The Bangko Sentral ng Pilipinas (BSP) has issued recommendations for all its supervised financial institutions (BSFIs) to reinforce email security controls to effectively block persistent cyberthreats such as business email compromise (BEC), spam, phishing, ransomware and other malware attacks.
In a memo (Memorandum No. M-2022-043), signed by BSP Deputy Governor Chuchi G. Fonacier last Oct. 7, the BSP wants banks to adopt six recommendations aimed at “robust and layered security controls”, as well as the industry best practices already laid out in existing BSP rules and regulations on cybersecurity.
But to further enhance email security, Fonacier said BSFIs should adopt, as warranted, the security controls and best practices in safeguarding both incoming and outgoing emails.
In addition, she said BSFIs are expected to promptly report to the BSP any major email-related cyber incidents and crimes as per BSP’s rules on event-driven report and notification (EDRN) and report on crimes and losses (RCL). “In certain instances, BSFIs may need to seek assistance and cooperate with appropriate law enforcement authorities for prompt resolution of cybercrime cases, especially if cases involve public safety and security, pursuant to the Cybercrime Prevention Act of 2012 and other relevant laws and regulations,” said Fonacier.
The BSP recognizes that, amid digital transformation initiatives, email has become the primary means of communication in core business operations, from marketing, sales and customer support to logistics and supplier contracting, among others.
Fonacier said email is also used as one of the main verification and authentication factors linked to a bank, financial, or e-payment account in providing electronic payments and financial services (EPFS).
“Given the central role of email in digital communications, cyberthreats ranging from spam, phishing, ransomware and other malware attacks targeting email platforms and communications continue to confront BSFIs,” said Fonacier.
BEC has been identified as the “most prevalent and costly cyberattacks for financial clients globally”. BEC is a type of cyberattack that uses seemingly legitimate email accounts, purportedly from another organization, to trick employees of the targeted business into handing over credentials, money, personal information, financial details or other sensitive data, the BSP said.
According to Fonacier, most BEC attacks rely on spoofing a corporate or individual identity: the email address of the legitimate sender is impersonated so that the recipient is misled about who sent the message, which makes the fraud attempt more effective.
To counter BEC and other email-related cyberattacks, the BSP recommends that BSFIs adopt email security controls such as “to identify and cascade whether a virus or malware infection may spread by just opening or selecting an email.”
“While this is not true for most email clients, an assessment should be conducted on the current email platform and version used especially if it enables scripting or automatic downloads and execution, which may heighten the risk of infection,” said the BSP.
Another recommendation to all BSFIs is to always inspect the email header information, namely: the “Received” headers, which record the sending host (“from”) and the receiving host (“by”) for each hop; the “From” header, which shows the sender’s name and email address; the “Reply-To” header, which is the address that will receive replies to the email; and the “Return-Path” header, which defines where bounced emails will be processed.
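As an added illustration of the header checks described above (this script is not part of the BSP memo or this article), the following Python code parses a message’s From, Reply-To, Return-Path and Received headers and flags the domain mismatches that a spoofed BEC email typically shows. Both messages, and every domain and IP address in them, are constructed sample data.

```python
"""Flag header mismatches that often indicate BEC-style sender spoofing."""
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the visible From is the bank's own domain, but replies and
# bounces are routed elsewhere and the originating hop is an unrelated relay.
SUSPICIOUS_MESSAGE = """\
Received: by mx.bank.example (Postfix) with ESMTP id 123
Received: from relay.attacker-infra.example ([198.51.100.7])
From: "CFO" <cfo@bank.example>
Reply-To: cfo@bank-example-pay.example
Return-Path: <bounce@relay.attacker-infra.example>
Subject: Urgent wire transfer

Please process the attached payment today.
"""

# Constructed sample: all sender-related headers agree with the From domain.
LEGITIMATE_MESSAGE = """\
Received: by mx.bank.example (Postfix) with ESMTP id 456
Received: from mail.bank.example ([192.0.2.10]) by mx.bank.example
From: "CFO" <cfo@bank.example>
Return-Path: <cfo@bank.example>
Subject: Board pack

Attached are the minutes from yesterday.
"""


def _domain(addr_header):
    """Return the lowercased domain of an address header, or '' if absent."""
    _, addr = parseaddr(addr_header or "")
    return addr.rpartition("@")[2].lower()


def analyze_headers(raw_message):
    """Return a list of findings; an empty list means no mismatch was seen."""
    msg = message_from_string(raw_message)
    findings = []
    from_domain = _domain(msg.get("From"))
    reply_domain = _domain(msg.get("Reply-To"))
    return_domain = _domain(msg.get("Return-Path"))
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain!r} differs from From domain {from_domain!r}")
    if return_domain and return_domain != from_domain:
        findings.append(f"Return-Path domain {return_domain!r} differs from From domain {from_domain!r}")
    # Each MTA prepends its own Received header, so the last one is the originating hop.
    # Substring matching is a deliberately simple heuristic for illustration.
    received = msg.get_all("Received") or []
    if received and from_domain and from_domain not in received[-1].lower():
        findings.append(f"Originating Received hop does not mention From domain {from_domain!r}")
    return findings
```

A mismatch is a signal for closer review rather than proof of fraud, since legitimate bulk mailers and forwarding services also produce Reply-To and Return-Path domains that differ from the From domain.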
The BSP also strongly advises BSFIs to scrutinize the content of the email. “Phishing emails oftentimes have generic greetings and contain unfamiliar links or attachments or unsolicited requests for personal information. These emails are also unexpected and usually contain a sense of urgency that pushes the recipient to act quickly. It is advisable not to click any attachments or links unless the communication is verified,” said the BSP.
The central bank also recommends the strict adoption of the following email security controls: contact the sender of the message through a different/trusted channel to verify the validity of the email; provide guidance on how to report and handle suspicious or malicious emails based on the entity’s policies; and conduct regular phishing simulations or exercises.