Social engineering is top cyberthreat for PHL banks

SOCIAL ENGINEERING SCHEMES, such as phishing scams, was the top cyberthreat that affected Philippine banks in the first half of 2025, posing a persistent risk to the country’s digital payments system, the Bangko Sentral ng Pilipinas (BSP) said.

Based on the BSP’s cyberthreat surveillance in the first half of 2025, social engineering, account takeover, and identity theft accounted for 76% of the total amount lost to financial fraud in the period.

“This actually mirrors what other supervisors are seeing. We are seeing that social engineering remains the biggest driver of cyber-related threats,” BSP Deputy Governor Lyn I. Javier said during a media information session in Dumaguete City on Monday.

“So, we’re seeing phishing, vishing, and smishing — again highlighting (the) human element, exploiting the trust of the public or the people. It’s a vulnerability that these threat actors are exploiting just also to implement their schemes or the scam.”

Phishing involves the use of fraudulent e-mails, text messages or links to steal personal, financial, or account information. Vishing, or voice phishing, is a form of phishing using phone calls or voice messages, while smishing is done via text messages.

Meanwhile, hacking was the second most common cyberthreat in the banking system, making up for 13% of total losses, followed by card-not-present fraud with 8%.

Ms. Javier said cyberthreats are becoming more frequent, targeted, and more scalable.

“And as the speed increases, the losses also increase, the window of recovery narrows down, and it allows cybercrime to scale more rapidly than before,” she said.

“So… when we talk about cyber risk, it is no longer just a technology issue. It’s about trust, behavior and (an) ecosystem challenge that we all have to contribute to addressing and protecting the financial system. It directly affects consumer confidence, operational resilience, and ultimately poses risks to financial stability.”

She added that growing interconnectedness in the financial system has expanded potential attack points for cybercriminals as there are increased potential vulnerabilities that they can exploit.

This also heightens financial stability risks as a single point of failure could also affect other institutions, she said.

“Cyber risk is evolving, it’s shifting, and we also have to learn how to adapt to this development… An attack in one financial institution does not necessarily mean that it will be confined to that institution. It could affect other financial institutions connected to that bank. So, it means the services being offered to businesses and households,” she said.

“Now, the stakes become higher when cyber incidents attack critical financial market infrastructure — for example, the payments system. And then, what’s even more challenging is when they attack the accounts of individuals, of depositors, and this scales up, it could actually trigger massive withdrawals in a financial institution, triggering liquidity issues and sometimes capital issues in that financial institution because of the loss of confidence of the public in that particular bank. The trust of the public or trust of the depositors, it’s the core, it’s the foundation of banking. So, we have to take care of that trust.”

She said that while there’s no fool-proof defense against cyberattacks, the central bank and industry stakeholders continue to put in place various rules and measures to strengthen the financial sector’s resilience.

The BSP requires all its supervised financial institutions to submit regular and event-driven reports covering technology-related information as well as incidence of major cyberattacks. Ms. Javier added that they monitor potential threats through social media platforms and the cybersecurity incident database.

The BSP has also mandated banks to update their respective fraud management systems to align with the implementing rules and regulations of the Anti-Financial Account Scamming Act. It has given lenders until June 25 to comply, adding that failure to do so could result in license suspension. — Katherine K. Chan