
[Vantage Point] The unsinkable cyber thieves

Val A. Villanueva
'The Philippines continues to grapple with the challenges of how to effectively address the problem of illegal cyber activity'

On February 5, 2016, a group of unidentified cyber criminals tried to rob the Bangladesh Central Bank (BCB) of $951 million, but got away with only $81 million. The heist is now etched in world history as one of the largest bank robberies of all time. 

The embezzled money surreptitiously found its way into a respected Philippine bank where it was converted into pesos and then disappeared in Manila’s foggy casinos. Several years later, $15 million had been recouped, but only Maia Deguito, the manager of the Jupiter Street, Makati branch of Rizal Commercial Banking Corp. (RCBC), has been convicted. The Makati Regional Trial Court found Deguito guilty on eight counts of money laundering. Sentenced to a jail term ranging from 32 to 56 years, with each count carrying four to seven years, she was also ordered to pay a total fine of about $109 million. The cyber thieves were never caught and their Manila accomplices other than Deguito remain untouched.

The Bangladesh Bank cyber thieves were highly organized, well-networked, and well-financed. But more than anything else, their success highlighted the weaknesses in the world’s banking system. The hack was highly sophisticated and took place over several lines of attack: manipulation of the SWIFT system – a digital messaging platform that manages many of the world’s interbank financial transfers – to dupe the New York branch of the US Federal Reserve (which holds many international banking assets) into transferring funds to accounts owned by the thieves.

On May 12, 2017, hundreds of thousands of computer users worldwide were greeted with a big red screen demanding, in big letters, a ransom payment of up to $600 in bitcoins to unlock their computers. The WannaCry ransomware targeted computers running the Microsoft Windows operating system by encrypting (locking) data and demanding ransom payments.

Many fell victim to the virus, which hijacked more than 200,000 computers in more than 150 countries. The malware mushroomed from the infected computer by scanning other computers and systems on the network, and over the internet, infecting these connected machines by exploiting the same vulnerability, all without any user action. Technically, it took just one infected user on a network to infect millions of computers worldwide.

Here at home, P1 million was skimmed off a businesswoman’s account sometime in October.  In a complaint filed before the National Bureau of Investigation (NBI) Cybercrime Division, Flordelina Chan said she received numerous messages on one-time passwords (OTP) between October 26 and 27. She ignored the messages, claiming that she was not into online banking transactions. Nonetheless, Chan said she called the bank after she received a message which warned her about a suspicious transaction.

RCBC’s D. Tuazon Branch wrote Chan to tell her it could not return the money lost due to her compromised OTP because there was never a breach detected in RCBC’s internal system. The bank said in a statement that Chan’s account “was compromised outside of the bank’s system.”

Cyber-crime on the rise

These online felonies are but a small sample of how the internet is being used for criminal activities. Banks, commercial establishments, and online consumers are all victims of these seemingly endless online assaults, which have become a major global problem. Online syndicates seem to be always a step ahead of cyber security experts.

According to a published survey from Statista on personal finance conducted during the first quarter of the year (see table), 42% of respondents who experienced digital fraud attempts were targeted with phishing attacks. (Phishing is the fraudulent practice of sending emails or other messages purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers.)

[Bar chart. Source: Statista]

In addition, 38% of respondents were targeted with money or gift card fraud schemes. In this scheme, someone may ask you to pay for something by putting money on a gift card, like a Google Play or iTunes card, and will then ask you to give them the numbers on the back of the card. This is obviously a scam. No real business organization or government agency will ever insist that you pay them with a gift card. Anyone who demands to be paid with a gift card is a scammer.

The Philippines continues to grapple with the challenges of how to effectively address the problem of illegal cyber activity. It is a gnawing problem the country shares with other developing nations in South East Asia and in other parts of the world. Internet fraudsters have multiplied, victimizing businesses from micro to multi-nationals. 

