Aboitiz-controlled Union Bank of the Philippines (Unionbank) on Monday, Dec. 13, said it has started the filing of criminal charges against clients involved in the hacking of BDO Unibank accounts.

Hackers transferred the stolen funds from BDO to Unionbank, based on initial investigation. The Bangko Sentral ng Pilipinas (BSP) and law enforcement agencies are coordinating with the two banks for remedial measures, the reimbursement of affected accounts and for legal actions against the cyber criminals.

“We are collaborating closely with BDO with their investigation of recent fraudulent activities and have already taken immediate action on identified accounts,” said Unionbank in a statement.

“We are likewise working with law enforcement agencies and will not hesitate to take the appropriate legal action against individuals who use their accounts to facilitate criminal activities,” the bank added.

Unionbank assured the public that the bank and the entire banking industry with the relevant government agencies are working together to fight against cybercrimes.

“We urge the public to remain vigilant and informed. Please change your passwords regularly, refrain from sharing your OTPs (one-time passwords) and other sensitive financial data, and be wary of messages, whether through email or SMS, that come from unknown sources,” said Unionbank.

Last Sunday, Dec. 12, both the BSP and BDO issued their assurances to financial customers that the government and the industry remain vigilant agianst cyber crimes. The Bankers Association of the Philippines (BAP) also released a statement that despite daily hits on banks’ cybersecurity, local banks remain healthy, capital-wise.

BDO has started reimbursing clients of losses due to cybersecurity breaches after identifying the use of “sophisticated fraud technique” to hack their online system, and that they have additional security controls to block further attempts to steal depositors’ money.

BSP Governor Benjamin E. Diokno, in the meantime, said the central bank will ensure quick action will be taken to reimburse affected depositors.

BSP Memorandum Order No. M-2020-066 issued last August said the central bank’s cyberthreat surveillance points to SMS-based attacks as a growing and predominant type of attack and that this attack is effective because of the attackers’ ability to deceive bank clients by convincing them of the urgency of an immediate action. SMiShing, for example, is normally executed in combination with SMS spoofing wherein the SMS sender ID is altered so that the message appears to be coming from a financial institution or entity, according to the memo.

The BSP reminded banks to act immediately on customers’ complaints and verification requests in relation to SMiShing and SMS spoofing to minimize financial losses to their clients.

Last month, the BAP announced it will partner with the Department of Justice (DOJ) to hold cyber criminals accountable, prosecuted and jailed within a short period of time for cyber-related crimes such as money mules and phishing.

BAP president Jose Arnulfo Veloso, who is also CEO and president of Lucio Tan-led Philippine National Bank, said the DOJ deal will help implement existing laws against cyber crimes and shorten delays in prosecution. He also said the BAP and DOJ must work together so that existing laws will be enforced to put cyber criminals behind bars.

BAP said phishing, a cybercrime where fraudsters duped customers of banks via emails, phones or texts to hack their security information, has become bolder and that several banks are now investigating complaints to catch and penalize criminals.

BAP has been calling for the quick passage of the Bank Account and E-Wallet Regulation Act under the proposed House Bill No. 9615 to stem the rapid growth of cyber-related crimes in the banking sector. Under the proposed bill, those who are found guilty of phishing will be imprisoned for six to 12 years and fined P200,000 up to P500,000.