By Justine Irish D. Tabile, Reporter
FINANCIAL INSTITUTIONS supervised by the Bangko Sentral ng Pilipinas (BSP) lost P5.82 billion from cyberattacks in 2024, up 2.6% from the previous year, according to an official.
“Technological innovation, while it may have plenty of positive results, also has its fair share of negative externalities (which) take shape in the form of cybersecurity risks,” BSP Deputy Governor Chuchi G. Fonacier said at the UK-Southeast Asia Tech Week on Tuesday.
“Gross cyber losses amounted to P5.82 billion in 2024, a slight increase from the recorded P5.67 billion of losses in 2023,” she added.
Under Circular No. 1019, all BSP-supervised financial institutions are required to submit regular and event-driven reports covering technology-related information as well as incidence of major cyberattacks.
“Based on the submitted reports, the number of reports on crimes and losses submitted by our supervised institutions has surged by 150% from around 16,246 reports in 2022 to 40,572 in 2023, with a slight increase to 40,780 in 2024,” said Ms. Fonacier.
Top cybersecurity risks faced by BSP-supervised institutions last year include phishing, “card-not-present” fraud, account takeover or identity fraud, and hacking, she said.
“Phishing and card-not-present fraud are recorded to have the most financially prominent attacks in 2024, with estimated losses soaring to P1.8 billion and P1.5 billion, respectively,” she added.
Phishing involves the use of fraudulent e-mails, text messages or websites to steal user data such as credit card numbers and login credentials.
On the other hand, card-not-present fraud refers to a type of scam where the physical credit card is not needed to complete a transaction.
Ms. Fonacier said threat actors are now using emerging technologies to conduct cyberattacks.
“So, for instance, artificial intelligence (AI) is being used to produce more convincing phishing e-mails, conduct identity takeover through deepfake technology, and create destructive malware variants,” she said.
“These incidents not only threaten to disrupt the delivery of financial products, but they also diminish the public’s trust in our budding digital financial ecosystem,” she added.
Sought for comment, Global Forum on Cyber Expertise Regional Director for Southeast Asia Hub Allan S. Cabanlong said that criminals can now use AI to improve their scam techniques.
“On the other hand, it can also be used by financial institutions to block those criminals,” he said in a phone interview. “It is two-pronged, double-edged, so we should not blame AI. If the criminals use AI, then the bankers or the BSP or whatever financial institution can also use it to block them.”
To mitigate cyberattacks, Mr. Cabanlong said that there is a need to look at banks’ internal policies, make clients aware of the current techniques of threat actors, and strengthen law enforcement agencies.
“The threats are constantly evolving. If your defense doesn’t evolve and you’re stagnant, you won’t be able to catch up with the new techniques of the criminals,” he said.
Dominic Vincent D. Ligot, AI, technology, and research consultant of the IT & Business Process Association of the Philippines (IBPAP), said that the increase in cyber losses can be partly attributed to rapid digital transformation.
“The rapid digitalization of financial services has expanded the attack surface, making financial institutions more vulnerable to breaches. Interconnections with third-party IT systems further exacerbate systemic risks,” he said in a Viber message.
He noted a significant number of cyber incidents involved phishing and social engineering, “exploiting human vulnerabilities rather than technical flaws.”
“Philippine-based threat actors have also been increasingly active, leveraging local scams and political motivations to target financial institutions,” he added.
To mitigate cyber losses, he said that financial institutions and regulators should adopt a multi-faceted approach that will include strengthening cybersecurity infrastructure, enhanced collaboration, human factor mitigation, addressing third-party risks, and legislative support.
In particular, he said that institutions should implement multi-layered defenses like firewalls, intrusion detection systems, and endpoint protection and use advanced technologies like AI-driven threat monitoring.
He also added that initiatives such as the Financial Cyber Resilience Governance Council should be expanded to foster industry-wide cooperation as well as threat intelligence sharing among financial institutions through partnerships.