While the internet offers a convenient arena for consumers and commerce, it also offers criminals a loophole-filled system through which they can carry out unlawful activities. What used to be done through snail mail and telephone calls is now being done on the World Wide Web. These online fraudulent schemes are often difficult to trace and prosecute, costing individuals and businesses millions of dollars each year.

From computer viruses to website hacking and financial fraud, internet crime has turned into a much larger concern than it was in the 1990s and early 2000s. The situation is less a measure of growing pains than of the increasing importance of the Internet in daily life. More and more users are surfing the Web. There is greater business reliance on electronic mail. The tremendous upsurge in electronic commerce has raised the financial stakes.

Criminal syndicates have obviously mastered financial fraud. Stopping their rampage requires the concerted effort of all stakeholders. Banks and other financial institutions have not been remiss in doing their part to fight online attacks through continued improvements in their security systems. They also regularly send information and reminders to their depositors through all available platforms about evading cyber scams.

Telcos too have been vigilant in implementing measures to protect the public from text scams. These scams, conducted through short message service (SMS), have metamorphosed from the usual raffle prize swindle to the more vicious financial scams, with cyber criminals worming themselves into the lucrative digital money and e-payment services. Alas, banks and commercial establishments can only do so much in the face of highly organized local and foreign syndicates which are unrelenting in their predatory cyber-attacks.

Is the NBI up to the task?

If banks and commercial establishments have their hands full tackling cyber-crimes, can the National Bureau of Investigation (NBI) step up to help? Consumer group Action for Consumerism and Transparency in Nation Building (ACTION) is demanding that NBI Director Medardo De Lemos take a more aggressive stance in going after these thieves.

ACTION Secretary General Jake Silo in a letter asked the NBI to “arrest as many (syndicates) as they can to not only weaken their network, but also to send the message that the government is serious in its crackdown against online financial scammers.”

An aggressive and proactive approach, the group believes, will help prevent a repeat of what happened last year when hundreds lost their hard-earned money to scammers during the holidays. ACTION warns that the threat has become more alarming since millions of workers have begun receiving their 13th-month pay and other Christmas bonuses, and overseas Filipinos are going home for the holidays.

I can see where the group is coming from. Exasperated at the thought of cyber criminals going their merry way in committing their nefarious activities, ACTION is pressing the NBI to throw these thieves behind bars.

The group also said online syndicates are expected to go all-out in their illegal schemes before the full implementation of the SIM Card Registration Act next year.

The law was passed to address crimes using the platform, including text and online scams, by regulating the sale and use of SIM cards through mandatory registration by end-users.

“It is a now-or-never situation for them and this is why we see the recent rise in unabated SMS scams, which we feel will lead to getting people’s OTPs and consequently access to the victims’ bank accounts,” the group stressed. “We hope that leading to the holidays, authorities arrest as many as they can to not only weaken their network, but also to send the message that the government is serious in its crackdown against online financial scammers.”

Types of online scams

The Anti-Cyber Crime group of the Philippine National Police (PNP) has published on its website the most common online scams and protective measures against them. These include:

The Lottery Scam:  

Modus Operandi – Out of nowhere, you will receive an email, letter, or text message congratulating you for winning a lot of money or some fantastic prizes in, say, a raffle draw that you never joined. The name of a legitimate organization or lottery company will be used. In the congratulatory message, you will be instructed to respond quickly or risk missing out. The scammers do this to try to stop you from thinking about the surprise too much in case you start to suspect its authenticity. You could also be urged to keep your winnings private or confidential, to ‘maintain security’ or stop other people from getting your ‘prize’ by mistake. Scammers do this to prevent you from seeking further information or advice from independent sources. You will then be asked to pay certain fees so you can claim your winnings. Scammers will often say these fees are for insurance costs, government taxes, bank fees or courier charges. The scammers make money by continually collecting these ‘fees’ from you and stalling the payment of your ‘winnings’. Some scammers may also ask you to provide personal details to ‘prove’ that you are the correct winner and to give your bank account details so the prize can be sent to you. Scammers will use these details to try to misuse your identity and steal any money you have in your bank account.

