PHISHING PUSHES PROLIFERATION OF PROFITEERING PRACTICES IN PANDEMIC
ALL it takes is one click. Someone’s personal information, such as bank account and contact details, can be stolen with just one click on suspicious links and emails.
These are then used by fraudsters to transact—buying items on e-commerce shops or transferring funds to personal accounts for self-benefit, among others—without the consent of the owner.
Long story short, they are stealing money.
Amid the great shift to digital platforms, online phishing and other related scams have been on the rise and the perpetrators are only getting even more ingenious.
These scammers have been preying on vulnerable and less digitally savvy consumers so they can pocket some money, usually out of desperation given the ongoing crisis.
Prevalent cyberattacks
WITH the banks advancing digital use, identity theft and phishing have become the most common types of online fraud in Southeast Asia, including the Philippines, according to a study by big data and artificial intelligence (AI) firm Advance.ai.
By assuming someone’s identity—after obtaining personal information—Advance.ai said that fraudsters are illegally completing transactions or making purchases. They target sensitive data such as names, addresses and e-mail addresses.
Scammers are able to get such information through phishing. They trick unsuspecting customers into visiting fake websites to steal the users’ password to take over the account. Some even falsely represent themselves as representatives of financial institutions to manipulate customers into providing their sensitive information.
“Some sophisticated fraudsters even intercept communications between customers and merchants (or between customers and banks) in order to siphon off logging-in data or access someone’s account legally via bots,” the Singapore-based consultancy firm said.
Retail attacks
ANOTHER popular phishing technique is through email that appears to be sent by the credit cardholders’ bank, Credit Card Association of the Philippines (CCAP) said in a recent statement.
The industry group said, “these emails have subjects ranging from a new device log-in to a credit card upgrade and their goal is to attain the cardholder’s card details and online banking credentials.”
Ramon L. Jocson, Bank of the Philippine Islands (BPI) Chief Operating Officer, told the BusinessMirror that phishing is among the retail attacks that have indeed become prevalent.
Citing an Interpol survey, Jocson said phishing was present in 194 countries and comprised 59 percent of all reported attacks last year. Interpol (International Criminal Police Organization) is an intergovernmental organization.
“The pandemic situation is being used by fraudsters as an opportunity to do phishing attempts since not all customers are aware of cyber fraud and ways on how to spot fraudsters,” Philippine National Bank (PNB) told this newspaper.
Engineering attacks
THE Bangko Sentral ng Pilipinas (BSP) has increased monitoring for developments relating to the digital economy following an accelerated shift to online transactions. Its findings pointed to an expected conclusion: the cases of reported cybercrimes in 2020 were much higher than the prepandemic levels.
“While their (fraudsters) tactics were constantly shifting from distributed-denial-of-service (DDOS) to malware attacks, these cyber threat actors heavily relied on social engineering attacks such as phishing to facilitate other types of cybercrime,” the BSP told the BusinessMirror, noting that phishing has also taken the form of voice and SMS (short message service) phishing.
Phishing incidents were the top cybersecurity concern for banks and financial institutions last year, the Central Bank confirmed. According to the National Bureau of Investigation’s Anti Cybercrime Group, meanwhile, cybercrimes doubled in the second half of 2020 compared to the first half.
CCAP noted that lockdown measures prompted payments to shift from card-present or face-to-face transactions to card-not-present (CNP), which includes remote payments and other digital means. With this, cases of CNP fraud recorded between April and November of 2020 surged by 29 percent from the same period in 2019.
“Fraud happens more often in cyberspace, given that it is easier to facilitate there,” CCAP Executive Director Alex B. Ilagan said. “It does away with the need to secure a physical card, and more importantly, it is a safer option for the fraudsters because of the anonymity that the internet provides.”
Still undeterred
FOR its part, the Ayala-led BPI said that it took down 300 to 500 phishing sites per month last year. Its cybersecurity operations center monitors this type of fraud.
Despite such incidents, the Central Bank said that consumers were not deterred from accomplishing online transactions.
In fact, the BSP noted that around 4 million digital accounts were opened through banks and non-bank electronic money issuers from March 17 to April 30 last year. Accounts opened per day averaged 113,300 from April 16 to 30 last year, which showed a 39-percent increase from the previous month, it added.
Citing GSMA Intelligence data (based on fourth quarter of 2019 information), Advance.ai noted that the Philippines has smartphone penetration of 159 percent, higher than Indonesia, Thailand, Vietnam and Singapore. However, the country is among the lowest in the region in terms of Internet penetration at 67 percent.
Surge during Covid
NOW, the question is: how come scammers can still mount successful attacks despite numerous warnings and previous incidents?
Fraudsters are keeping up with technological advancements and adapting more techniques to scam potential victims, Union Bank of the Philippines Chief Information Security Officer Jose Paolo G. Rufo told the BusinessMirror.
