SWIFT itself is one of the most secure messaging networks in the world. The scams that attach to it are almost entirely social engineering — fake documents, advance-fee fraud, business email compromise. Here are the ten patterns that account for most losses.
1. Bangladesh Bank Heist (2016). Malware on the bank's SWIFT terminal allowed 81 million USD in fraudulent MT103s. Lesson: SWIFT customer security framework (CSP) is now mandatory; if your bank skimps on CSP it is a red flag.
2. Business Email Compromise (BEC). Attackers compromise email, watch for impending payments, then email "new bank details" to redirect funds. The wire is real; the destination is criminal. Lesson: always verify new payment details by a different channel (phone call).
3. Fake MT103 PDFs in romance scams. "Mum I sent you 50K, here is the MT103 — bank says you have to pay a 500 release fee." The MT103 is invented. Lesson: no legitimate bank charges a "release fee" for an incoming wire to the recipient.
4. Advance-fee fraud ("Nigerian prince" modern variant). Promise of large inbound SWIFT in exchange for an upfront fee. Always fake.
5. Fake "Federal Reserve Clearance Certificate". A fabricated document supposedly required by the Fed to release a wire. There is no such certificate.
6. SBLC / MT760 leasing fraud. "We will lease you a 100M MT760 for 5% upfront." Banks do not lease guarantees.
7. CEO impersonation. Attacker impersonates senior executive ordering an urgent wire. Mitigation: dual-authorisation, callback verification.
8. Bank impersonation phishing. Phone or email claiming to be the bank asking for credentials to "investigate a fraud". The fraud is the call.
9. Charity / disaster relief diversion. Real charity URL with one-character typo, payment goes to attacker.
10. Invoice fraud (supplier impersonation). Vendor receives email with "updated invoice and new bank account". Verify with vendor by known phone number.
See our fake-MT103 verification guide. Key markers: typography, header format, presence of UETR in correct format, ability to verify the UETR on your bank's system (not via the sender's tracker).
Your bank's internal records are authoritative. Ohmyfin queries the public GPI tracker, which has a 124-day retention and depends on banks publishing status. If your bank confirms the wire, trust your bank.
Contact your bank immediately to initiate a recall (MT292). If funds have not yet been credited to the beneficiary, recovery is possible. Once credited, recovery becomes a civil/criminal matter.
Different attack surface. Crypto removes some scams (no leased MT760) but adds others (private-key theft, scam tokens). Both rails require the same caution about who you are sending to.