BSP wants stronger email cybersecurity for banks, non-banks

Published Oct 11, 2022 02:49 pm

The Bangko Sentral ng Pilipinas (BSP) has issued recommendations for all its supervised financial institutions (BSFIs) to reinforce email security controls to effectively block persistent cyberthreats such as business email compromise (BEC), spam, phishing, ransomware and other malware attacks.

In a memo (Memorandum No. M-2022-043) signed by BSP Deputy Governor Chuchi G. Fonacier last Oct. 7, the BSP wants banks to adopt six recommendations for “robust and layered security controls”, as well as the industry best practices already laid out in existing BSP rules and regulations on cybersecurity.

But to further enhance email security, Fonacier said BSFIs should adopt, as warranted, the security controls and best practices in safeguarding both incoming and outgoing emails.

In addition, she said BSFIs are expected to promptly report to the BSP any major email-related cyber incidents and crimes as per BSP’s rules on event-driven report and notification (EDRN) and report on crimes and losses (RCL). “In certain instances, BSFIs may need to seek assistance and cooperate with appropriate law enforcement authorities for prompt resolution of cybercrime cases, especially if cases involve public safety and security, pursuant to the Cybercrime Prevention Act of 2012 and other relevant laws and regulations,” said Fonacier.

The BSP recognizes that, amid digital transformation initiatives, email is the primary means of communication in core business operations, from marketing, sales and customer support to logistics and supplier contracting, among others.

Fonacier said email is also used as one of the main verification and authentication factors linked to a bank, financial, or e-payment account in providing electronic payments and financial services (EPFS).

“Given the central role of email in digital communications, cyberthreats ranging from spam, phishing, ransomware and other malware attacks targeting email platforms and communications continue to confront BSFIs,” said Fonacier.

BEC has been identified as the “most prevalent and costly cyberattacks for financial clients globally”. BEC is a type of cyberattack that uses seemingly legitimate email accounts from one organization to fraudulently trick employees of another business into giving up their credentials, money, personal information, financial details or other sensitive data, said the BSP.

According to Fonacier, most BEC attacks rely on spoofing of a corporate or individual identity, whereby the email address of the legitimate sender is impersonated to mislead the recipient about who sent the email, thereby making the fraud attempt more effective.

To counter BEC and other email-related cyberattacks, the BSP recommends that BSFIs adopt email security controls such as the following. The first is “to identify and cascade whether a virus or malware infection may spread by just opening or selecting an email.”

“While this is not true for most email clients, an assessment should be conducted on the current email platform and version used especially if it enables scripting or automatic downloads and execution, which may heighten the risk of infection,” said the BSP.

Another recommendation to all BSFIs is to always inspect the email header information, such as: “Received” (from the sender, by the receiver), which records each mail server the message passed through; “From”, which shows the sender’s name and email address; “Reply-To”, the email address that will receive replies to the email; and “Return-Path”, which defines where bounced emails will be processed. A mismatch between the domains in these fields is a common sign of a spoofed message.

The BSP also strongly advises to scrutinize the content of the email. “Phishing emails oftentimes have generic greetings and contain unfamiliar links or attachments or unsolicited requests for personal information. These emails are also unexpected and usually contain a sense of urgency that pushes the recipient to act quickly. It is advisable not to click any attachments or links unless the communication is verified,” said the BSP.
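The header inspection and content scrutiny the memo describes can be automated as a first-pass triage before a human verifies the message through another channel. The following is an added example, not code from the BSP memo or from any BSFI; it uses Python's standard-library email parser. The two raw messages are constructed for illustration (all domains and IP addresses are hypothetical), and the keyword lists and the "two or more findings" threshold are assumptions a practitioner would tune to their own environment.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample (not a real message): a From address that looks like the
# bank's own domain, while Reply-To and Return-Path point elsewhere, plus the
# content cues the memo lists (generic greeting, urgency, unfamiliar link).
SAMPLE_RAW = b"""Received: from mail.example-partner.com (203.0.113.10) by mx.example-bank.ph
Received: from unknown (198.51.100.7) by mail.example-partner.com
From: "Finance Director" <cfo@example-bank.ph>
Reply-To: cfo.example-bank@webmail-free.example
Return-Path: <bounce@bulk-sender.example>
To: payments@example-bank.ph
Subject: URGENT: wire transfer needed today
Content-Type: text/plain; charset="utf-8"

Dear Customer,

Please process the attached invoice immediately, the deadline is today.
Confirm your login here: http://203.0.113.45/verify
"""

# Constructed benign sample: aligned headers, personal greeting, no urgency.
CLEAN_RAW = b"""Received: from mail.example-bank.ph (192.0.2.5) by mx.example-bank.ph
From: "Jane Dela Cruz" <jane@example-bank.ph>
Return-Path: <jane@example-bank.ph>
To: payments@example-bank.ph
Subject: Q3 vendor list
Content-Type: text/plain; charset="utf-8"

Hi Ben,

Attached is the vendor list we discussed on Monday.
"""

# Assumed cue lists; a real deployment would maintain these per organisation.
URGENCY_WORDS = ("urgent", "immediately", "today", "asap", "deadline", "act now")
GENERIC_GREETINGS = ("dear customer", "dear user", "dear sir/madam", "hello,")


def domain_of(addr):
    """Return the lowercased domain of an address header value, or '' if absent."""
    _, address = parseaddr(str(addr or ""))
    return address.rpartition("@")[2].lower()


def header_findings(msg):
    """Header checks from the memo: From vs Reply-To vs Return-Path, and Received."""
    findings = []
    from_dom = domain_of(msg.get("From"))
    reply_dom = domain_of(msg.get("Reply-To"))
    return_dom = domain_of(msg.get("Return-Path"))
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    if return_dom and return_dom != from_dom:
        findings.append(f"Return-Path domain {return_dom} differs from From domain {from_dom}")
    # Each hop prepends its own Received header, so the last one is the origin.
    received = msg.get_all("Received") or []
    if received and "unknown" in received[-1].lower():
        findings.append("Originating Received hop has no resolvable sender name")
    return findings


def content_findings(msg):
    """Content checks from the memo: generic greeting, urgency, suspicious links."""
    findings = []
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    subject = (msg.get("Subject") or "").lower()
    if any(text.lstrip().startswith(g) for g in GENERIC_GREETINGS):
        findings.append("Generic greeting")
    urgent = [w for w in URGENCY_WORDS if w in subject or w in text]
    if urgent:
        findings.append("Urgency language: " + ", ".join(urgent))
    links = re.findall(r"https?://\S+", text)
    if any(re.match(r"https?://\d+\.\d+\.\d+\.\d+", link) for link in links):
        findings.append("Link to a bare IP address")
    return findings


def triage(raw_bytes):
    """Parse a raw message and return its findings; two or more is flagged (assumed threshold)."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = header_findings(msg) + content_findings(msg)
    return {"from": msg.get("From"), "findings": findings, "suspicious": len(findings) >= 2}


if __name__ == "__main__":
    for raw in (SAMPLE_RAW, CLEAN_RAW):
        result = triage(raw)
        print("From:", result["from"])
        for finding in result["findings"]:
            print("  -", finding)
        print("  Verdict:", "suspicious, verify via another channel" if result["suspicious"] else "no indicators")
```

A flagged result is a prompt to verify, not a verdict: legitimate mailing-list and ticketing systems also set a Return-Path on another domain, which is why the memo pairs header inspection with out-of-band confirmation of the sender.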

The central bank also recommends the strict adoption of the following email security controls: contact the sender of the message through a different/trusted channel to verify the validity of the email; provide guidance on how to report and handle suspicious or malicious emails based on the entity’s policies; and conduct regular phishing simulations or exercises.
