Scams and frauds remain a serious threat to financial institutions and consumers, especially these days when fraudsters are becoming more sophisticated as the technologies and methods they employ advance over time. Innovations that allow people to conveniently manage financial tasks and transactions via digital channels have ironically opened opportunities for fraudsters to deceive the banking public.

Jonathan John B. Paz, BPI’s enterprise information security and data privacy officer

According to Jonathan John B. Paz, enterprise information security and data privacy officer of the Bank of the Philippine Islands (BPI), as banks increasingly rely on digitalization to achieve expanded reach, personalization of banking, development of services, and improving the efficiency of operations, security vulnerabilities increase correspondingly.

“Users have become so used to online and mobile banking that there’s a tendency to take basic security hygiene for granted, exposing themselves to greater risks of account takeover – enabling fraud,” Mr. Paz told 大象传媒 in an e-mail.

With changes in technology, fraudsters have a broader scope to exploit the weakest links in security. These weaknesses range from customers’ bad habits, such as using weak passwords and failing to protect sensitive data, to a bank’s own security vulnerabilities.

As a result, financial institutions and their clients are now more exposed to various risks, such as phishing, identity theft, card skimming, vishing, SMSishing, viruses and Trojans, spyware and adware, social engineering, Web site cloning, and cyber stalking.

Mr. Paz said that it is not surprising that the financial industry continues to be one of the most attacked sectors globally due to the sheer number of targets, including access to personal and financial records, payment systems, personal online banking facilities, and ATMs.

In the local banking scene, phishing is by far the most favored modus operandi, according to Mr. Paz. “Phished credentials and other sensitive information such as credit card details, e-mail access and mobile numbers enable fraud to be committed against unwitting individuals,” he said.

Phishing, as defined by the Bangko Sentral ng Pilipinas (BSP), is a form of identity theft whereby someone steals or uses personal or sensitive information of another person without his or her knowledge or permission, through hacking into one’s personal account, hijacking one’s data and taking over one’s online identity, to commit fraudulent acts or crimes, or conduct unauthorized business.

This kind of cyberattack may be done by various methods other than e-mail, such as text messages, chat rooms, electronic fake banner advertisements or message boards, fake mailing lists, fake job search sites and job offers, and fake browser toolbars.

Once the scammers have obtained the confidential information of a certain individual, it becomes possible for them to withdraw money or purchase items under the victim’s name, open a new bank or credit card account, use an account to illegally deal with other people, or encash checks on his or her behalf.

The increasing number of scam and fraud cases has disturbing effects not only on the banking public but also on financial institutions and the banking industry in general.

“By impersonating banks, fraudsters can degrade the trust that exists between the client and institution, specifically in the services being offered by the latter,” Mr. Paz said.

“A client once victimized through account takeover may never take to online banking the same way again. If these types of incidents become widespread enough, this will undermine the whole project of digitalization not only for one specific bank but for the entire industry as well,” he added.

Just as fraudsters are always coming up with new and more sophisticated methods of deception, banks are doing their part to protect their clients against different frauds.

Recently, local banks have shifted to chip-based or EMV cards, which are believed to be more secure compared with cards with magnetic stripe technology.

Some banks are also using biometrics technology for their mobile app-based services, such as fingerprint and voice authentication, to keep unauthorized people from gaining access to the accounts of their clients.

In addition to these, Mr. Paz said that banks have to become proactive in managing the risks of fraud by embedding a culture of risk awareness and management in developing and maintaining systems and the processes that support these systems.

“We need to make sure that not only do we identify and address the vulnerabilities of these systems and processes on a continuing basis. We also need to know the enemy – what their capabilities, methods and targets are and the ecosystems they operate in – through a robust threat intelligence capability,” he added.

Amid the rising cybersecurity risks in the electronic space, the BSP, according to Mr. Paz, has been proactive in recognizing the dangers of putting banking services online. He said that the institution had issued a number of circulars and other regulatory requirements in order to ensure that the industry is better prepared to identify, assess and manage cyber risks without unnecessarily stifling innovation, which is necessary to bring more people into the banking system.

In November of last year, the BSP issued stricter rules to boost cybersecurity measures. In a statement, the BSP said that the Monetary Board – its highest policy-making body – approved pioneering guidelines on information security management that place renewed focus on cybersecurity. This seeks to address the growing concerns with the fast-evolving cyber threats that continue to confront global as well as domestic financial communities.

According to the central bank, the amended rules highlight the role of the BSP-supervised financial institutions’ board and senior management in spearheading sound information security governance and strong security culture within their respective networks.

The new guidelines also cover key elements of cyber resilience, such as participation in information sharing and collaboration fora, enhancing situational awareness capabilities, and adoption of advanced cybersecurity controls and countermeasures.

A good example is the creation of a 24/7 security operations center, which is equipped with advanced technologies and manned by competent analysts, to proactively monitor emerging and highly sophisticated cyber threats and attacks. – Mark Louis F. Ferrolino