In 2020, hacking and other malware attacks surged by a whopping 2,324% from the previous year, while phishing and other social engineering schemes increased 302% from 2019, according to the Philippine central bank.


  • Philippine central bank reports 2,324% spike in hacking, malware attacks during COVID months.
  • 302% spike in phishing and other "social engineering" schemes in 2020, compared to 2019. 

Unregistered SIM cards have become the scourge of online trade in the Philippines, through scams driven by the anonymity of mobile phone numbers. But it's just one of the enablers of financial fraud in the Asian country.

Between 2019 and 2021, Filipinos lost an estimated 2 billion pesos (about $40 million) to online fraudsters, according to a senior Philippine central bank official.

Bangko Sentral ng Pilipinas (BSP) Governor Benjamin Diokno said the shift to digital payments and online banking amid the pandemic saw a spike in cybercriminal activity.

The data came from consumer complaints noted by the BSP in the last two years, from 2019 to 2021, which show financial transactions valued at Php 2 billion involved in scams, hacking and phishing attacks, said Diokno. The Philippine central bank has been cracking the whip against fraud and money laundering, but new legislation is being considered in the Senate to better protect consumers of financial services.

2,324% surge in hacking, malware attacks

“In 2020, hacking and other malware attacks surged by a whopping 2,324% from the previous year, while phishing and other social engineering schemes increased 302% from 2019.”

“Over the same period, account takeover or identity theft rose 2.5 percent,” he added.

Dr Diokno was testifying on the proposed financial consumer protection act being heard in the Philippine Senate.

Not just hackers

In addition to reports of bank transaction fraud, the BSP also heard consumer complaints involving insurance players, as well as “hundreds” of investment scams reported to the Securities and Exchange Commission (SEC) in 2019 and 2020.

“Without this act, we will continue to hear stories like Johnny’s — a father of two young children and an economic front-liner, who lost his hard-earned savings after a fraudster obtained his account information and made unauthorised fund transfers; or Marianne’s — a small business owner, who was billed with an increased amortisation on her loan account. She disputed the reasonableness of the fees and charges, but lost to the financial institution in the end,” Diokno said.

Diokno said complaints elevated to the BSP’s consumer assistance mechanism in 2021 involved transactions worth Php540 million.

42,456 complaints

A “dramatic rise” in digital financial transactions posed “graver risks”, he said. Digital payments saw a massive jump in the country even as the economy slid into a recession and millions lost their jobs.

As COVID-related mobility curbs were imposed, the BSP logged 42,456 complaints from consumers about fraudulent financial transactions in 2020 and 2021.

45.2%: share of hacking and/or scam complaints related to the use of internet banking and mobile banking

Diokno pressed for legislation to better protect consumers from online fraud.

“A majority of these cases have been deemed closed. But the process was long and arduous. And for many complaints the resolutions were unfavourable to the consumer,” Diokno said.

“Complaints related to the use of internet banking and mobile banking account for 45.2% of the total complaints in 2021. Hackers and scammers took advantage of the digital infrastructure and consumer vulnerability to perpetrate crime. Based on BSP monitoring, the increased use by the public of digital financial services has given rise to a wave of cyber and financial crimes,” Diokno told the Senate.

Hacking incidents

On December 12, 2021, the central bank said it was looking into complaints that some clients of BDO Unibank, the Philippines’ biggest lender, lost money to online fraud that involved the use of Union Bank of the Philippines (UBP) accounts.

The BSP’s investigation into the incident is still ongoing, in parallel with a probe being undertaken by the National Bureau of Investigation, BSP director Melchor Plabasan told senators.

The BSP said it was looking closely into the case to ensure remedial measures, including reimbursement of affected consumers, are taken. BDO has said it has already made restitution to about 700 affected accounts. The BSP is expected to submit its own report on the hacking incident to the Monetary Board by end-January.

The BSP was beefing up its regulatory “cyber-defenses”. It has hired globally-certified “ethical hackers” to conduct “penetration tests” and combat the rise in cyberattacks.

Financial consumer protection bill

“These cases could be resolved quickly once the financial consumer protection act is in place. This act will empower financial regulators such as the BSP, the Insurance Commission, the SEC and the Cooperative Development Authority (CDA) to expedite the adjudication of reasonable monetary claims more efficiently, fairly and openly, all to the benefit of the consumers,” Diokno told the Senate hearing.

In the proposed legislation, financial regulators will be empowered to “sanction business practices and entities that pose grave and irreparable injury to financial consumers.” Diokno said the bill, if passed into law, will not only help curb risks from financial fraud and cybercrime but also maintain consumer confidence in the financial system.

On December 16, 2021, the Senate passed on third and final reading Senate Bill (SB) 2395, which will require the registration of subscriber identification module (SIM) cards. Known as the SIM Card Registration Act, it seeks to curb criminal activities aided by mobile phones, the internet, or other electronic communication devices, such as terrorism, text scams, unsolicited indecent or obscene messages, bank fraud, and disinformation.

The bill has to be "harmonised" with the version passed by the House of Representatives on December 6 before the final version is offered for the president's signature.