Warning! You could now be robbed without knowing it



What’s the saddest moment you’ve experienced? For me, it was seeing my friend in anguish when she found out that most of her life savings had been stolen from her hacked bank account. It had been several days before she found out about it.

My dear readers, you, too, are susceptible to being robbed, with just a few keystrokes, by criminals operating in the shadowy world of hacking.

In fact, even the reserves of some of the most well-established institutions are exposed to financial crime. This was proven when a group of daring anonymous thieves stole US$81 million from one central bank while using the Philippines as their cashing site. Investigators believe that the cyber thieves were able to install a form of malware known as a RAT (Remote Access Trojan), which allowed them to steal the bank's credentials without the bank knowing it. They then bypassed controls by using those stolen credentials to gain unauthorized access to the bank's SWIFT terminals, and by setting up four fraudulent accounts in a Philippine bank to which they transferred the US$81 million. By the time the Philippine bank read the message from the central bank about the fraudulent transfers, the money had already been withdrawn and was eventually laundered through Philippine casinos.

The numerous testimonies I have come across on financial crime motivate me to help prevent these occurrences. Using my combined experience as a former banker and current consultant specializing in financial crime mitigation, I would like to issue this warning: you and your company can be robbed without you ever knowing it. My role is to offer the proper advice and mitigation processes to ensure your financial security and that of your company.

You can protect your money by practicing the four key principles, which can be abbreviated as SAFE: S – Safe-keep your private information, A – Assign strong passwords and routinely change them, F – Find time to check all your financial accounts as frequently as possible, and E – Establish an alert and limit system.

Safekeeping your money starts with safekeeping your information. Take extra care before giving away your personal data. The simplest rule of thumb is never to share your password with anyone, and to share other personal information only when you are sure who is asking for it and why.

Speaking of passwords, the next important principle is to assign a strong password. It should not contain obvious information or personal data such as your address or birthday. Be creative and strengthen it by using a long, random mix of letters, numbers and symbols that has no connection to you or your family, and use a different password for each account so that one stolen password cannot open the others. You must then routinely check and change your password, which could be every 90 days or less, and you must change it immediately whenever you suspect it could have been compromised.

The third principle is to carefully review your bank and credit card statements as frequently as possible. Check that the total transactions and remaining balances are correct and whether any transaction stands out as questionable or suspect. If so, contact your bank or credit card company immediately and ask them to initiate the proper safety protocols. You should also establish a real-time notification and limit system with them that allows them to contact you in the event of a transaction or purchase that falls outside your limits. You can instruct them to set limits on the amount per transaction or on the location of transactions, and to notify you through text, email, or phone call to validate any transaction that goes beyond those limits.
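To show what the alert-and-limit principle above looks like when a bank actually implements it, here is a small rules engine written as an added example for this column; it is not code from the author or from PwC. It assumes three hypothetical rules (a per-transaction cap, a rolling 24-hour cumulative cap, and an allowed-country list), and the transactions, limits and currency amounts are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Transaction:
    tx_id: str
    account: str
    amount: float
    currency: str
    country: str        # ISO 3166 code of the place where the card/account was used
    timestamp: datetime


@dataclass(frozen=True)
class Limits:
    per_transaction: float          # alert if a single transaction exceeds this
    rolling_24h_total: float        # alert if the trailing-24h total exceeds this
    allowed_countries: frozenset    # alert if the country is not in this set


def evaluate(transactions, limits):
    """Run the customer's limits over a stream of transactions.

    Returns a list of (tx_id, reason) alerts, oldest transaction first.
    An alert does not decline the transaction; it is what the bank would
    text or email the customer so they can validate or dispute it.
    """
    alerts = []
    window = []  # (timestamp, amount) of every transaction seen in the last 24h
    for tx in sorted(transactions, key=lambda t: t.timestamp):
        cutoff = tx.timestamp - timedelta(hours=24)
        window = [(ts, amt) for ts, amt in window if ts > cutoff]

        reasons = []
        if tx.amount > limits.per_transaction:
            reasons.append(
                f"amount {tx.amount:,.2f} {tx.currency} exceeds per-transaction "
                f"limit {limits.per_transaction:,.2f}"
            )
        if tx.country not in limits.allowed_countries:
            reasons.append(f"transaction made in {tx.country}, outside allowed locations")

        # Count every presented transaction, flagged or not, towards the rolling total:
        # a thief splitting a theft into small payments still trips this rule.
        running = sum(amt for _, amt in window) + tx.amount
        if running > limits.rolling_24h_total:
            reasons.append(
                f"24-hour total {running:,.2f} {tx.currency} exceeds limit "
                f"{limits.rolling_24h_total:,.2f}"
            )
        window.append((tx.timestamp, tx.amount))

        for reason in reasons:
            alerts.append((tx.tx_id, reason))
    return alerts


def notification(account, tx_id, reason):
    """Format the message the bank would send for the customer to validate."""
    return f"[{account}] Please validate transaction {tx_id}: {reason}. Reply YES to confirm."


# Constructed sample data (hypothetical customer limits and transactions).
SAMPLE_LIMITS = Limits(
    per_transaction=20_000.00,
    rolling_24h_total=50_000.00,
    allowed_countries=frozenset({"PH"}),
)

SAMPLE_TRANSACTIONS = [
    Transaction("T1", "ACCT-001", 5_000.00, "PHP", "PH", datetime(2017, 5, 1, 9, 0)),
    Transaction("T2", "ACCT-001", 25_000.00, "PHP", "PH", datetime(2017, 5, 1, 10, 0)),
    Transaction("T3", "ACCT-001", 3_000.00, "PHP", "SG", datetime(2017, 5, 1, 11, 0)),
    Transaction("T4", "ACCT-001", 18_000.00, "PHP", "PH", datetime(2017, 5, 1, 12, 0)),
    # More than 24h after T1-T4, so the rolling window has emptied again.
    Transaction("T5", "ACCT-001", 1_000.00, "PHP", "PH", datetime(2017, 5, 2, 13, 0)),
]


def sample_alerts():
    """Alerts the sample limits raise over the sample transactions."""
    return evaluate(SAMPLE_TRANSACTIONS, SAMPLE_LIMITS)


if __name__ == "__main__":
    for tx_id, reason in sample_alerts():
        print(notification("ACCT-001", tx_id, reason))
```

Running the block prints one validation request each for T2 (over the per-transaction cap), T3 (outside the allowed country) and T4 (the fourth payment pushes the day's total past the cap even though it is individually within limits); T1 and T5 pass silently. The rolling total is the rule that catches a thief who deliberately keeps each transfer small.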

When I discussed SAFE with my friend, she realized that she had failed to safe-keep her private information when she entered her username and password into a fake banking website set up by the cyber thief. I encourage you to apply the SAFE principles.

Furthermore, as company owners or employees, you can protect your company’s money by applying five principles, which are easier to remember using the abbreviation MONEY: M – Maintain an advanced and secured IT system, O – Operationalize a robust ERM (Enterprise-wide Risk Management) program, N – Need to hire the right ethical professionals, E – Establish the proper KYC (Know Your Customer) and AML (Anti-Money Laundering) policies and systems and Y – Yearn to share and learn from others.

Studies estimate that there is a hacker attack every 39 seconds. Given that hackers normally attack a company's IT systems, maintaining an advanced and secured IT system is the first and paramount safeguard against them. Companies can do this by first investigating their current environment, conducting holistic financial crime risk assessments, acquiring the right secured IT systems, keeping those systems updated, and having them independently tested.

With financial criminals constantly improving their skills, companies can no longer rely upon secured IT systems alone. Companies should operationalize a robust ERM program that integrates cyber, fraud, and insider threat management systems and processes into a centralized enterprise-wide management program. Running that program requires hiring the right ethical professionals, which can be done in two simple steps. First, assign experts to find several professionals with the right skill set and cleared by the National Bureau of Investigation (NBI). Second, assign a different set of experts to conduct comprehensive background checks on these professionals.

Once hired, the right ethical professionals must be able to follow the “need to have” and “whistleblowing” policies.

The “need to have” policy (the principle of least privilege) limits the number of people with access to critical systems (such as the SWIFT system for banks) to the minimum necessary, by evaluating each user's need and business justification against the guidelines set in the policy. The “whistleblowing” policy, on the other hand, educates all personnel to detect suspicious behavior among their peers and to anonymously escalate it to the right senior management.

With the right ethical professionals, the company can now establish the proper KYC and AML policies and systems, which require multi-layered client identification, verification checks, and continuous screening systems and processes, combined with AML management systems and processes. Even though a robust KYC and AML system results in an additional administrative burden, the Philippines is requiring almost all companies, including casinos, to implement robust AML systems to further prevent these crimes. If a company or casino does not have the right capabilities now, it can explore the option of hiring an external company that can run all the KYC and AML processes faster and cheaper. For example, PwC's Center of Excellence can perform the AML process required by Philippine laws and global standards 30 to 50 percent faster and 20 to 40 percent cheaper compared with some companies doing it on their own.

Finally, studies have shown that international cooperation is one of the most effective global policies to limit cybertheft, prevent cyberattacks, constrict money laundering, and thwart financial crime. During the recently concluded Asean Summit, the government moved forward with international cooperation by joining Asean agreements and declarations that cover the prevention and combating of cybercrime as well as AML and Countering the Financing of Terrorism (CFT) laws. The government will just have to take a step further by establishing additional mechanisms that encourage all companies to share their experiences and learn from each other.

Warning! You and your companies may unknowingly be robbed if you don’t do anything. My dear readers, before it’s too late, share and implement the MONEY principles to your companies. And for yourselves, start applying the SAFE MONEY principles.

Jonathan L. Uy is a director at the Risk Consulting practice of PricewaterhouseCoopers Consulting Services Philippines Co. Ltd., a Philippine member firm of the PwC network. For more information, please email markets@ph.pwc.com. This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors.
