As holidays beckon, bank clients reminded of anti-fraud steps
STOCK PHOTO
MANILA, Philippines—Last week, unknowing BDO Unibank account holders fell victims to an online banking scam, which resulted in huge monetary losses.
According to social media posts of some victims, they discovered that unauthorized fund transfers were made using their accounts to move money to a UnionBank of the Philippines (UBP) account of a certain “Mark Nagoyo.”
Some affected users likewise detailed that they suddenly received e-mail and text notifications about the unauthorized bank transfers made in their accounts.
A public group named “Mark Nagoyo BDO Hacked,” now with over 2,200 members, has been created following the incidents.
When translated into English, the word “nagoyo” means to make fool out of someone.
According to the Bangko Sentral ng Pilipinas (BSP), nearly 700 BDO accounts have been affected by the fraudulent transactions.
What we know so far
On Dec. 15, Henry Aguda, UBP’s chief technology and operations officer, confirmed that six “persons of interest” have been identified in relation to the cyber fraud attack against the banking giant.
“We’ve already identified persons of interest and we’ve already filed the necessary information with the PNP and the NBI,” Aguda said at a press briefing.
“We will be providing the necessary information to them as well as to the BSP,” he added.
According to Aguda, the UBP has already started collaborating closely with BDO.
“We are collaborating closely with BDO. In fact, we’ve started collaborating even over the weekend and we are pursuing the investigation of the fraudulent activities. We have already frozen the money in the identified accounts in Union Bank,” he said.
“We are coordinating with our counterparts, with BDO on how to proceed with the frozen accounts,” he added.
READ: Bank fraud probe tags 6 ‘persons of interest’
The BSP earlier revealed that it has traced two to four persons behind the “Mark Nagoyo” account, where funds taken BDO accounts had been transferred.
“The real persons behind ‘Mark Nagoyo’ have been identified,” said BSP Technology Risk and Innovation Supervision Department Director Melchor Plabasan in an interview over One News on Dec. 14.
“I think BDO and UnionBank will definitely file charges if these persons allowed their accounts to be used for these fraudulent activities,” he added.
The suspicious individual accounts, according to Plabasan, were opened only last October.
Based on initial reports, the affected BDO account users were not victims of a phishing scam since they did not click or enter suspicious links or share their one-time PIN (OTP) with other people prior to the incident.
According to BDO, the victims have been affected by a “sophisticated fraud technique.”
BSP Governor Benjamin Diokno on Dec. 14 said the recent fraudulent fund transfers may be a case of an inside job, noting that the incidents occurred while the banks were transitioning to a new system.
READ: Inside job a probability in recent hacking of bank accounts, says BSP
“I’m sure there is an employee involved because given the extent of hacking, there are many cases and it all came at the same time, right? So, I think there’s an inside job,” he said.
Still, Diokno said the BSP will continue to investigate the incidents, along with BDO and UBP.
Banks ensure users
BDO has already announced that clients who were affected by the unauthorized activities will be reimbursed.
“We have requested our clients to go to their branch of account and submit documentation to get the refund. The bank will shoulder the losses perpetuated by this cybercrime incident,” BDO Unibank said in a press statement on Dec. 14.
READ: 700 BDO clients assured of reimbursement
The bank management has also assured clients that they have already implemented additional security measures to prevent further incidents of fraudulent transactions and to protect bank credentials.
“Most recently, we have required our online banking users to update their passwords. Changing their password improves account security and prevents fraudsters from accessing their hard-earned money,” the statement released last Dec. 12 stated.
“Changing their password improves account security and prevents fraudsters from accessing their hard-earned money,” the bank said.
“We thank our clients for their patience and cooperation in protecting their online bank accounts. We assure our affected innocent clients that we will reimburse their losses,” it added.
READ: BDO to reimburse clients hit by online banking fraud
Diokno, meanwhile, assured bank clients that the BSP has already coordinated with BDO and UBP regarding the incidents.
“The BSP has been monitoring the surge in complaints posted on social media platforms since the early part of this week. We are in close coordination with BDO as well as UBP on this incident to ensure that remedial measures are being undertaken, including reimbursement of affected consumers,” Diokno said on Twitter.
“Rest assured that we continue to collaborate and engage stakeholders to ensure the safety and integrity of the financial system as well as the protection of financial consumers. BSP will do everything to ensure the safety and integrity of the financial system as well as the protection of financial consumers,” he added.
Hackers to face punishment
The cybercriminals who were involved in the hacking of BDO deposit accounts are bound to face economic sabotage charges, Anakalusugan Rep. Michael Defensor said in a statement.
