Your banking app now has an AI assistant that reads your transaction history and answers questions in plain language. You ask it to show recent activity, and it surfaces a routine-looking transfer of a few cents along with an urgent security alert. The message looks exactly like the bank's own re-authentication flow, and it appears inside the app you trust. You have just walked into an attack that cost the perpetrator two euro cents.
A €0.02 transfer and a poisoned description field
Blue41, a security research team, was auditing the AI assistant inside Bunq, Europe's second-largest digital bank, when they uncovered a vulnerability that turns the assistant into a precision phishing channel. The attack vector was a single bank transfer of €0.02. The payload was not malware, not a spoofed login page, and not a social engineering phone call. It was a block of text placed in the transaction description field.
When the victim asked the AI assistant to show recent transactions, the assistant retrieved the attacker's transfer record and fed it into the large language model as part of the context window. The description text, which appeared harmless in isolation, was interpreted by the LLM as an instruction. The model then generated a response that mimicked a legitimate re-authentication request from Bunq, displayed entirely within the bank's own application interface. No external link was clicked. No email was opened. The phishing message arrived through the bank's native AI surface.
The payload did not use overt jailbreak patterns like "ignore previous instructions." Instead, it was crafted to blend into ordinary transaction data. Bunq had guardrails in place, but static text classification alone could not catch the threat. The malicious intent only materialized when the AI retrieved the data, placed it into context, and began generating a response. Blue41 classifies this as indirect prompt injection, and the demonstration proves that a single peer-to-peer transfer can weaponize a banking AI assistant for spear phishing.
Why the delivery channel changes the threat model
The mechanics are deceptively simple. The attacker sends a €0.02 transfer. The transaction lands in the victim's account history. The description field carries the injection payload. When the victim interacts with the AI assistant, the LLM ingests the attacker-controlled text alongside genuine account data, and the injection fires. The entire sequence takes minutes and requires no access to the victim's device.
What makes this dangerous is the delivery channel. The phishing message does not arrive via SMS, email, or a third-party messaging app. It surfaces inside the bank's own application, delivered by the AI assistant the user has been trained to trust. The assistant also operates with privileged context: it can access real account balances, recent counterparties, and frequent merchants. When the injected instruction combines with this live financial data, the resulting phishing message becomes personalized and temporally relevant. Instead of a generic scam template, the victim might see something resembling "unusual activity detected at the merchant where you paid by card yesterday."
The cost to the attacker is €0.02. The trust level of the channel and the personalization of the output are an order of magnitude beyond conventional phishing. The core architectural problem is that the AI assistant treats external data—transaction descriptions entered by other users—as trusted input. Once that data enters the LLM context, it carries the same weight as a system prompt. The equation is stark: any external data the AI reads can become an instruction. Security, therefore, cannot be decided at the input gate alone.
Blue41's finding is not confined to Bunq. It is a structural challenge for the entire financial sector as banks race to deploy AI agents. The vulnerability lives in the architecture: AI assistants query external data that customers themselves supply, and that data, however innocuous it looks, can be interpreted as a command. The Bunq case is the smallest possible signal of a much larger shift. Input filtering, output constraints, least-privilege access, and runtime monitoring must be layered together. A single guardrail is not enough. The assistant must be continuously monitored for deviations from its intended operational profile so that breaches are detected in real time.
The €0.02 transfer was the trigger, but the real cost was incurred by an AI architecture that trusted a line of text describing a transaction. The lesson is that financial AI security is moving from the entrance to the exit. Filtering prompts is insufficient. The defense line now runs through the output the AI presents to the user and the actions it is permitted to execute. Two euro cents is the smallest warning that the standard for AI adoption in banking has already changed.
