"The threat is very persistent, adaptive and sophisticated – and it is here to stay," SWIFT officials said in a letter seen by Reuters.
The letter, dated 2 November, said that hackers have changed their methods. One tactic involves using software that allows technicians to access computers to provide technical support. The hackers then send payment instructions through the SWIFT network, Reuters said.
"We unfortunately continue to see cases in which some of our customers’ environments are being compromised," the letter said, according to Reuters.
SWIFT warned its members in September about successful hacks that had taken place. While many attacks have been caught by its own security or by that of banks, others have been successful, it said. SWIFT did not say how much had been stolen.
This followed a warning in May that international banks are facing threats from a new wave of malicious software, or malware, that allows attackers to steal money.
In a statement issued to its customers and posted on its website, SWIFT said that the malware attack was believed to be part of a broad and "highly adaptive campaign targeting banks" and that there was evidence that a number of banks have fallen victim to fraud as a result of their security measures being compromised.
Asset recovery expert Alan Sheeley of Pinsent Masons, the law firm behind Out-Law.com, said: "Cyber-attacks are part of everyday business, but this does not mean boards should just accept them and not be proactive against them, or investigate them once attacked. Cyber-attacks are not just limited to banks and impact on all businesses in all sectors."
"What is critical is the manner in which the investigation is carried out and the action that follows. All too often businesses react once it is too late and large sums of money or data have been taken. Businesses usually say that they have been aware of weaknesses within their IT systems and it was something that was to be considered, or invested in, in the next financial year. These attacks can have serious detrimental effects for a business’s good name and can result in significant claims being made by injured parties and regulators," he said.
"Once the new General Data Protection Regulation is brought into effect, a company could be fined up to 4% of its total worldwide turnover for general breaches, or 2% for security breaches. This regulation will also have a self-reporting requirement that will need to be complied with," Sheeley said.
"Businesses need a crisis response plan to deal with hackers and the consequences. The plan must include how to instruct appropriate experts, not just their IT department who probably do not have the necessary skills to secure the evidence and identify the vulnerabilities and the weaknesses in the system. It must also include instructing civil fraud solicitors to recover any funds or data that have been lost. Civil fraud solicitors are skilled in obtaining disclosure orders against ISPs to trace the hackers and identify weaknesses in the IT system," he said.
"Businesses should also not assume that the hacker has acted alone, as sometimes employees are involved as well," Sheeley said.