“The wealth of information and anonymity in the Internet increased their ability to collaborate with other syndicates to continuously hone their skills and toolsets,” he explained.
Rufo said that fraudsters are even creating localized and holiday-themed phishing emails to entice the customers with false rewards. These emails, as mentioned, will then lead to phishing sites.
BPI’s Jocson, meanwhile, observed that fraudsters are becoming more meticulous when it comes to crafting deceptive emails.
He said that phishing emails were “easy to spot” before because they usually contain grammatical errors or wrong spellings, among others. Some scammers now, he noted, have learned to “polish their prose and improve their visuals” so they can appear legitimate.
As Rufo mentioned, Jocson observed a surge in Covid-themed phishing emails in the past year. These usually offer a Covid-19 cure, preferential priority for vaccines and other related matters, he said.
“Lastly, the sophistication has also been reflected in how these criminal groups are organized - we have seen them layering the activities to the extent that most of the phishing site design/build and harvesting of data is outsourced,” Jocson added.
These instances are not only in the Philippines. Advance.ai Chief Commercial Officer Bernardi Susastyo said fraud criminals in Southeast Asia have also adapted to sharpen their strategies in exploiting the digital world.
The big data company agreed that fraudsters are more equipped with tools for identity theft today, allowing them to commit more financial scams. This could result in economic losses and hamper the progress of the digital economy at the same time, Advance.ai added.
Factors for fraud
APART from lack of awareness, Advance.ai cited inefficiencies in identity verification among the top factors for online fraud.
Identity verification should be addressed to improve the risk management of the banks and financial institutions, it noted.
Fintechalliance.ph Chairman Angelito M. Villanueva said banks should implement digital identification using the electronic KYC (know your customer) procedure to protect their clients’ identity and other relevant data.
“The digital ID system would minimize or prevent occasions of fraud,” Villanueva told this newspaper. “An effective digital ID gives assurance, protection, and control over personal data.”
This would be realized with the “aggressive implementation of the Philippine Statistics Authority (PSA) in the deployment of the national ID system called PhilSys,” he added. PSA aims to register about 50 to 70 million Filipinos this year.
In addition, Jocson said that banks have implemented multifactor authentication, encryption and stricter onboarding processes, among others, to prevent potential identity theft.
Rule-based engines
CONTROLLING and mitigating risks to allow sustainable development of the digital economy has become a more serious undertaking, Advance.ai said, noting that fraud exists given the opportunity.
With this, financial services firms have relied on new-generation technologies—such as AI—to counter cyberattacks, in addition to automating usual daily tasks and analyzing data, among others.
“Businesses will need to assess their readiness to manage online fraud risk and tap on the power of big data, AI technology and other advanced risk assessment technologies to help them better safeguard their assets and promote greater economic financial inclusion at the same time,” Susastyo said.
For Jocson, AI is also superior compared to rules-based engines and machine learning because it learns from the behavior and patterns of the user.
AI has the ability to take specific actions and alternative paths when dealing with fraudulent transactions as well, he noted.
“If there is an unusual behavior or pattern, the AI not only flags it as a possible fraud transaction, but can even take additional measures in either preventing the fraud, or recommending other compensating controls before the transaction is approved,” Jocson explained.
“Furthermore, the data provided by the AI can also help inform the measures we take or the communications that we release to strengthen cybersecurity,” the BPI official added.
Enhance systems
UNIONBANK’S Rufo, for his part, said that AI has been helpful in identifying fraud.
In fact, the Aboitiz-led bank has blocked thousands of fraudulent credit card transactions via its AI platforms since the beginning of the year.
“AI works by analyzing your purchase history, and compares it with fraudulent behavior to give it a score on how legitimate or fraudulent your application is,” Rufo said.
Apart from Unionbank, the Central Bank said other banks and financial institutions are also now testing or are in the early stages of AI implementation to beef up their fraud management system.
The BSP explained that such a system, with the help of AI and machine learning, will be able to collect, monitor and analyze transactions to point out fraudulent and suspicious activities. Doing so will allow early detection and even prevention of online scams, it added.
On the other hand, Villanueva emphasized the need to enhance information and data security systems as well as to prevent future scams.
“Periodic updates should be done on the system since scammers become very creative each day and before we know it, they would have invented the new modus,” he added.
Education as key
THE Central Bank understands that while the digital world is prone to scams, transitioning to it is a must to improve both the customer experience and financial inclusion.
Last year, it launched a digital payments transformation roadmap, aiming to convert 50 percent of the total volume and value of retail payments to digital by 2023. In addition, the Central Bank is targeting to have 70 percent of Filipino adults financially included within the same time frame.
“To fully optimize the value and benefits of digital platforms, the BSP ensures that risks are appropriately managed and consumer protection is upheld,” the regulator vowed.
This is why BSP has a consumer education campaign #E-safety to highlight the roles of financial consumers in protecting their digital identity and transactions.
