BSP warns anew vs fraudulent emails, texts


The Bangko Sentral ng Pilipinas (BSP) on Tuesday, Aug. 9, issued another public reminder to stay alert against fraudulent text messages and unsolicited emails, including SMiShing, a variant of phishing delivered by SMS.

These malicious texts or emails carry links that redirect the recipient to highly suspicious websites, the BSP warned.

SMiShing is a phishing scam in which a fraudster sends a text message to trick the recipient into clicking a malicious link. “This malicious link, when clicked, automatically downloads malware and/or redirects to websites that collect information that may be used for fraud,” said the BSP.

The central bank is again advising the public to protect their personal information and to carefully scrutinize messages even if these appear to be coming from banks, e-money issuers, or known companies or brands.

“The BSP reiterates that legitimate financial institutions will not ask for personal details and/or account credentials (e.g., username, password, OTP or one-time pin/password) from their customers via text messages or by sending links to websites,” said the BSP.

Such websites may have been created by scammers to trick a user into disclosing login credentials, personal data, bank or credit card details or passwords, and to introduce mobile malware, it added.

“While these websites may seem legitimate, fraudulent sites often have errors in spelling, punctuation, capitalization, and grammar. Banks, e-money issuers, and legitimate companies exert extra effort to maintain professional websites without such errors,” said the BSP. “Consumers who experienced SMiShing attempts are advised to report these to their banks or e-money providers immediately,” it also said.

The BSP regularly reminds all of its supervised financial institutions (BSFIs) to implement “robust” measures against cyber fraud and attacks on their retail electronic payments and financial services.

The BSP has instructed BSFIs to remove clickable links from communications sent to customers by email and by SMS or text message.

As part of risk analysis, BSFIs are also ordered to implement mandatory notifications for fund transfers exceeding a predefined amount, delays in activating new soft tokens or newly registered devices, and a cooling-off period for key account changes.

Other control measures recommended by the BSP are: personalized SMS messages and emails for banking services; restricting bank officers or representatives from obtaining critical information such as customer passwords, one-time passwords, or personal identification numbers (PINs); creating dedicated customer assistance teams for fraud cases; conducting education campaigns against online scams; and adopting strong fraud surveillance mechanisms.
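The message and transaction controls described in the three paragraphs above, as an added Python example that is not BSP code nor any bank's implementation: an outbound-message linter that rejects anything a handset would render as a clickable link, personalised customer notifications, an activation delay for newly registered devices, a notification threshold for large transfers, and a cooling-off period after a key account change. The threshold, the two delays, the link pattern and the sample account are assumed values chosen for illustration, not figures set by the BSP.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Policy parameters: assumed values for illustration, not figures set by the BSP.
TRANSFER_NOTIFY_THRESHOLD = 50_000              # PHP; notify the customer above this amount
DEVICE_ACTIVATION_DELAY = timedelta(hours=24)   # a new device / soft token cannot transact before this
COOLING_OFF_PERIOD = timedelta(hours=48)        # no transfers this long after a key account change

# Anything a handset would render as a tappable link (assumed pattern; extend the TLD list as needed).
_LINK_RE = re.compile(
    r"https?://|www\.|\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.(?:com|net|org|ph|io|ly|app)\b",
    re.IGNORECASE,
)


@dataclass
class Account:
    customer_name: str
    devices: dict = field(default_factory=dict)   # device_id -> registration time
    last_key_change: Optional[datetime] = None   # e.g. mobile number or e-mail address changed


def contains_link(message: str) -> bool:
    """Outbound message linter: True if the text carries a clickable link."""
    return _LINK_RE.search(message) is not None


def customer_message(acct: Account, body: str) -> str:
    """Personalised, link-free notification; refuses to build a message that carries a link."""
    text = f"Hi {acct.customer_name}, {body}"
    if contains_link(text):
        raise ValueError("outbound customer message must not contain a link")
    return text


def register_device(acct: Account, device_id: str, now: datetime) -> str:
    """Record a new device; it only becomes usable after DEVICE_ACTIVATION_DELAY."""
    acct.devices[device_id] = now
    hours = int(DEVICE_ACTIVATION_DELAY.total_seconds() // 3600)
    return customer_message(acct, "a new device was registered on your account. "
                                  f"It can transact after {hours} hours. If this was not you, call your bank.")


def change_key_detail(acct: Account, detail: str, now: datetime) -> str:
    """Record a key account change and start the cooling-off period."""
    acct.last_key_change = now
    hours = int(COOLING_OFF_PERIOD.total_seconds() // 3600)
    return customer_message(acct, f"your {detail} was changed. Transfers are paused for {hours} hours.")


def authorize_transfer(acct: Account, device_id: str, amount: int, now: datetime):
    """Return (allowed, notifications). Declines transfers from unknown or not-yet-active
    devices and during the cooling-off window; transfers above the threshold always notify."""
    registered = acct.devices.get(device_id)
    if registered is None:
        return False, [customer_message(acct, "a transfer from an unregistered device was declined.")]
    if now - registered < DEVICE_ACTIVATION_DELAY:
        return False, [customer_message(acct, "a transfer from your newly registered device was "
                                              "declined; the device is not yet active.")]
    if acct.last_key_change is not None and now - acct.last_key_change < COOLING_OFF_PERIOD:
        return False, [customer_message(acct, "a transfer was declined because your account "
                                              "details were changed recently.")]
    notes = []
    if amount > TRANSFER_NOTIFY_THRESHOLD:
        notes.append(customer_message(acct, f"a transfer of PHP {amount:,} was made from your "
                                            "account. If this was not you, call your bank."))
    return True, notes


def demo() -> dict:
    """Walk one constructed account through the controls; returns the decisions."""
    t0 = datetime(2022, 8, 9, 9, 0)
    acct = Account("Juan")                                   # constructed sample customer
    register_device(acct, "phone-1", t0)
    early = authorize_transfer(acct, "phone-1", 10_000, t0 + timedelta(hours=1))
    small = authorize_transfer(acct, "phone-1", 10_000, t0 + timedelta(hours=25))
    large = authorize_transfer(acct, "phone-1", 60_000, t0 + timedelta(hours=25))
    change_key_detail(acct, "registered mobile number", t0 + timedelta(hours=26))
    cooling = authorize_transfer(acct, "phone-1", 1_000, t0 + timedelta(hours=27))
    after = authorize_transfer(acct, "phone-1", 1_000, t0 + timedelta(hours=75))
    return {
        "early": early[0],                      # False: device still in activation delay
        "small": (small[0], len(small[1])),     # (True, 0): allowed, below threshold, no notice
        "large": (large[0], len(large[1])),     # (True, 1): allowed, customer notified
        "cooling": cooling[0],                  # False: inside the cooling-off window
        "after": after[0],                      # True: cooling-off period has elapsed
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Every notification passes through customer_message, so a template that someone later edits to include a link fails at build time rather than reaching a customer; the device delay and cooling-off checks run before any amount-based logic, so a freshly enrolled attacker device gains nothing from splitting a large transfer into small ones.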

Most cyber incidents reported to the BSP target retail customers, and the criminals behind them were not “highly technical” or using advanced tools, said the BSP.

Based on the BSP’s cyber threats surveillance, in 2021 the top three types of cyber incidents reported by BSFIs were: phishing; “card not present” fraud; and identity theft.

The most common cyber fraud is phishing, together with its variants SMiShing (via SMS) and vishing (via voice calls). These are social engineering attacks that lead to account takeover: they manipulate customers into disclosing the sensitive personal and account information needed to execute unauthorized transactions.

Card-not-present fraud is fraud that does not involve physical presentation of the card to the merchant; it may be conducted online or over the phone.

The BSP received almost 10,000 consumer complaints in 2021. While not all are cyber-related, the volume points to rising threats against financial consumers, both online and offline.