THE Bangko Sentral ng Pilipinas (BSP) told banks to boost their efforts to prevent phishing attacks that have led to losses for their clients amid the rise in digital transactions.

Memorandum No. M-2022-015 signed by BSP Deputy Governor Chuchi G. Fonacier on March 22 laid down supplementary controls that supervised financial institutions can implement to help prevent unauthorized transactions.

“BSP-supervised financial institutions should conduct continuing risk assessment of its product features, business rules and application controls, and implement appropriate enhancements and mitigation, as necessary,” it said.

“Fraudsters are adept in exploiting legitimate application features and business rules as well as in bypassing layers of controls,” the BSP said.

The central bank identified account takeovers and social engineering attacks as the most prevalent schemes by fraudsters.

“These are intended to manipulate customers into disclosing sensitive personal and account information necessary to execute unauthorized transactions,” it said.

To counter the aggressive phishing schemes, the BSP suggested ways for financial institutions to step up their guard.

For one, the BSP said banks should remove clickable links in e-mails and messages sent to retail clients. This should be complemented by a campaign to ensure users know that clickable links have been phased out.

The BSP said financial institutions should also have a customer notification measure coursed through mobile or e-mail whenever there is a request to change a mobile number, e-mail address, or account credential.

Sending personalized one-time personal identification number (PIN) messages to clients for services like device registration, fund transfer, and profile update, among others were also suggested.

The BSP said officials or representatives of financial institutions should be restricted from requesting or obtaining passwords and other critical authentication like one-time passwords. These institutions should also have a dedicated customer assistance team that will focus on and prioritize fraud cases.

Control measures include mandatory transaction notification for fund transfers beyond a predefined account as well as a cooling-off period for account changes is also recommended after a thorough risk analysis and assessment.

To boost financial consumer awareness, the BSP said banks should conduct regular customer education campaigns that discuss online scams and phishing schemes, as well as prevention.

The BSP said financial institutions should be equipped with surveillance mechanisms that will promptly address the growing threat of online scams.

Financial institutions are encouraged to tap existing information sharing platforms within the industry to investigate and recover funds lost to fraud incidents. They are likewise encouraged to cooperate with law enforcement agencies to resolve cybercrime cases.

In January, the Bankers Association of the Philippines partnered with the Department of Justice to boost information sharing and training to prevent financial cybercrimes.

“Banks have been recently proactively implementing measures designed to help clients protect themselves from cybercrime. One example is the removal of clickable links in SMS messages and e-mails that banks send to clients,” the BAP said in a Viber message.

The industry group said ensuring cybersecurity is a shared responsibility of the government, the banking industry, and the public.

Unauthorized withdrawals in illegal transfers reached over P1 billion during the pandemic, Justice Secretary Menardo I. Guevarra has said.

BSP Governor Benjamin E. Diokno earlier said financial institutions may have to reassess their spending on cybersecurity as more users shift to digital transactions. He said a major cyberattack may have a possible systemic implication to the Philippine financial system. — Luz Wendy T. Noble