PH posts highest number of phishing in SEA - study


PH posts highest number of phishing in SEA - study

By EMMIE V. ABADILLA

The Philippines registered the highest number of phishing attempts in Southeast Asia (SEA) from February to April this year, with seven in 10 (68.95 percent) targeting finance-related transactions, according to a study.

The country's payment systems, such as credit cards, debit cards, and mobile payment apps or e-wallets, accounted for one in two (58.50 percent) of those phishing attempts.

This was the latest findings of cybersecurity firm Kaspersky after detecting and blocking phishing attacks against three financial categories, from banks, e-commerce stores to payment systems.

Percentage of financial-related phishing attacks in SEA from February to April 2022

Phishing attempts in the Philippines were higher than in Indonesia (65.90 percent), Singapore (55.67 percent), Thailand (55.63 percent), Malaysia (50.58 percent), and Vietnam (36.12 percent).

On the other hand, the same data showed that phishing attempts in local banks was the lowest in the region at only 2.17 percent, while phishing attempts versus e-commerce shops in the country was the second lowest among SEA countries at 8.28 percent.

However, the rise of ‘Super Apps' in the region plus increased adoption of digital transactions are making things worse, observed Kaspersky General Manager for Southeast Asia Yeo Siang Tiong.

"Super Apps are mobile applications that combine all popular monetary functions, including e-banking, mobile wallets, online shopping, insurance, travel bookings, and even investments,"

"Putting our data and digital money in one basket can trigger an aftermath snowball, with the impact of a phishing attack swelling at an unforeseeable rate,” he warned.

Super Apps are traditional banks and service providers’ way of standing out in a rather crowded industry.

As they try to work with third parties and incorporate their services into a single mobile app, the attack surface expands, opening up more doors to a malicious exploit.

So far, phishing has remained as the most effective trick in cybercriminals’ sleeves.

It is a known way to crack into a user’s or even a company’s network by playing on a user’s emotions.

If one app contains all the financial details of a user, a simple phishing link asking for his credentials can compromise all the data available in the app.

“Cybercriminals follow the money trail, so it is important for banks, app developers, and service providers to integrate cybersecurity from the beginning of application development," he admonished.

"We expect hackers to target the rising Super Apps, both its infrastructure and its users through social engineering attacks."

Hence, all fintech companies should deploy a secure-by-design approach in their systems and continuously provide proactive education for their users.

For enterprises, the most important method of protection is to keep in mind that cybersecurity is a “living” strategy, not a static platform. It should be constantly upgraded, updated and improved.

Banks and service providers need to ensure a security team or security experts who keep their cyber defense infrastructure updated and can provide support in case of a cyber attack.

Also, they should have access to "threat intelligence" - the latest IT security trends and threats.

Threat intelligence paints a more accurate picture of the bank’s digital presence and informs senior stakeholders about ongoing risks and vulnerabilities.

In addition, they should ensue any third party vendors’ cybersecurity systems are also updated.

Banks need to take proactive measures to warn their customers against falling prey to cybercriminals who impersonate the banks, even if the attacks happen outside their systems.

Even prompts to reply like texting “UNSUBSCRIBE” or “STOP” can be a trick to identify active phone numbers. Attackers depend on people's curiosity or anxiety over the situation at hand, but users can choose not to engage.

Users must avoiding opening any links or contact information in the email or message. They should go directly to contact channels where possible.

Urgent notices can be verified directly on online accounts or via an official phone helpline.

Users should likewise looking out for mistakes, typos and strange characters in the text.

Some threat actors either struggle with English or make mistakes intentionally (such as using numbers to replace certain alphabets, saying “Bank L0an” instead of “Bank Loan”) to bypass spam filters.