A global cybersecurity expert shared tips on how fintech (financial technology) companies can exercise due diligence following the recent multi-million-peso phishing attack on thousands of GCash users.
This week, GCash trended on social media platforms after some of its users reported registering unauthorized transactions on their respective accounts.
Some claimed that they did not receive any notification or prompt informing them of the supposed money transfers they made, unlike in usual transactions.
The cash was transferred to an EastWest or Asia United Bank account.
The victims include comedian-vlogger Chad Kinis.
An executive from the mobile e-wallet app said that the incident was a case of “sophisticated phishing.”
Reports said that GCash's examination of the logs of the fraudster's actions showed that a link had been sent to several users. Those who clicked on it received a request to link a device.
This is how the fraudster phished information from unsuspecting users.
“When they [were] able to access the link, information from their device [was] phished. That is our phishing. Any activities from then on are seen by our fraudster. What he did, he requested to link a device,” Gilda Maquilan, vice president for corporate communications of GCash, said on ANC on Wednesday, May 10.
“When you [are] able to link that, you can make your transaction. That is our regular process to access GCash. You have to have the MPIN, and you have to have the OTP, which the fraudster was able to acquire,” she added.
MPIN refers to mobile personal identification number, while OTP refers to one-time PIN.
“This is a phishing incident and not hacking… The fraudster attempted to link a device,” Maquilan further said.
GCash conducted a “preventive maintenance” to investigate the users’ complaints and restore the account balance of those affected.
Phishing is a cybercrime in which a target is contacted by email, telephone, or text message by someone posing as a legitimate institution or entity to lure them into providing sensitive data such as banking details, passwords, and personally identifiable information.
The information obtained is then used to access important accounts and can result in identity theft or financial loss.
A Kaspersky official said that phishing remains “one of the most prevalent and damaging threats in the cybersecurity landscape.”
“Last year, our solutions blocked 822,536 financial phishing attempts targeting businesses in Southeast Asia, of which nearly 52,914 financial phishing incidents targeted users in the Philippines,” Yeo Siang Tiong, general manager for Southeast Asia at Kaspersky, said.
He urged fintech companies to exercise due diligence, practice good cyber hygiene, and implement security solutions to protect people’s digital assets.
The Kaspersky exec suggested that the firms do the following:
- Deploy a comprehensive defensive concept that equips, informs, and guides their team in the fight against sophisticated and targeted cyberattacks, such as the Kaspersky Extended Detection and Response platform.
- Remind employees about the basic signs of phishing emails: dramatic subject lines, mistakes and typos, inconsistent sender addresses, and suspicious links.
- Always report phishing attacks. Employees who spot a phishing attack should report it to their IT security department and, if possible, avoid opening the malicious email. This allows the cybersecurity team to reconfigure anti-spam policies and prevent an incident.
- Supply employees with basic cybersecurity knowledge. Education should be aimed at changing the behavior of learners and teaching them how to deal with threats.
- Protect their working devices and their enterprise perimeters with a holistic cybersecurity expert.
“Users like you and I should acknowledge the fact that we are vulnerable. Cybercriminals always find ways to be creative and be believable,” Siang Tiong said.