MANILA, Philippines—Last week, unknowing BDO Unibank account holders fell victim to an online banking scam, which resulted in huge monetary losses.
According to social media posts of some victims, they discovered that unauthorized fund transfers were made using their accounts to move money to a UnionBank of the Philippines (UBP) account of a certain “Mark Nagoyo.”
Some affected users likewise detailed that they suddenly received e-mail and text notifications about the unauthorized bank transfers made in their accounts.
A public group named “Mark Nagoyo BDO Hacked,” now with over 2,200 members, has been created following the incidents.
When translated into English, the word “nagoyo” means to make a fool out of someone.
According to the Bangko Sentral ng Pilipinas (BSP), nearly 700 BDO accounts have been affected by the fraudulent transactions.
What we know so far
On Dec. 15, Henry Aguda, UBP’s chief technology and operations officer, confirmed that six “persons of interest” have been identified in relation to the cyber fraud attack against the banking giant.
“We’ve already identified persons of interest and we’ve already filed the necessary information with the PNP and the NBI,” Aguda said at a press briefing.
“We will be providing the necessary information to them as well as to the BSP,” he added.
According to Aguda, the UBP has already started collaborating closely with BDO.
“We are collaborating closely with BDO. In fact, we’ve started collaborating even over the weekend and we are pursuing the investigation of the fraudulent activities. We have already frozen the money in the identified accounts in Union Bank,” he said.
“We are coordinating with our counterparts, with BDO on how to proceed with the frozen accounts,” he added.
READ: Bank fraud probe tags 6 ‘persons of interest’
The BSP earlier revealed that it has traced two to four persons behind the “Mark Nagoyo” account, where funds taken from BDO accounts had been transferred.
“The real persons behind ‘Mark Nagoyo’ have been identified,” said BSP Technology Risk and Innovation Supervision Department Director Melchor Plabasan in an interview over One News on Dec. 14.
“I think BDO and UnionBank will definitely file charges if these persons allowed their accounts to be used for these fraudulent activities,” he added.
The suspicious individual accounts, according to Plabasan, were opened only last October.
Based on initial reports, the affected BDO account users were not victims of a phishing scam since they did not click or enter suspicious links or share their one-time PIN (OTP) with other people prior to the incident.
According to BDO, the victims have been affected by a “sophisticated fraud technique.”
BSP Governor Benjamin Diokno on Dec. 14 said the recent fraudulent fund transfers may be a case of an inside job, noting that the incidents occurred while the banks were transitioning to a new system.
“I’m sure there is an employee involved because given the extent of hacking, there are many cases and it all came at the same time, right? So, I think there’s an inside job,” he said.
Still, Diokno said the BSP will continue to investigate the incidents, along with BDO and UBP.
Banks ensure users
BDO has already announced that clients who were affected by the unauthorized activities will be reimbursed.
“We have requested our clients to go to their branch of account and submit documentation to get the refund. The bank will shoulder the losses perpetuated by this cybercrime incident,” BDO Unibank said in a press statement on Dec. 14.
The bank management has also assured clients that they have already implemented additional security measures to prevent further incidents of fraudulent transactions and to protect bank credentials.
“Most recently, we have required our online banking users to update their passwords. Changing their password improves account security and prevents fraudsters from accessing their hard-earned money,” the statement released last Dec. 12 stated.
“We thank our clients for their patience and cooperation in protecting their online bank accounts. We assure our affected innocent clients that we will reimburse their losses,” it added.
Diokno, meanwhile, assured bank clients that the BSP has already coordinated with BDO and UBP regarding the incidents.
“The BSP has been monitoring the surge in complaints posted on social media platforms since the early part of this week. We are in close coordination with BDO as well as UBP on this incident to ensure that remedial measures are being undertaken, including reimbursement of affected consumers,” Diokno said on Twitter.
“Rest assured that we continue to collaborate and engage stakeholders to ensure the safety and integrity of the financial system as well as the protection of financial consumers. BSP will do everything to ensure the safety and integrity of the financial system as well as the protection of financial consumers,” he added.
Hackers to face punishment
The cybercriminals who were involved in the hacking of BDO deposit accounts are bound to face economic sabotage charges, Anakalusugan Rep. Michael Defensor said in a statement.
“The act of breaking into a bank’s computer system and stealing money from at least 50 deposit accounts constitutes economic sabotage,” said Defensor, citing Republic Act No. 11449, “which increased the penalties for the unlawful use of electronic access devices such as cards, codes, personal identification numbers (PINs), user names, and passwords, among others.”
