Cyber attacks against banks that use web-based ATM control panels are on the rise, according to a warning alert from a federal banking watchdog.
The alert by the Federal Financial Institutions Examination Council says that thieves are targeting “small-to-medium-sized institutions” and changing the controls on ATMs to enable the theft of practically unlimited withdrawals. The vast potential of the scheme has earned it the moniker “Unlimited Operations” from the Secret Service.
The statement released by the FFIEC revealed that one recent attack netted hackers more than $40 million with the use of just 12 debit card accounts. The thieves typically begin the scam by “sending phishing emails to employees at financial institutions,” according to the alert. Once malware has been installed on the bank’s network, the hackers change settings and gain access to the ATM control panels, enabling the withdrawal of huge sums. The “cash-out” phase of the attack takes place quickly, usually lasting somewhere between four hours and two days.
Regulators have asked that banks conduct ongoing information security risk assessments, add additional layers of security and take other measures to prevent against further attacks.
Sign up for Inside TIME. Be the first to see the new cover of TIME and get our most compelling stories delivered straight to your inbox.
