MANILA, Philippines—From February to April this year, nearly seven out of 10—or 68.95 percent—phishing attacks recorded in the Philippines targeted finance-related transactions, according to cybersecurity firm Kaspersky.
Data from Kaspersky Security Network (KSN) showed that cases of finance-related phishing attempts from February to April this year were highest in the Philippines among Southeast Asian countries.
The share of finance-related phishing attempts during the same period was 65.90 percent in Indonesia, 55.67 percent in Singapore, 55.63 percent in Thailand, 50.58 percent in Malaysia, and 36.12 percent in Vietnam.
A separate report released by Kaspersky last April showed that the Philippines was the country hardest hit by phishing attacks in the region last year.
Around 9.9 percent of Filipinos were exposed to phishing attempts in 2021, beating Malaysia (8.49 percent), Thailand (7.93 percent), Indonesia (7.70 percent), Vietnam (7.45 percent), and Singapore (3.30 percent).
Phishing, according to the cybersecurity firm, “is a type of Internet fraud that seeks to acquire a user’s credentials by deception. It includes theft of passwords, credit card numbers, bank account details, and other confidential information.”
“Phishing messages usually take the form of fake notifications from banks, providers, e-pay systems, and other organizations,” explained Kaspersky.
“The notification will try to encourage a recipient, for one reason or another, to urgently enter/update their personal data. Such excuses usually relate to loss of data, system breakdown, etc,” it added.
Finance-related phishing attacks
Kaspersky detected and blocked phishing attacks against three financial categories in the region last year. These categories included banks, e-commerce stores, and payment systems.
Statistics from KSN showed that, across all three categories during the same three-month period, one in two—58.50 percent—of phishing attempts in the Philippines targeted payment systems such as credit cards, debit cards, and mobile payment applications or e-wallets.
The number was highest among incidents recorded in other Southeast Asian countries—Malaysia (38.02 percent), Singapore (37.48 percent), Indonesia (27.76 percent), Thailand (22.22 percent), and Vietnam (20.26 percent).
The same data from the cybersecurity company revealed that phishing attempts against banks in the Philippines were only 2.17 percent—the lowest among Southeast Asian countries—while phishing attempts against e-commerce shops in the country were the second-lowest among the countries at 8.28 percent.
“The percentages are from anonymized data based on the triggering of the deterministic component in Kaspersky’s Anti-Phishing system on user computers,” Kaspersky said in a statement.
“The component detects all pages with phishing content that the user has tried to open by following a link in an e-mail message or on the web, as long as links to these pages are present in the Kaspersky database,” the firm added.
Earlier this year, six teachers from Metro Manila, Calabarzon (Cavite, Laguna, Batangas, Rizal, Quezon), Central Luzon, Negros, and Mindoro reportedly lost at least P26,000 to P121,000 each through unauthorized withdrawals from their payroll accounts in the Land Bank of the Philippines (LBP).
On the other hand, LBP denied any hacking incident in its systems and said that the teachers’ accounts were illegally accessed through phishing.
In December last year, nearly 700 BDO Unibank accounts were hit by fraudulent transactions.
According to social media posts of some victims, they discovered that unauthorized fund transfers were made using their accounts to move money to a UnionBank of the Philippines (UBP) account of a certain “Mark Nagoyo.”
BDO announced that clients who lost money to the fraudulent activity would be reimbursed. The bank management has also assured clients that it has already implemented additional security measures to prevent further fraudulent transactions and to protect bank credentials.
Dangers of ‘Super Apps’
Siang Tiong Yeo, general manager for Southeast Asia at Kaspersky, also warned about the rise of “Super Apps” in Southeast Asia amid the rising use of digital transactions in the region.
“Alongside the increased adoption in digital transactions here in Southeast Asia, we also see the rise of ‘Super Apps’ in the region. These are the mobile applications that combine all popular monetary functions including e-banking, mobile wallets, online shopping, insurance, travel bookings, and even investments,” Yeo explained.
“Putting our data and digital money in one basket can trigger an aftermath snowball, with the impact of a phishing attack swelling at an unforeseeable rate,” he added.
Super Apps, according to Kaspersky, are a way for traditional banks and service providers to stand out in a crowded or competitive industry.
The cybersecurity firm, however, noted that as traditional banks and service providers work with third parties and incorporate their services into a single mobile app, the attack surface expands, opening up more doors to a malicious exploit.
Kaspersky said that a simple phishing link asking for the Super App user’s credentials could compromise all data available in the app.
“It is known that cybercriminals follow the money trail, so it is important for banks, app developers, and service providers to integrate cybersecurity from the beginning of application development. We expect hackers to target the rising Super Apps, both its infrastructure and its users through social engineering attacks,” said Yeo.
“We urge all fintech companies to deploy a secure-by-design approach in their systems and to continuously provide proactive education for their users in this period where phishing attacks continue to thrive.”
Protection and prevention
To prevent being a victim of phishing attacks—especially amid the rise of Super Apps, mobile banking, and online payments during the pandemic—Kaspersky has recommended individuals protect themselves through:
- Not responding to messages from unknown senders asking for their credentials. “Even prompts to reply like texting ‘UNSUBSCRIBE’ or ‘STOP’ can be a trick to identify active phone numbers. Attackers depend on your curiosity or anxiety over the situation at hand, but you can choose not to engage.”
- Avoiding the use of any links or contact information in the suspicious email or message. “Go directly to contact channels where possible. Remember that urgent notices can be verified directly on online accounts or via an official phone helpline.”
- Looking out for mistakes, typos, and strange characters in the potentially phishing-related text or email.
- Slowing down if a message is urgent. “Emails and SMS are often read on the go, when one is distracted or in a hurry, leaving one’s guard down. Approach offers as caution signs of possible phishing, remain calm and proceed carefully.”
- Downloading an anti-malware app which can help protect against malicious attacks.
In a separate report, the cybersecurity firm has also recommended digital payment providers adopt the following measures:
- Ensure prompt patching and updating of software to prevent adversaries from penetrating the system.
- Use high-grade encryption for sensitive data and enforce strong credentials and multi-factor authentication.
- Use effective endpoint protection with threat detection and response capabilities “to block access attempts, and managed protection services for efficient attack investigation and expert response.”
- Educate customers and employees on possible tricks fraudsters may use.
- Conduct annual security audits and penetration tests to find security issues in a company’s networks.
- Install a fraud prevention solution that can be quickly adapted for identifying new attack schemes and methods.