BDO Unibank's Mr. Edwin Reyes talked about phishing and anti-fraud trends in the banking industry here in the Philippines during a special appreciation lunch for bloggers held last week at the BDO Corporate Center Art Gallery.
According to Reyes, fraudsters steal billions of US dollars per year with the banks in the Philippines as the most targeted in Asia.
Here are some notes from his presentation:
What is Phishing?
Phishing is a fraudulent attempt. Actually, I should call it a practice, because it's not just a one-off. It's a fraudulent practice to induce individuals to reveal their sensitive, personal information, such as usernames, passwords, credit card details, things like that, by disguising as a reputable company in an electronic communication.
Typically it's done through email or text messaging, and it often directs users to enter personal information at a fake website, the look and feel of which is identical to the legitimate website. These emails frequently use threats, or they scare the users, so that they will actually respond.
The information entered through the fake website becomes stolen user data, which includes your login details and other confidential, personal information. The fraudster then uses the stolen data to access legitimate accounts. Once that happens, they're free to transfer money to their own accounts.
Phishing is an example of social engineering. It's a technique used to deceive users. It's like there's bait. They bait. That's why it's called phishing; it's like you're fishing. Except when you're fishing, you're trying to get fish. In this case, you're actually trying to get data. That's what is stolen from the victim, that data.
How is phishing done by fraudsters?
In the context of BDO, there are people out there who are sending fake emails that look very real. They send it to as many people as they can hoping to reach BDO clients, so it’s a broad approach.
Some BDO clients will be fooled by what appears to be an authentic communication from the bank. Based on the samples we have seen, they look authentic. They have our logo. There are really good ones, using the same font and color schemes; they look completely real. Even the email address looks authentic.
The only clue, and this is important, that will alert the reader to phishing is the content of the email. BDO will never, never ask for your sensitive, personal information. Never. So if you see something in the content asking for those things, then you should be suspicious. It's probably not BDO.
Once the modus operandi is done, what happens to a client’s account?
They pretty much get everything. Once you go to the fake website and start entering personal information, that's it. Ultimately the information that is harvested will be used to steal money from you, from your accounts.
How is BDO thwarting phishing attempts?
There's what we call multi-factor authentication. The trend is three factors. What you know, which is the ID and the password, that's one factor. What you have, which is the device, your phone, and this also identifies you. The third one is who you are: it can be a fingerprint, it can be your face, or facial recognition. So that's multi-factor authentication.
However, BDO cannot prevent the unauthorized use of authentic credentials. If you give your username, password, and other personal information to someone else, then that person can now access your account. Fraud is defined, broadly, as unauthorized use of authentic credentials.
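The two points above (a second factor on top of the password, and the fact that the bank cannot tell a phished credential from a legitimate one) are easiest to see in code. The following is an added illustration written for this page, not BDO's system or code: a toy login check that requires "what you know" (a password) and "what you have" (a time-based one-time code in the style of RFC 6238, as generated by an authenticator app on the phone). The account, salt, secret and username are constructed sample values. Note how a phished password alone is refused, while a victim who also hands over the one-time code lets the fraudster straight in, which is exactly the "unauthorized use of authentic credentials" the speaker describes.

```python
import hashlib
import hmac
import struct
import time


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time code (RFC 6238, HMAC-SHA1, 30 s step)."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow salted hash; the server stores this, never the plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


# Constructed sample account (hypothetical user and secrets, not real data).
_SALT = b"constructed-salt-0001"
ACCOUNT = {
    "username": "juan.delacruz",
    "password_hash": hash_password("correct horse battery", _SALT),
    "totp_secret": b"constructed-totp-secret",   # shared with the user's phone app
}


def login(username: str, password: str, otp: str, now=None) -> str:
    """Check factor 1 (password) then factor 2 (one-time code)."""
    now = int(time.time()) if now is None else now
    if username != ACCOUNT["username"]:
        return "denied: unknown user"
    presented = hash_password(password, _SALT)
    if not hmac.compare_digest(presented, ACCOUNT["password_hash"]):
        return "denied: password"
    # Accept the current and the previous 30 s window to tolerate clock drift.
    valid_codes = {totp(ACCOUNT["totp_secret"], now - i * 30) for i in range(2)}
    if otp not in valid_codes:
        return "denied: second factor"
    return "granted"


def phishing_scenarios(now: int) -> dict:
    """What a fraudster achieves with different amounts of phished data."""
    victim_password = "correct horse battery"
    # The code the victim's phone shows right now (which a fake site may ask for).
    victim_otp = totp(ACCOUNT["totp_secret"], now)
    return {
        # Only the password was phished: the second factor stops the login.
        "password_only": login("juan.delacruz", victim_password, "", now),
        # Password and one-time code both handed over: nothing left to stop it.
        "password_and_otp": login("juan.delacruz", victim_password, victim_otp, now),
    }


if __name__ == "__main__":
    t = int(time.time())
    for case, result in phishing_scenarios(t).items():
        print(f"{case}: {result}")
```

The lesson the speaker draws follows directly: the second factor only helps while the one-time code stays on the phone, so a code typed into a fake website is as good as a password typed there, and the bank's check sees a perfectly valid login.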
So, in addition to multi-factor authentication, BDO also uses a service to take down suspected phishing websites. Reported phishing attempts are investigated by a BDO cyber security partner. The goal is to take down the website that the phishing email uses to acquire sensitive, personal information.
As I said, just report it. If you see a suspected phishing attack, report it to [email protected].
All that said, the fraudsters are always a step ahead of us, because that's their full-time job, so admittedly we're always catching up.
But why should we let them win?
Together, in partnership with our clients, this is our advocacy. This is our fight. We need to thwart these phishing attempts. We need to be equipped for this fight, and it starts with awareness. Consumer education is key. As you'll always hear from us going forward, together with BDO, say NO to phishing.
And let's help each other. If you know it, you have to share it with us, and then we can help you based also on what we know.
That's our advocacy: we should not allow the fraudsters to win. I think most other banks would be in the same position. The industry should be in the same position. There will always be fraudsters who will try to prey on unsuspecting victims, so let's help each other on that.
If all of us do our part, again, report it. Don't give out your information. We will never ask you for that, so if that happens, it's suspicious; report it to us, and we'll do our part. We already have many measures in place, on the technical side, on the cyber security front, through our partner, and in our education programs.