Scams and frauds remain a serious threat to financial institutions and consumers, especially as fraudsters grow more sophisticated and the technologies and methods they employ continue to advance. Innovations that allow people to conveniently manage financial tasks and transactions via digital channels have ironically opened opportunities for fraudsters to deceive the banking public.

Jonathan John B. Paz, BPI’s enterprise information security and data privacy officer

According to Jonathan John B. Paz, enterprise information security and data privacy officer of the Bank of the Philippine Islands (BPI), as banks increasingly rely on digitalization to achieve expanded reach, personalization of banking, development of services, and improving the efficiency of operations, security vulnerabilities increase correspondingly.

“Users have become so used to online and mobile banking that there’s a tendency to take basic security hygiene for granted, exposing themselves to greater risks of account takeover — enabling fraud,” Mr. Paz told BusinessWorld in an e-mail.

With changes in technology, fraudsters have a broader scope to exploit the weakest links in security. These weaknesses range from customers’ bad habits, such as using weak passwords and failing to protect sensitive data, to vulnerabilities in a bank’s own security.

As a result, financial institutions and their clients are now more exposed to various risks, such as phishing, identity theft, card skimming, vishing, smishing, viruses and Trojans, spyware and adware, social engineering, Web site cloning, and cyber stalking.

Mr. Paz said that it is not surprising that the financial industry continues to be one of the most attacked sectors globally due to the sheer number of targets, including access to personal and financial records, payment systems, personal online banking facilities, and ATMs.

In the local banking scene, phishing is by far the most favored modus operandi, according to Mr. Paz. “Phished credentials and other sensitive information such as credit card details, e-mail access and mobile numbers enable fraud to be committed against unwitting individuals,” he said.

Phishing, as defined by the Bangko Sentral ng Pilipinas (BSP), is a form of identity theft whereby someone steals or uses personal or sensitive information of another person without his or her knowledge or permission, through hacking into one’s personal account, hijacking one’s data and taking over one’s online identity, to commit fraudulent acts or crimes, or conduct unauthorized business.

This kind of cyberattack may be done by various methods other than e-mail, such as text messages, chat rooms, electronic fake banner advertisements or message boards, fake mailing lists, fake job search sites and job offers, and fake browser toolbars.

Once the scammers have obtained the confidential information of a certain individual, it becomes possible for them to withdraw money or purchase items under the victim’s name, open a new bank or credit card account, use an account to illegally deal with other people, or encash checks on his or her behalf.

The increasing number of scam and fraud cases has disturbing effects not only on the banking public but also on financial institutions and the banking industry in general.

“By impersonating banks, fraudsters can degrade the trust that exists between the client and institution, specifically in the services being offered by the latter,” Mr. Paz said.

“A client once victimized through account takeover may never take to online banking the same way again. If these types of incidents become widespread enough, this will undermine the whole project of digitalization not only for one specific bank but for the entire industry as well,” he added.

Just as fraudsters are always coming up with new and more sophisticated methods of deception, banks are doing their part to protect their clients against different frauds.

Recently, local banks have shifted to chip-based or EMV cards, which are believed to be more secure compared with cards with magnetic stripe technology.

Some banks are also using biometrics technology for their mobile app-based services, such as fingerprint and voice authentication, to keep unauthorized people from gaining access to the accounts of their clients.

In addition to these, Mr. Paz said that banks have to become proactive in managing the risks of fraud by embedding a culture of risk awareness and management in developing and maintaining systems and the processes that support these systems.

“We need to make sure that not only do we identify and address the vulnerabilities of these systems and processes on a continuing basis. We also need to know the enemy — what their capabilities, methods and targets are and the ecosystems they operate in — through a robust threat intelligence capability,” he added.

Amid the rising cybersecurity risks in the electronic space, the BSP, according to Mr. Paz, has been proactive in recognizing the dangers of putting banking services online. He said that the institution had issued a number of circulars and other regulatory requirements in order to ensure that the industry is better prepared to identify, assess and manage cyber risks without unnecessarily stifling innovation, which is necessary to bring more people into the banking system.

In November of last year, BSP issued stricter rules to boost cybersecurity measures. In a statement, the BSP said that the Monetary Board — its highest policy-making body — approved pioneering guidelines on information security management that place renewed focus on cybersecurity. This seeks to address the growing concerns with the fast-evolving cyber threats that continue to confront global as well as domestic financial communities.

According to the central bank, the amended rules highlight the role of the BSP-supervised financial institutions’ board and senior management in spearheading sound information security governance and strong security culture within their respective networks.

The new guidelines also cover key elements of cyber resilience, such as participation in information sharing and collaboration fora, enhancing situational awareness capabilities, and adoption of advanced cybersecurity controls and countermeasures.

A good example is the creation of a 24/7 security operations center, which is equipped with advanced technologies and manned by competent analysts, to proactively monitor emerging and highly sophisticated cyber threats and attacks. — Mark Louis F. Ferrolino