hypothermia will be unavoidable.

It’s the same with addressing financial fraud issues. Allocating spend might feel satisfying and appear productive -- and it might even stem the flow in a few areas.  But unless you’re using those funds to close all of the air gaps and address the real issue, the harsh realities of potential payment fraud will continue to plague your business.

Organisations can better safeguard themselves by identifying and stopping fraud before it happens.  This is accomplished by closely examining any potential loopholes related to your people, your processes and your technology.   By combining the right mix of technology, a stringent process and a culture of diligence, you can instil a much more holistic and proactive approach.

That might sound like an obvious and impossible tactic, but it’s entirely possible and simple to do so with the sophisticated behaviour and transaction monitoring solutions that are available today. Proactive behaviour monitoring combined with transaction monitoring is without question the most robust method available to help prevent financial losses and reputational damage related to a fraud incident (not to mention prepare you better for future threats). Solutions such as these leverage the latest in machine learning technology to understand what activity is safe and normal and what is not, then immediately alert to suspicious activity, putting a hold on potentially fraudulent transactions before they can cause any damage.

You have a responsibility to secure each and every payment that passes through your hands -- don’t leave it up to chance! And certainly don’t consider your fraud protection work is done simply because you send an end of day report – by then it is too late for anything to be done. Close those windows and finally invest your fraud protection spend where it will do the most good, addressing the root problem of stopping fraud in flight and before it’s happens.

James Richardson, Cyber Fraud and Risk Management, Bottomline
Image Credit: Gustavo Frazao / Shutterstock

James Richardson
James has worked in the Payments industry in an ever-changing landscape for over 15 years, working with financial institutions and corporates of all sizes. James helps organisations reduce their fraud risk and secure critical payments by sharing insights on industry, trend and technology offerings.