Security firm Blue41 demonstrated an indirect prompt-injection attack on bunq's banking assistant in which a 2-cent transfer becomes the entire exploit.

The payload hides in the transaction description, a field the attacker controls. When the victim later asks the assistant "show me my recent transactions," the model pulls that description into its context and treats the embedded text as an instruction rather than data, then runs a personalised phishing scenario autonomously. No device access, no malware, no traditional social engineering; the only attacker action is sending a small payment.

The flaw is architectural, not specific to bunq. Any assistant that feeds untrusted third-party text, such as transaction memos, documents, or messages, into an LLM alongside trusted instructions inherits the same exposure: the model consumes both as one token stream, and most financial deployments have no reliable way to mark which tokens in that stream are data to be described and which are instructions to be obeyed.