Digital transactions have gained a significant boost from the Covid-19 pandemic, benefiting businesses and consumers alike, but the increased uptake has also raised cybercrime risks.
Pandemic-related lockdowns have created so much demand for fast, efficient and safe financial transactions that one e-money issuer saw a 1,000 percent year-on-year increase in remittances, the Better Than Cash Alliance has said.
Some large retailers are also experiencing 2 to 3 million more monthly site visits relative to the first quarter of 2020 while Bangko Sentral ng Pilipinas (BSP)-supervised financial institutions (BSFIs) acquired five times as many merchants in the first half of 2020 as they did in all of 2018.
The country's biggest banks have reported increased transactions via their digital channels. Bank of the Philippine Islands (BPI), for example, has said that at the height of the lockdowns, electronic channels accounted for up to 95.1 percent of all transaction, up significantly from the prepandemic 85.2 percent. With the lockdowns having eased, the number is holding at 92.3 percent, it claimed.
The downside is that cybercriminals are also taking advantage of the massive shift to digital, with the BSP saying in March that the banking sector was facing the highest level of threat from cybercrime and violations of the Electronic Commerce Act of 2000. In addition, phishing incidents remained the top cybersecurity concern for BSFIs last year, it added.
"Given this evolving threat, the BSP in close collaboration with BSFIs, remains on the lookout for social engineering attacks such as phishing and online scams, wherein fraudsters lure BSFIs' employees, customers, business partners and suppliers, among others, to give out their account details and other sensitive personal information," the central bank told The Manila Times.
Its cybersecurity surveillance, the BSP added, includes monitoring potential attacks that may have geopolitical motivations.
"To enhance overall situational awareness and proactive response to cyber-incidents, the BSP urges BSFIs to remain vigilant and to constantly improve cybersecurity defenses and capabilities necessary to combat highly evolving and sophisticated cyber threats, including those perpetrated by advanced threat actors or nation-states," it said.
Underscoring the importance of cyber resilience and multilayered controls, the BSP said its regulatory and supervisory framework prescribes relevant anti-money laundering and terrorist financing standards such as the use of stringent levels of verification during digital know-your-customer procedures, activation of fraud management rules and systems, and timely submission of suspicious transaction reports.
The central bank added that it was also continuously enhancing its risk-based supervision so that appropriate supervisory and policy responses are crafted depending on the size, nature, and magnitude of cyber risks facing BSFIs.
"Moreover, we continue to engage and have a healthy dialogue on cybersecurity promotion and operational resilience with supervised institutions, other financial regulators and other stakeholders."
The central bank is finalizing a draft circular mandating the adoption of robust fraud management systems and rules for all BSFIs. It aims to address fraudulent payments and financial transactions that involve two or more institutions such as those in multilateral clearinghouses and exchanges.
The upcoming circular will also require enhanced due diligence procedures at receiving institutions such as temporarily holds on funds to prevent fraud. It also mandates the integration of cyber education and awareness as part of the digital onboarding process for electronic payments and financial services applications.
"To further strengthen cyber resilience, the BSP is in the initial stages of developing a Cybersecurity Maturity Model framework which provides BSFIs guidance regarding continuing improvements in their cyber capabilities," the central bank said.
Ramon Jocson, BPI executive vice president and Bankers Association of the Philippines (BAP) cybersecurity committee vice chairman, said a top concern of lenders today was increased credential theft and account takeovers.
"The proliferation of DIY (do it yourself) kits on the web - on phishing, harvesting of credentials and spoofing - have made it easier for cybercriminals to target banking clients," Jocson told The Manila Times.
Based on the BAP's CyberSecurity Operations Centers, cyberattacks come from three sources: state-sponsored, wholesale, and retail.
In response, BAP member banks are continuously publishing alerts and notices, warning clients about various modes of attacks and reminding them never to click on links or accommodate calls that ask for personal and sensitive information that includes passwords, personal identification numbers, and one-time passwords, Jocson said.
"Collectively, the BAP has also implemented the Cybersecurity Incident Database project, which is a collaborative, threat-reporting and analytics platform. This allows the member banks to readily identify emerging/developing threat patterns so they can collectively mitigate," he said.
Lito Villanueva, Rizal Commercial Banking Corp. executive vice president and chief innovation and inclusion officer, said the industry needed to be prepared for a whole arsenal of assaults.
"Constant sweep of the systems in place and assessment of possible vulnerabilities should be in place. As much as we innovate our products, so should we on our mitigating actions," added Villanueva, who is also chairman of Fintech Alliance.PH.
For him, strengthening the system is imperative and this will need a concerted effort by all stakeholders.
"The Bangko Sentral ng Pilipinas, this year, has created a new sector that is tasked to safeguard the payments and cash ecosystem. This is one hard evidence of the proactive stance of the government to keep the industry safe," he noted.
Villanueva added that players were also beefing up their defenses through the latest tools and techniques, including securing cloud platforms, data encryption and access management, among others.
"Financial education, especially to new users, is also imperative to this cause. As mentioned, a concerted effort by all stakeholders is required to win this fight," he said.