Cyber criminals easily exploit ‘human weakness’ – BSP


Despite the “sophistication and capabilities” of Bangko Sentral ng Pilipinas supervised financial institutions (BSFIs) in monitoring and preventing digital-related fraud, cyber criminals still find ways to target people’s weakest side: naivety and greed.

“Most of these cyber incidents targeted retail customers, were not highly technical, nor did they require advanced tools,” according to BSP Governor Benjamin E. Diokno on Thursday, May 12. “What they tend to do was exploit human weaknesses,” he said.


Based on the BSP’s cyber threats surveillance, the top three types of cyber incidents reported in 2021 by BSFIs were: phishing; “card not present” fraud; and identity theft.

The most common cyber fraud is phishing, together with its variants smishing (SMS) and vishing (voice). It leads to account takeover and social engineering attacks, which are intended to manipulate customers into disclosing the sensitive personal and account information needed to execute unauthorized transactions.

“Card not present” fraud, as explained by Diokno, is fraud in which the card is never physically presented to the merchant; it may be conducted online or over the phone.

In an online press briefing on BSP’s IT risk rules, Diokno said they have observed that cyber attacks and fraudulent schemes affect two or more financial institutions simultaneously.

“These include the originating and receiving banks, as well as non-bank financial institutions such as e-money issuers, virtual asset service providers and remittance companies,” he said.

This is why the BSP amended the IT or information technology risk management rules last March under Circular No. 1140, to strengthen the financial system’s cybersecurity posture and minimize losses from fraud and cyber-criminal activities.

Since cyber attacks and fraudulent schemes affect two or more financial institutions simultaneously, the BSP via the circular wants BSFIs to implement complementary controls as well as “robust” and effective fraud management systems for both originating and receiving institutions. These efforts will serve as early warning mechanisms to reduce fraud losses.

“A holistic and coordinated approach among the industry players is necessary to ensure that funds cannot be easily siphoned off by fraudsters and cybercriminals,” said Diokno.

The new circular amended the existing IT risk management regulation not just to reinforce consumer education and awareness of cyber threats but also to strengthen cybersecurity and minimize losses due to fraud and cybercriminal activities.

Among the changes to the rules, and the reason the circular describes fraud management as “robust,” is the requirement to implement automated, real-time fraud monitoring and detection systems that identify and block suspicious or fraudulent online transactions.

The circular wants BSFIs’ fraud monitoring systems (FMS) to be commensurate to the risks associated with their digital financial and payment platforms. It also noted that as fraud and cyber threats continue to evolve and penetrate BSFIs’ layers of controls, the FMS should be “constantly calibrated” in order to “process surges in transactions, collectively analyze customer profiles/behavior, and detect new fraud patterns.”

Linking and integrating FMS with anti-money laundering systems will likewise form a more “cohesive and comprehensive financial crime prevention system.”

As for consumer awareness and customer education, which the BSP said is a key defense against fraud, identity theft and security breaches, BSFIs are instructed to ensure that customers can easily understand the security precautions they are prominently advised to take when using e-services.

“To effectively capture customer attention and reinforce their awareness and understanding of risks, BSFIs are encouraged to use interactive platforms or materials, such as video clips, online quizzes and infographics,” said Diokno.

BSFIs’ consumer awareness programs should be updated regularly. The BSP suggested that, in evaluating the effectiveness of a program, BSFIs track the following: the number of customers who report fraudulent attempts to obtain their authentication credentials; the number of clicks on information security links on their websites; and the number of inquiries received.

The BSP is giving BSFIs until end-December 2022 to comply with the circular’s standards, and to submit their plans of action, including specific timelines and status, toward achieving full compliance. The BSP will start checking on the manner of compliance by September this year.