Cybersecurity expert shares tips on how fintech firms can avoid phishing

A global cybersecurity expert shared tips on how fintech (financial technology) companies can conduct due diligence following the recent multi-million phishing attack on thousands of users.

This week, GCash trended on social media platforms after some of the users reported that they recorded unauthorized transactions on their respective accounts.

Some claimed that they did not receive any notice or question informing them of the supposed money transfers they were making, unlike regular transactions.

The money was transferred to an EastWest or Asia United Bank account.

Victims include comedian vloggers Chad Kinis.

An executive from the mobile e-wallet app said the incident was a case of “sophisticated phishing”.

Reports said that when GCash examined the logs of the scammer’s actions, a link was sent to several users. Those who clicked on it were prompted to connect a device.

This prompted the scammer to phish information from unsuspecting users.

“When they accessed the link, information from their device [was] phished. ‘Yun ‘yung phishing natin. Any activities from then on cannot make a fraudster. By the way, he asked to connect a device” Gilda Maquilanvice president of corporate communications at GCash, said on ANC on Wednesday 10 May.

“When you [are] can connect it, you can make your transaction. ‘Yun naman ‘yung ating usual process to access GCash. You need to have the MPIN, and you need to have the OTP, which the fraudster was able to obtain,” she added.

MPIN refers to Mobile Personal Identification Number while OTP refers to One Time PIN.

“This is a phishing incident and not hacking … The scammer attempted to connect to a device,” Maquilan further said.

GCash conducted a “preventive maintenance” to investigate user complaints and restore the account balance of those affected.

READ: “Safe and Secure”: GCash insures users amid unauthorized transaction complaints

Phishing is a cybercrime where a target is contacted via email, phone or text message by someone pretending to be a legitimate institution or entity to lure them into providing sensitive data such as bank details, passwords and personally identifiable information.

The information obtained is then used to gain access to important accounts and may result in identity theft or financial loss.

ONE Kaspersky the official said phishing remains “one of the most prevalent and damaging threats in the cybersecurity landscape.”

“Last year, our solutions blocked 822,536 financial phishing attacks targeting businesses in Southeast Asia, of which nearly 52,914 financial phishing incidents targeted users in the Philippines,” Yeo Siang Tionggeneral manager for Southeast Asia at Kaspersky, said.

He urged fintech companies to exercise due diligence, practice good cyber hygiene and implement security solutions to protect people’s digital assets.

The Kaspersky boss suggested that the companies should do the following:

• Implement a comprehensive defensive concept that equips, informs and guides your team in the fight against sophisticated and targeted cyber attacks like the Kaspersky Extended Detection and Response platform.
• Remind employees of the basic signs of phishing emails, which can come in dramatic subject lines, errors and typos, inconsistent sender addresses and suspicious links.
• Always report phishing attacks. If they detect a phishing attack, report it to their IT security department and, if possible, avoid opening the malicious email. This will allow their cyber security team to reconfigure anti-spam policies and prevent an incident.
• Provide employees with basic cyber security knowledge. Education should be aimed at changing the behavior of students and teaching them how to deal with threats.
• Protect your devices and your business perimeter with a holistic cyber security expert.

“Users like you and I should acknowledge the fact that we are vulnerable. Cybercriminals always find ways to be creative and believable, Siang Tiong said.