“Amid the rise in the use of digital financial platforms through mobile and internet banking applications, cyber threat actors try to exploit consumers through targeted social engineering scams such as phishing,” BSP said. “To mitigate this, the BSP in coordination with the BSFIs [BSP supervised financial institutions], launched more intensive consumer awareness and education campaigns as a strong first line of defense against phishing attacks.”
Device monitoring
VILLANUEVA commended the initiatives of the Central Bank and the Securities and Exchange Commission in ensuring robust and advanced anti-cybercrime tools and policies.
Still, there are other matters that the BSP should address to prevent fraudulent transactions further.
Apart from the National ID System, BPI’s Jocson pointed to the need for mandatory registration of mobile phone numbers. The CCAP agrees with Jocson. Earlier, the industry group pushed for the speedy approval of a bill aimed at requiring the registration of all SIM (subscriber identity module) cards used in mobile phones in a bid to reduce credit card scams. The CCAP was referring to House Bill 7233 or the SIM Card Registration Act.
The proposed bill requires SIM card owners to declare their full name, birthdate, gender and address. Such information will allow authorities to identify the SIM card holders in case their device was used for illegal schemes, CCAP told the BusinessMirror in a recent interview.
“This [bill] will minimize, if not totally stop, the use of prepaid mobile phone numbers for committing credit card fraud because it will eliminate the cloak of anonymity provided by prepaid SIM cards,” Ilagan said.
Jocson added that the existing Cybercrime Law should also be amended to include phishing, mule accounts and economic sabotage, among others.
Online awareness
FIGHTING fraud is a shared responsibility of the regulators, banks and consumers, Rufo said.
This is why consumer education is a must to ensure that users know how to react when they receive phishing emails, he explained.
PNB said it is important for consumers to know what these crimes look like so they can be aware.
“We educate all our colleagues in the bank and all our clients regularly by alerting them and sending them advisories regarding cyber fraud through various platforms,” the Tan-led bank added.
To raise awareness about online scams, Metropolitan Bank & Trust Co. (Metrobank) launched in November last year a financial education initiative dubbed “Scam Proof.”
It is an online platform that consolidates information about different online scams and fraudulent activities and how to avoid them. Both consumers and institutions can also report any fraud cases through the digital channel so the public can be warned of potential illicit schemes.
Apart from Metrobank, the Philippine Savings Bank, BDO Unibank Inc., RCBC, Citibank Philippines and CCAP contributed content about online scams.
Villanueva, meanwhile, gave some simple tips that the consumers should always remember.
For example, banks will never ask for passwords and account numbers of their clients. Always reach out to your bank to verify emails that appear to be suspicious, he also said, adding that it may also be for the best to just delete them without even opening.
More vigilance
WHILE phishing has become more prevalent in the past year, Rufo said that it was not entirely new.
“If you can recall the Nigerian Prince, phishing and scamming has been in existence since the Internet era began and it did not really deter the growth of the Internet, the adoption of email, and to where we are now, the migration of a lot of people and services online,” he said.
The “Nigerian prince” scam is probably one of the longest-running Internet frauds today, and it still lures vulnerable victims.
This illicit scheme victimizes consumers by sending an email claiming it came from royalty overseas. A big investment opportunity or fortune is then offered by the scammer, who is asking for help to get it out of the country via the recipient’s bank account. If the recipient agreed, his or her bank account would likely then be emptied by the fraudster.
“What every institution has to take part in is that the growth of technology comes with educating the public on the risks that come with it, which includes phishing and online scams, so that they are able to navigate the cyber space peacefully while being cognizant of who could be the potential troublemaker online,” Rufo noted.
“Technology, digitization and online banking won’t stop, it will continually grow as it provides a lot of convenience and safety especially with the pandemic still around,” he added.
He also likened phishing and other online scams to the physical world’s “budol-budol” or swindling. Classic examples are when “fake electricians or fake Internet installers knock on your door and then steal your things once they are inside [your home],” he said.
“To protect our home from these scams, we tell our family, don’t talk to strangers,” Rufo said, noting that the same should be done in the digital world: do not engage with strangers on fake websites.
“Phishing is your online ‘budol-budol,’” the Unionbank official quipped.
Stalking next prey
CONSUMERS are being warned that online scams are here to stay, especially because fraudsters are taking advantage of the uncertainty of the times due to the pandemic.
“Many have lost their jobs and other sources of income. People are becoming desperate to earn money,” Villanueva said, explaining this is a great motivation for fraudsters.
At the same time, the Fintechalliance.ph head noted that people are likely to be lured by get-rich-quick schemes promising high returns in a short period of time. To this, he reminded the public to avoid making hasty decisions and to practice due diligence first before putting their money in investment opportunities.
“Scammers are just lurking in the dark like wolves waiting for the next prey,” he said.
All it takes is one click.