buguroo | Online Banking Fraud Blog

The Salami Attack in Cyber Crime

Written by Mateusz Chrobok | Jan 18, 2021 1:13:10 PM

In 1940, the leader of the Hungarian Workers' Party, Mátvás Rákosi, devised a strategy to eliminate the other parties with the intention of creating a communist regime in that country. This strategy consisted of accusing certain rival politicians, who were their competition, of being fascist sympathizers. 

This forced the opposition party to finally expel them from their ranks, which weakened the rival party in the long run. Once he finished with this play, the same strategy was repeated with others until he seized power.

Rákosi spoke of "cutting them off like slices of salami”

Many centuries earlier, San Tzu already spoke of this technique in the book "The Art of War", where he explained that united enemies with whom there is cohesion can be very dangerous, so a weakening tactic consists of separating them, attacking them in a divided way to fragment this union and make them less powerful.

Tzu spoke of the famous "divide and conquer”.

This "salami attack" technique, applied outside of political or military contexts, can be extrapolated to other areas, where, in the end, the objective is slowly achieved by breaking down the final goal into many subgoals, in such a way that no huge effort is required at the beginning but rather a climbing action through the achievement of intermediate goals.

But this strategy also carries another connotation, that of going unnoticed, of attacking in a sibylline way without attracting too much attention. For example, Rákosi didn't attack all opponents of a party, he didn't accuse the party of being fascist, which would have generated a huge public scandal. He preferred to produce general discomfort and discrepancies within the rival party itself, without making too much noise on the outside that could expose his attack and reveal his true intentions.

The same strategy is frequently applied in the criminal field, mainly in theft and fraud. Individuals or companies are vigilant of or on the lookout for the commission of major thefts in terms of quantity or value, which means that security systems mainly protect bulky or large products. For example, if we are going to rob a mall, steal from the jewelry section or take a 60-inch plasma TV without paying for it, we're going to have a very hard time. However, stealing a perfume or a CD can be relatively easy.

Criminals are aware of this, so when it comes to carrying out thefts and choosing their targets, they assess the balance between cost and benefit. We might think that the theft of a perfume or a CD wouldn't be a big deal for a shopping center in terms of economic losses, but if it occurs repeatedly due to it being easier to pull off, the final losses can be very significant.

The ant robbery

A similar technique is called "ant robbery", where the products or amounts that are stolen are very small (hence the word "ant" in the name), meaning they don't usually attract much attention. In addition, this type of theft is usually carried out by the employees themselves or internal personnel, making it very difficult to detect.

Before we used to say that in terms of losses, these events weren't a huge deal, however, this type of continuous theft can be dangerous to the survival of a company.

In fact, it is estimated that ant robberies account for 25% of a company's unknown losses. When it comes to stock, these losses reduce companies' inventory by 15%. And we don't need to imagine an Amazon warehouse, as the employee who takes home a pen, stapler or makes photocopies for their children's schoolwork is also contributing to these losses.


This strategy, in addition to its ease and convenience, has another positive effect for the criminal from a legal point of view. As the things being stolen are small objects of little value, the penalties or legal consequences in the event of being detected are much less, and sometimes the boundary is blurred between legal and illegal. If an employee steals a computer from your company, it's clear that there are grounds for their dismissal, but if they have been taking pens, paper and using the photocopier over the fifteen years they've been working at the company, is it also considered theft?

This process has also bypassed the virtual-analog barrier and is now perfectly installed on the internet. The internet, despite being a space with a high level of anonymity and permissibility when it comes to committing crimes, is increasingly protected and is generating more "security awareness" among users and companies, making them more vigilant and alert.

Large thefts or scams are now quickly detected, which is why cybercriminals have had to slightly modify their modus operandi.

Let's imagine that today you get up and go to breakfast at your usual spot. After eating your favorite breakfast, you go to pay by credit card as you do every day. The waiter gives you a polite smile as they tell you the operation hasn't gone through. Surprised, you swipe the card twice with the same result, until you end up reaching for your wallet and getting out some coins to pay for breakfast.

While finishing your cup of coffee, you open up your banking application and discover, to your surprise, that your bank account is completely empty. Imagine that later, after several calls to the bank and having filed a police report, you discover that your bank card has been cloned and some cyber scammer is moving your savings all around the world until transferring all your money to an account in Nigeria.


You've clearly realized that you've been robbed, right? Imagine that this same thing has happened to another 50,000 clients of the same bank, whose cards have been cloned through hundreds of sabotaged ATMs. It seems logical to think that the bank would detect this fraud and take the corresponding measures.

Now, imagine you get up again, go to the same bar again, and have the same breakfast. When you get ready to pay by card, you do so without any problem and go to work with a big smile after a spectacular breakfast. Your life continues as normal and you don't realize that you've been robbed. It turns out that your card has been cloned as in the previous case, but instead of emptying your account, what the criminals have done is steal €27.38. That is, instead of emptying your account by transferring the total amount in it, say €27,827.38, they have only transferred €27.38 out of that amount. Would you notice this theft? You could even lower the amount to €7.39 or cut the salami into even thinner slices and say they only took out €0.38.

Would you realize that you had been robbed? Would the bank notice or detect it?

Imagine that this also happens to the other 50,000 clients of your bank. Would they realize it? Now imagine that this situation is repeated every month with you and with the 50,000 clients. Small amounts, only the decimals that are in their account that day.

With this experience, you can get an idea of what the salami attack consists of within the context of cyber fraud.

Since we're imagining things, now imagine a virus that modifies banking operations and makes the last two decimal places of all operations carried out by a bank in one day disappear. Two decimal places may seem like almost nothing, but multiplied by the hundreds of thousands of transactions carried out by a bank, the final amount is very enticing.

In the United states, there was a very famous case where more than 1 million fraudulent charges of between $0.25 and $9 were made over several years. These charges were made by fake companies and redirected to accounts created by cyber scammers abroad. Of all the charges, only 79,000 people became aware of the scam.

So, from now on, check your bank movements in detail, even those of a minimal amount. Don't let them be turned into a slice of salami.