“Under the law, the offense is punishable with life in prison plus a fine of up to P5 million,” he added.
Defensor said he expects the BSP and the National Privacy Commission (NPC) to impose separate administrative fines on banks whose systems were breached, causing depositors to lose money and their sensitive personal information.
“Actually, it is not true that the banks themselves are absorbing the financial losses from cyberattacks,” the lawmaker said.
He likewise stated that the depositors are the ones who usually pay for the bank’s financial losses whenever money from an account gets stolen.
“In fact, every time the banks seek an increase in their automated teller machine (ATM) withdrawal or credit card fees, they always claim that they need the higher charges to pay for financial losses due to fraudulent transactions,” he added.
‘High alert’ this holiday season
Defensor, in the same statement, urged the BSP to require banks to “routinely go on high alert against potential cybercriminal activities” especially on weekdays and holidays.
“We already know that most cyberattacks on banks happen on weekends and holidays, so the practical solution is for them to heighten their vigilance on these slow days,” he said.
The lawmaker mentioned the $101 million Bangladesh Bank cyber heist in 2016, which took place on a weekend when the bank’s offices were closed.
During that year, the then-unidentified hackers initiated fake transfer orders that sought to move nearly $81 million in funds stolen from Bangladesh Bank’s New York Fed account and mostly transferred to accounts at Rizal Commercial Banking Corp. (RCBC) in the Philippines.
The transaction was channeled to a foreign exchange dealer, Philrem Service Corp., and transferred to accounts at other banks and to local casinos before being moved out of the Philippines.
READ: What went before: $81-million Bangladesh bank cyberheist
“We also want banks to put an end to their practice of going on slow mode when it comes to providing customer support on weekends and holidays,” said Defensor.
“Banks must respond instantly to customer complaints of potential hacking of their bank or credit card accounts 24 hours a day, seven days a week,” he added.
Secure accounts against hacks, scams
To keep their clients safe against unauthorized transactions, fraud, and scams, BDO has previously released some tips. These were:
- Do not share personal information—These include bank account numbers, usernames, passwords, and OTPs. Scammers can steal identities, access online bank accounts, and steal money using these pieces of information.
“The bank advises all to be prudent in posting personal info on social media channels. If profile is public, best keep it on private mode for added protection,” BDO said.
- Do not click on website links—Fraud attacks, according to BDO, can come in the form of emails, SMS messages, phone calls, or messages via social media channels and a website link.
“Do not click on these links. These links will lead to a website identical to a legitimate company’s official site. Here, scammers can harvest personal information,” the bank’s management said.
Meanwhile, the Department of Information and Communications Technology (DICT) advised the public to “be wary of unverified and unproven COVID-19 websites or applications that require you to give your personal data.”
“These websites and applications might be used by online scammers. Cybercriminals will do anything to obtain personal information, especially your financial and banking details.”
- Do not share OTPs—OTPs sent out through text messages are considered as an added layer of protection, especially for banks and account holders.
- Be cautious at all times
The Philippine National Police (PNP) likewise reminded the public to be extra vigilant and careful with their online and social media transactions.
“When using social media, be careful not to accept random friend requests. Cybercriminals often create fake accounts to befriend you. Trust no online friends unless you know them personally,” the PNP-PIO said last week.
“A common method of cybercriminals is to hack into personal computers or gadgets to send them e-mails with infected attachments. It is important to note not to respond to these dubious e-mails with embedded links. Don’t open links and attachments when in doubt. Such communication may be classified as phishing e-mails,” it added.
READ: PNP: Be careful online; beware of cybercrime, bank fraud
The Bankers Association of the Philippines (BAP) has recently released a statement, which says:
“An important reminder: You will never be a victim of cybercrime if you would never give your personal information, such as one-time password, to other people. If you do not give your personal information to others, cybercriminals will never be able to steal your money.”
The statement, however, was answered by then National Privacy Commission chief Raymund Liboro who told the banking community to not blame the victims.
READ: Don’t blame victims of hacking, National Privacy Commission chief tells banks
“I hope this is not the mindset of the entire banking system,” Liboro said in an interview.
“Privacy and cyber self-management must be matched with greater accountability from banks. Banks must work toward building cyber resilience instead of putting the blame on customers,” he continued.
“Socially engineered cybercrimes rely on human weaknesses and instincts—the same instincts that banks rely on in promoting their own products and services,” he added.