Graphic by Ed Lustan
“The act of breaking into a bank’s computer system and stealing money from at least 50 deposit accounts constitutes economic sabotage,” said Defensor, citing Republic Act No. 11449, “which increased the penalties for the unlawful use of electronic access devices such as cards, codes, personal identification numbers (PINs), user names, and passwords, among others.”
“Under the law, the offense is punishable with life in prison plus a fine of up to P5 million,” he added.
Graphic by Ed Lustan
Defensor said he expects the BSP and the National Privacy Commission (NPC) to impose separate administrative fines on banks whose systems were breached, causing depositors to lose money and their sensitive personal information.
“Actually, it is not true that the banks themselves are absorbing the financial losses from cyberattacks,” the lawmaker said.
He likewise stated that the depositors are the ones who usually pay for the bank’s financial losses whenever money from an account gets stolen.
“In fact, every time the banks seek an increase in their automated teller machine (ATM) withdrawal or credit card fees, they always claim that they need the higher charges to pay for financial losses due to fraudulent transactions,” he added.
‘High alert’ this holiday season
Defensor, in the same statement, urged the BSP to require banks to “routinely go on high alert against potential cybercriminal activities” especially on weekdays and holidays.
“We already know that most cyberattacks on banks happen on weekends and holidays, so the practical solution is for them to heighten their vigilance on these slow days,” he said.
The lawmaker mentioned the $101 million Bangladesh Bank cyber heist in 2016, which took place on a weekend when the bank’s offices were closed.
During that year, the then-unidentified hackers initiated fake transfer orders that sought to move nearly $81 million in funds stolen from Bangladesh Bank’s New York Fed account and mostly transferred to accounts at Rizal Commercial Banking Corp. (RCBC) in the Philippines.
The transaction was channeled to a foreign exchange dealer, Philrem Service Corp., and transferred to accounts at other banks and to local casinos before being moved out of the Philippines.
READ: What went before: $81-million Bangladesh bank cyberheist
“We also want banks to put end to their practice of going on slow mode when it comes to providing customer support on weekends and holidays,” said Defensor.
“Banks must respond instantly to customer complaints of potential hacking of their bank or credit card accounts 24 hours a day, seven days a week,” he added.
Secure accounts against hacks, scams
To keep their clients safe against unauthorized transactions, fraud, and scams, BDO has previously released some tips. These were:
Graphic by Ed Lustan
- Do not share personal information—These include bank account numbers, usernames, passwords, and OTPs. Scammers can steal identities, access online bank accounts, and steal money using these pieces of information.
“The bank advises all to be prudent in posting personal info on social media channels. If profile is public, best keep it on private mode for added protection,” BDO said.
- Do not click on website links—Fraud attacks, according to BDO, can come in the form of emails, SMS messages, phone calls, or messages via social media channels and a website link.
- “Do not click on these links. These links will lead to a website identical to a legitimate company’s official site. Here, scammers can harvest personal information,” the bank’s management said.
Meanwhile, the Department of Information and Communications Technology (DICT) advised the public to “be wary of unverified and unproven COVID-19 websites or applications that require you to give your personal data.”
“These websites and applications might be used by online scammers. Cybercriminals will do anything to obtain personal information, especially your financial and banking details.”
- Do not share OTPs—OTPs sent out through text messages are considered as an added layer of protection, especially for banks and account holders.
- Be cautious at all times
The Philippine National Police (PNP) likewise reminded the public to be extra vigilant and careful with their online and social media transactions.
“When using social media, be careful not to accept random friend requests. Cybercriminals often create fake accounts to befriend you. Trust no online friends unless you know them personally,” the PNP-PIO said last week.
“A common method of cybercriminals is to hack into personal computers or gadgets to send them e-mails with infected attachments. It is important to note not to respond to these dubious e-mails with embedded links. Don’t open links and attachments when in doubt. Such communication may be classified as phishing e-mails,” it added.
READ: PNP: Be careful online; beware of cybercrime, bank fraud
The Bankers Association of the Philippines (BAP) has recently released a statement, which says:
“An important reminder: You will never be a victim of cybercrime if you would never give your personal information, such as one-time password, to other people. If you do not give your personal information to others, cybercriminals will never be able to steal your money.”
The statement, however, was answered by then National Privacy Commission chief Raymund Liboro who told the banking community to not blame the victims.
READ: Don’t blame victims of hacking, National Privacy Commission chief tells banks
“I hope this is not the mindset of the entire banking system,” Liboro said in an interview.
“Privacy and cyber self-management must be matched with greater accountability from banks. Banks must work toward building cyber resilience instead of putting the blame on customers,” he continued.
“Socially engineered cybercrimes rely on human weaknesses and instincts—the same instincts that banks rely on in promoting their own products and services,” he added.
