The Bangko Sentral ng Pilipinas (BSP) has directed banks and financial institutions to implement control measures against cyber fraud and attacks amid the massive shift to electronics and digital channels.
BSP Deputy Governor Chuchi Fonacier said attacks on retail customers using mobile, internet, and web applications have risen as financial transactions increasingly shift due to the COVID-19 pandemic.
Fonacier said the most prevalent among the schemes employed are account takeover and social engineering attacks that involve phishing and its variations such as smishing and vishing.
“These are intended to manipulate customers into disclosing sensitive personal and account information necessary to execute unauthorized transactions. Fraudsters are adept in exploiting legitimate application features and business rules as well as in bypassing layers of controls,” Fonacier added.
According to the regulator, BSP-supervised financial institutions (BSFIs) should conduct continuing risk assessments of their product features, business rules and application controls, and implement appropriate enhancements and mitigations as necessary.
The central bank added that there should be a consistent and industry-wide approach in countering the aggressive phishing campaigns.
These measures include the removal of clickable links in emails or SMS sent to retail customers followed by an information campaign that the BSFI will no longer be sending clickable links.
Customers should also be notified, through the mobile number or email address already registered with the BSFI, whenever there is a request to change their mobile number, email address, or account credentials.
Fonacier said banks and financial institutions should implement mandatory fund transfer transaction notifications to customers through SMS and/or email for transactions exceeding a predefined amount, as well as a hold or delay before activation of a new soft token on a mobile device.
The BSP said there should be a cooling-off period before the implementation of requests for key account changes such as those for the mobile number and email address.
According to the BSP, there should also be personalized SMS or email OTP messages for device registration, fund transfer, and profile update, among others.
Furthermore, any BSFI officer or representative should be restricted from manually obtaining or inquiring about critical authentication information such as a customer's password and/or one-time password/PIN.
Banks should also establish dedicated and well-resourced customer assistance teams that deal with feedback on potential fraud cases on a priority basis, and conduct regular customer education campaigns against online scams and phishing schemes.
Lastly, Fonacier said BSFIs should adopt strong fraud surveillance mechanisms to ensure prompt responses in dealing with the growing threat of online scams.
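The controls listed above (no clickable links in outbound messages, alerts on the previously registered channel when contact details change, a cooling-off period before such changes take effect, a hold before a new soft token becomes usable, transaction-bound OTP messages, and mandatory notifications above a transfer threshold) can be expressed as a small set of rules. The following is an added illustration written for this article, not code from the BSP or any bank; the delay and threshold values (24 hours, 12 hours, PHP 10,000) are assumptions, since the circular text gives no figures, and the OTP verification step itself is out of scope.

```python
"""Hypothetical fraud-control rules illustrating the BSP measures above.
Constructed example; delay and threshold values are assumptions, not BSP figures."""
import re
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Assumed parameters: the BSP directive names the controls but not the values.
COOLING_OFF = timedelta(hours=24)        # delay before a mobile/email change takes effect
SOFT_TOKEN_HOLD = timedelta(hours=12)    # hold before a newly enrolled soft token works
TRANSFER_NOTIFY_THRESHOLD = 10_000.00    # PHP; transfers above this trigger a notification

URL_RE = re.compile(r"(https?://|www\.)\S+", re.IGNORECASE)


@dataclass
class Customer:
    customer_id: str
    mobile: str
    email: str
    pending_changes: list = field(default_factory=list)   # (field, new_value, effective_at)
    soft_token_active_at: Optional[datetime] = None
    outbox: list = field(default_factory=list)            # (mobile, email, message) as sent


def notify(customer: Customer, message: str) -> None:
    """Deliver to the contact details currently on file (never the requested new ones)
    and refuse any outbound text that carries a clickable link."""
    if URL_RE.search(message):
        raise ValueError("outbound customer messages must not contain links")
    customer.outbox.append((customer.mobile, customer.email, message))


def request_contact_change(customer: Customer, field_name: str, new_value: str,
                           now: datetime) -> datetime:
    """Queue a mobile/email change behind the cooling-off period and alert the
    customer on the old channel so an unauthorized request can be reported in time."""
    if field_name not in ("mobile", "email"):
        raise ValueError("only key contact fields are subject to cooling-off")
    effective_at = now + COOLING_OFF
    customer.pending_changes.append((field_name, new_value, effective_at))
    notify(customer, f"A request to change your {field_name} was received and will take "
                     f"effect on {effective_at:%Y-%m-%d %H:%M}. If you did not request "
                     f"this, call the number printed on your card.")
    return effective_at


def apply_due_changes(customer: Customer, now: datetime) -> list:
    """Apply only the queued changes whose cooling-off period has elapsed."""
    applied, remaining = [], []
    for field_name, new_value, effective_at in customer.pending_changes:
        if effective_at <= now:
            setattr(customer, field_name, new_value)
            applied.append(field_name)
        else:
            remaining.append((field_name, new_value, effective_at))
    customer.pending_changes = remaining
    return applied


def enroll_soft_token(customer: Customer, device_id: str, now: datetime) -> datetime:
    """Hold a new soft token before it can authorize anything. The OTP message is
    personalized with the device name so the customer sees what they are approving."""
    otp = f"{secrets.randbelow(10**6):06d}"
    customer.soft_token_active_at = now + SOFT_TOKEN_HOLD
    notify(customer, f"OTP {otp} to register device {device_id}. The token becomes usable "
                     f"after {customer.soft_token_active_at:%Y-%m-%d %H:%M}.")
    return customer.soft_token_active_at


def soft_token_usable(customer: Customer, now: datetime) -> bool:
    return customer.soft_token_active_at is not None and now >= customer.soft_token_active_at


def fund_transfer(customer: Customer, amount: float, payee: str, now: datetime) -> bool:
    """Issue a transaction-bound OTP and, above the threshold, a completion notice.
    Returns True when the mandatory large-transfer notification was sent."""
    otp = f"{secrets.randbelow(10**6):06d}"
    notify(customer, f"OTP {otp} for transfer of PHP {amount:,.2f} to {payee}. "
                     f"Never share this code, not even with bank staff.")
    if amount > TRANSFER_NOTIFY_THRESHOLD:
        notify(customer, f"Transfer of PHP {amount:,.2f} to {payee} was made on "
                         f"{now:%Y-%m-%d %H:%M}. Report it if unauthorized.")
        return True
    return False


def demo() -> dict:
    """Walk the controls through a constructed scenario and return the observations."""
    now = datetime(2021, 6, 1, 9, 0)                       # constructed timestamp
    c = Customer("C001", "+639170000000", "customer@example.com")   # constructed data
    effective_at = request_contact_change(c, "mobile", "+639179999999", now)
    early = apply_due_changes(c, now + timedelta(hours=1))
    on_time = apply_due_changes(c, effective_at)
    token_at = enroll_soft_token(c, "android-handset", now)
    try:
        notify(c, "Verify your account at https://example.com/login")
        link_rejected = False
    except ValueError:
        link_rejected = True
    return {
        "mobile_unchanged_until_cooloff": early == [],
        "mobile_changed_after_cooloff": on_time == ["mobile"] and c.mobile == "+639179999999",
        "alert_went_to_old_mobile": c.outbox[0][0] == "+639170000000",
        "token_blocked_during_hold": not soft_token_usable(c, now),
        "token_usable_after_hold": soft_token_usable(c, token_at),
        "small_transfer_notified": fund_transfer(c, 500.00, "Juan Dela Cruz", now),
        "large_transfer_notified": fund_transfer(c, 25_000.00, "Juan Dela Cruz", now),
        "link_rejected": link_rejected,
        "messages_sent": len(c.outbox),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two design points matter here: the change alert is always sent to the contact details on file before the change, so an attacker who has already taken over the account cannot redirect the warning to their own number, and the OTP text names the specific device or payee and amount, which is what lets a customer notice when a code they were socially engineered into reading out does not match what they think they are doing.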