
Practical tips to keep yourself safe from bank fraud

Lance Spencer Yu

You’ve all heard about not sharing your OTP to anyone – but there are also other things you can do. Here are some tips from cybersecurity experts.

MANILA, Philippines – As the Senate continues with its public hearings on the proliferation of bank fraud, one thing has become clear: the country’s outdated banking and cybersecurity laws alone can’t protect you when fraudsters attack.

You have to learn how to keep your own account safe as well. That’s especially true now as some fraudsters have taken to “hacking” the human instead, as banks ramp up their security and make their systems impervious to hacks.

As cybersecurity consultant Philip Kwa put it, fraudsters take advantage of people being the “weakest link” in the chain of security. They can exploit our human tendencies to give out information or click risky links when we’re excited, afraid, or vulnerable.

“As we know, the human factor is the weakest link,” Kwa told Rappler. “Have this security culture in your mind to always keep yourself safe. Look very carefully at what is being sent to you.”

So, if fraudsters are increasingly targeting us account holders directly, what actions can we then take to protect ourselves? We spoke to cybersecurity experts and a bank president to find out what tips they can offer.

1. Type it, don’t click it

One classic trick that fraudsters use to get into your account is to phish for your information using a URL that looks almost identical to that of a real website – but with some letters that are actually different. This is called a “homoglyph” attack.

Quick test: can you tell which one is the actual URL to the central bank’s website?

  • bsρ.gov.ph
  • bSp.goⅴ.ph
  • bsp.gov.pʜ

Trick question, it’s none of them! The real URL should be bsp.gov.ph. If you’re not extra careful, you could easily click one of these links.
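The three lookalikes above are hard to tell apart by eye, but a machine can spot them easily. As an added example (not from the article or from any bank's tooling), the script below checks a domain against the expected one: it reports every character that is not plain ASCII, applies Unicode NFKC normalization to show which lookalikes collapse back to the real name, and shows the IDNA (punycode) form a browser would actually send. The sample domains are the article's own; the function names are my own.

```python
import unicodedata

# Sample data taken from the article: the real domain and three lookalikes.
REAL_DOMAIN = "bsp.gov.ph"
SUSPECT_DOMAINS = ["bsρ.gov.ph", "bSp.goⅴ.ph", "bsp.gov.pʜ"]


def suspicious_chars(domain):
    """Return (position, char, Unicode name) for every character that is not
    ASCII a-z, 0-9, '-' or '.'. An ASCII capital is not a homoglyph (DNS is
    case-insensitive) but is reported so the reader sees where it sits."""
    out = []
    for i, ch in enumerate(domain):
        if ch.isascii() and (ch.islower() or ch.isdigit() or ch in "-."):
            continue
        out.append((i, ch, unicodedata.name(ch, "UNKNOWN")))
    return out


def skeleton(domain):
    """NFKC-normalize and lowercase. Characters with a compatibility mapping
    (e.g. SMALL ROMAN NUMERAL FIVE -> 'v') collapse to ASCII; characters from
    other scripts (Greek rho, Latin small-capital h) do not, which is why a
    visual comparison alone is unreliable."""
    return unicodedata.normalize("NFKC", domain).lower()


def punycode(domain):
    """ASCII form a resolver sees. A label with non-ASCII letters becomes an
    'xn--' label; the genuine domain comes back unchanged."""
    return domain.encode("idna").decode("ascii")


def check(domain, expected=REAL_DOMAIN):
    """Classify a domain relative to the one the user expects to visit."""
    if domain == expected:
        return "ok"
    if skeleton(domain) == expected:
        return "lookalike-normalizable"   # NFKC maps it onto the real name
    if suspicious_chars(domain):
        return "lookalike-mixed-script"   # foreign-script letters remain
    return "different"


if __name__ == "__main__":
    for d in [REAL_DOMAIN] + SUSPECT_DOMAINS:
        print(f"{d!r:18} {check(d):24} idna={punycode(d)}")
        for pos, ch, name in suspicious_chars(d):
            print(f"    position {pos}: {ch!r} is {name}")
```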

So, what happens if you actually click a phishing link? You might be redirected to a website that “spoofs” or copies the website of your bank down to the last detail. Convinced, you might then enter your username and password in the fake website, thinking that you were logging into your bank account, when in reality, you just gave the fraudster your account details.

Fortunately, modern browsers provide you some protection against homoglyph attacks, so long as they are updated. But UnionBank chief information security officer and data protection officer Joey Rufo recommended going a step further: type the URL, don’t click it.

“Just be cautious of what you click. Type it, don’t click it. Sometimes, even if you click on the text that you see on the message, it may not be the actual link to where it goes, right?” Rufo told Rappler. “The best way is always to just go directly to the browser, and type the actual website.”

2. Keep a low profile and always double-check

In this age of social media, Rufo recommended going the opposite route: don’t overshare. Posting on social media, especially when the visibility of your post is set to public, gives would-be scammers free access to your information. That could make you an easier target to impersonate.

Rufo likened it to displaying your valuables in the physical world.

“You try to keep things simple and hidden. So, in the cyber world, same thing. Do not share more than what is necessary. Do not share your boarding passes, tickets, passports, your 2×2 picture. Do not put it anymore online,” Rufo told Rappler in a mix of English and Filipino.

But with us being chronically online, the chief information security officer said that the best way to protect yourself is to assume that your information is already on the web.

That’s why cybersecurity expert Philip Kwa recommended double-checking whenever you get suspicious or unexpected messages from people.

“If you receive an email that you’re suspicious of, that you don’t expect to receive, then don’t answer the email. Or if it comes from a friend of yours, and you don’t expect a friend to send it to you, call your friends and check with your friends,” he told Rappler.

Double-checking has become even more important as artificial intelligence (AI) enables bad actors to spread phishing emails and messages at an unprecedented pace and scale. (READ: AI being used for hacking and disinfo, top Canadian cyber official says)

“With the use of generative AI, I can use it to craft a very enticing email. I can use it to emulate your voice, and you think it’s your friends or relatives. So again, if you receive this kind of call, double-check and make sure that it’s from somebody that you can trust,” Kwa added.

3. Don’t put your savings in a single account

You may have heard of not putting all of your money in an e-wallet. But the same applies to your savings too. 

Similar to an e-wallet, it can help to only put large amounts in your deposit account when you immediately need it, especially if the account has online banking functionality.

That’s because if a fraudster manages to gain access to your bank account, they can transfer up to P50,000 out a day in real-time using InstaPay. If it goes unnoticed for weeks, that could mean hundreds of thousands siphoned off.

Richard Lo, convenor of anti-fraud advocacy group BankFraudPH, instead recommended keeping the bulk of your savings in stable financial instruments, like time deposits or money market unit investment trust funds.

This gives a couple of benefits, such as earning higher returns than a regular savings account while also taking low risks, given their conservative nature. 

When it comes to security, sometimes slower is better too. It’s harder for a fraudster to impersonate you and withdraw money when it’s stored in these financial instruments, especially since it takes about one full day for the bank to process withdrawals from these instruments.

“Perpetrators cannot readily touch your money which are placed in such ‘vaulted’ investment instruments,” Lo told Rappler.

4. Lower your transaction limits, add MFA

You should also familiarize yourself with the security features in your banking app. For instance, if you have a savings account that has online banking, you might want to manually lower transaction limits.

Most mobile apps for online banking include settings to reduce the total amount that you can transfer per transaction. Jerry Ngo, chief executive officer of EastWest Bank, advised that if you don’t regularly transfer large amounts of money using online banking, you can lower this limit and raise it the next time you need it.

“I keep my limits very low. Whenever I want to just transact, I go to settings, I increase it, again may mga (there is) extra validation. Then I make those big transactions. Then you can reverse it back,” he said. “Safe, kontrolado mo lahat (you control everything).”

Because banks normally ask for further OTP verification before these settings can be tweaked, it affords you a bit of extra protection.

UnionBank’s Rufo also recommended enabling multi-factor authentication, or MFA, whenever you can – for your bank account and even social media accounts. This means that aside from having to enter a password to unlock your account, you’ll also be asked for another form of verification, such as an OTP or face scan.

Rufo suggested strengthening your bank account’s password too and using a password manager to help remember it.

“If you have the ability to use password managers, such as those digital ones, make use of them. It allows you to have different passwords for different websites,” he told Rappler.

“A lot of the hacks na nakikita namin, isa lang ‘yung password niya sa email, sa banking, sa social media. So, one password, pasok sa lahat,” he said.

(A lot of the hacks that we see, the person just had one password for their email, banking, and social media. So, with one password, the hacker got into everything.)

5. Beware of info-stealing malware

Sometimes, you might be giving your information to fraudsters without even realizing it. That can happen when your device is infected with an “info stealer.”

An info stealer is a type of malware that can stay on your computer or phone without you knowing it. Once in your device, it can steal credentials and passwords that you type in through a variety of ways.

But how do you get infected by an info stealer? It can happen when you click on links that redirect you to malicious websites. Rufo also warned that they can hide in seemingly innocuous apps – like ones that you download to check horoscopes or “clean” your phone.

“What it does is that whenever you receive a communication, it also sends the communication to the cyber criminals,” Rufo told Rappler. 

“That’s why we keep on educating people to always have antivirus on your computers. Don’t use pirated software. Don’t download apps that you don’t know or are non-reputable,” the chief information security officer added. – Rappler.com


Lance Spencer Yu

Lance Spencer Yu is a multimedia reporter who covers the transportation, tourism, infrastructure, finance, agriculture, and corporate sectors, as well as macroeconomic issues.