A sophisticated spear-phishing gang has stolen as much as $1 billion from banks and other financial institutions in the past two years, according to computer security company Kaspersky Lab.
On 14 February Kaspersky reported that the gang, which it dubbed ‘Carbanak’, had stolen directly from banks, rather than taking the more usual route of stealing the identities of bank customers. The gang sent emails to bank employees designed to trick them into opening malicious attachments. These opened backdoors that allowed the hackers to install other tools on their victims’ computers, enabling them to monitor the behaviour of clerks to understand their routines. This monitoring extended to key logging and even to capturing video footage from infected machines, Kaspersky said.
With this information, the Carbanak gang was able to instruct ATMs to dispense money without a PIN number. It could also increase the amount of money recorded within individual accounts, removing the difference without the account-holder noticing. Hundreds of institutions were targeted worldwide. The gang remains at large.
Kaspersky, of course, has a business interest in highlighting security threats. Its report was based on information from law-enforcement authorities and its own research. If the information is accurate, the scale of the attacks is unprecedented and represents a huge challenge to financial institutions worldwide. The news broke a day after US President Barack Obama addressed a cyber-crime summit in California’s Silicon Valley.
“Everybody is online, and everybody is vulnerable,” Obama told an audience of senior executives and security professionals on 13 February. The same day he signed an executive order designed to forge closer information-sharing between technology companies and the US government.