Protection – Do not send money or pay any fee to claim a prize or lottery winnings. Automatically delete without opening suspicious or unsolicited emails (spam). Never reply to a spam email (even to unsubscribe). Never call a telephone number that you see in a spam email. Never respond to a text message which says you have won a competition that you did not enter. Do not click on any links in a spam email, or open any files attached to them. If it appears too good to be true — it probably is.

Card skimming:

Modus Operandi – The scammers will illegally copy information from the magnetic strip of a credit or ATM card, so they can create a fake or cloned card with your details on it. The scammer is then able to run up charges on your account. Card skimming is also a way for scammers to commit identity fraud. By stealing your personal details and account numbers, the scammer may be able to borrow money or take out loans in your name.

Protection – Keep your credit card and ATM cards safe. Do not share your personal identification number (PIN) with anyone. Do not keep any written copy of your PIN with the card. Check your bank account and credit card statements when you get them. If you see a transaction you cannot explain, report it to your credit union or bank. Choose passwords that would be difficult for anyone else to guess. If you are using an ATM, take the time to check that there is nothing suspicious about the machine.

Phishing:

Modus Operandi – The word phishing comes from the analogy that Internet scammers are using email lures to fish for passwords and financial data from the sea of Internet users. Phishing, also called brand spoofing, is the creation of email messages and Web pages that are replicas of existing, legitimate sites and businesses. These Web sites and emails are used to trick users into submitting personal, financial, or password data by asking for information such as credit card numbers, bank account information, social insurance numbers, and passwords that will be used to commit fraud. Brand spoofing aims to lead consumers into believing that a request for information is coming from a legitimate company. In reality it is a malicious attempt to collect customer information for the purpose of committing fraud.

Protection – Equip your computer with anti-virus software, spyware filters, email filters and firewall programs. You can verify a website’s authenticity by looking for “https:” at the beginning of the internet address. Contact the financial institution immediately and report your suspicions. Do not reply to any email that requests your personal information. Look for misspelled words.

Email spoofing:

Modus Operandi – The scammer creates messages with a forged sender address, something which is simple to do because the core protocols do not include authentication. Spam and phishing emails typically use such spoofing or falsification to mislead the recipient about the origin of the message. In a spoofed email, the sender purposely alters parts of the email to masquerade as something authored by someone else. Commonly, the sender’s name/address and the body of the message are formatted to appear as though they came from a legitimate source, such as a legitimate bank, newspaper, or company on the Web. Sometimes, the spoofer will make the email seem to have come from a private citizen somewhere.

Protection – Consider what personal information you post on social or business networking services. Scammers use publicly available information to identify potential victims. Check if a website has a digital certificate. Install and regularly update antivirus, antispyware, and firewall software. Never click on links provided in emails or open attachments from strangers. An email with an attachment that arrives unexpectedly could contain malware. 

As the world continues to embrace the digital norm and commerce is transacted over the internet, we should always be mindful of privacy and security concerns to ward off cyber threats. If governments remain inutile in putting a brake on online syndicates, I wouldn’t be surprised if the next financial meltdown would be sparked by a cyber-attack. – Rappler.com

Val A. Villanueva is a veteran business journalist. He was a former business editor of the Philippine Star and the Gokongwei-owned Manila Times. For comments and suggestions, email him at mvala.v@gmail.com.

1 comment

  1. AH

    Our laws – and the reputation of law enforcement – deter people with the knack for infosec roles and activities (penetration testing, security auditing, active defense, red/blue teaming, etc.) from pursuing an interest in hacking and learning about the weaknesses of IT systems. The defense establishment needs to get real: The fraction of the population employed by the intelligence and anti-cybercrime agencies of government cannot be the source of our country’s security operations expertise. Government needs the private sector to grow that expertise, by creating the conditions for companies to flourish that “do cybersecurity” for a living. Right now, compared to what e.g. Australia, in particular, has done, our governing elites have no clue. The proof of that is in the legislation relating to cyber from the past decade.