BSP reminds banks to step up cybersecurity structure


The Bangko Sentral ng Pilipinas (BSP) is reminding banks to keep up with evolving cybersecurity threats, especially short message service (SMS) or text-based attacks such as SMiShing or SMS spoofing.

BSP Deputy Governor Chuchi G. Fonacier said cyber-related criminals or cyberthreat actors are “constantly evolving and increasingly focusing their attacks on phishing campaigns”.

“(They) lure bank and financial clients to give out user credentials and/or sensitive information or click links to malicious websites,” said Fonacier.

She said the BSP and the banking sector are working together for “collaborative initiatives aimed in safeguarding the industry and its financial consumers against these types of SMS-attacks and scams.”

According to a BSP memo (Memorandum Order No. M-2020-066) that Fonacier signed on August 19, the central bank’s cyberthreat surveillance points to SMS-based attacks as a growing and predominant type of attack. The memo says this type of attack is effective because of the attackers’ ability to deceive bank clients by convincing them of the urgency of an immediate action. “Smishing is normally executed in combination with SMS spoofing wherein the SMS sender ID is altered so that the message appears to be coming from a financial institution or entity,” according to the memo.

Fonacier said they issued the memo not only as a reminder for banks to step up cybersecurity but also to intensify customer awareness of such threats.

“The primary intent of the new issuance is to remind BSP-supervised financial institutions (BSFIs) to be on guard of SMS-based attacks and provide necessary guidance to minimize impact such as fraud losses and incidents to the BSFIs and their clients,” she said.

Fonacier said the industry generally has appropriate cybersecurity protection, such as multi-factor authentication (MFA) controls, as backup safety features because the sending of one-time passwords (OTPs) has “inherent vulnerabilities and weaknesses.”

Fonacier acknowledged, though, that banks “have been stepping up their security posture by implementing relevant security solutions and practices to ward off these attempts. These include increased cybersecurity awareness campaigns, enhanced implementation of MFA controls and calibrated fraud management system rules and parameters, among others.”

“The BSP, in close collaboration with industry players and other regulatory agencies, continues to closely work together to ensure that the industry is able to anticipate and proactively respond to the changing and uncertain cyberthreat landscape,” she added.

The memo warned that with the shift to digital payments and financial services amid the COVID-19 pandemic, cyber-related crimes and criminals have become “relentless in propagating malicious activities against BSFIs and their clients”.

The BSP also reminded banks that because SMS-based attacks are fast-evolving, BSFIs must implement multi-layer controls, actively conduct “threat hunting exercises to detect unusual activities” and shut down these phishing and malicious sites.

The BSP said banks should act immediately on customers’ complaints and verification requests in relation to SMiShing and SMS spoofing to minimize financial losses to their clients.