BPI warns companies about a phishing scheme targeting employees

The public and businesses have been cautioned by the Bank of the Philippine Islands (BPI) about the rise in executive phishing attacks, also known as whaling, which preys on employees of a company through sophisticated social engineering schemes. 

According to Jonathan John Paz, the BPI Enterprise Information Security and Data Protection Officer, executive phishing, also known as whaling, is a scam in which dishonest people pretend to be senior management figures in emails and messaging apps like WhatsApp and Viber in order to trick employees into carrying out fraudulent transactions or giving away private or sensitive information. 

“Cyberattacks against organizations do happen and it could cost millions in terms of data loss, financial impact, and operational disruption. Line managers, particularly those with access to critical data or tasked with critical transactions, face the biggest risk of whaling, that is why it’s important to conduct regular cybersecurity awareness training and attack simulations within the company. We must get everyone to understand that cybersecurity is a responsibility we all share and that it takes a collective effort to fight cyberthreats. Doing so will allow us to safely navigate the digital world while ensuring the company and employees are protected.” ~Jonathan John Paz, BPI Enterprise Information Security and Data Protection Officer

Paz urged the public to be alert and exercise caution with emails and attachments to protect themselves from this type of social engineering scams. He advised to follow these tips:

• Verify the sender. Before taking any action, make sure that the sender’s name, email address, and contact number are correct. If you don’t normally receive an email or message from the sender, ask a person in authority to verify their legitimacy. 
• Don’t engage. Don’t click on links or download attachments from suspicious senders. Don’t respond to their message either. 
• Check for viruses. Take an extra step by scanning attachments for viruses before opening them. 
• Report immediately. If you receive a message from a sender who you suspect is impersonating an executive of your company, report immediately to your company’s cybersecurity team. 

Furthermore, according to Paz, businesses need to be proactive in raising cybersecurity awareness. They should encourage their staff to believe that cybersecurity is a shared responsibility, irrespective of their position, title, or length of service. 

The Department of Information and Communications Technology reported that cyber incidents in the nation surged by 62 percent in 2023, indicating the necessity for a more vigorous cybersecurity awareness campaign to safeguard Filipinos.