Reported Incidents of Fraudulent E-Mails and Websites

May 10, 2017BSP MEMORANDUM NO. M-2017-017TO : All BSP-Supervised Institutions   SUBJECT : Reported Incidents of Fraudulent E-Mails and Websites In response to the growing concerns on cyber-attacks involving fraudulent e-mails and websites aimed at customers and employees of financial institutions, BSP-Supervised Financial Institutions (BSFIs) are advised to sustain resilience efforts and continue to perform rigorous risk assessments of their current technology environment. Further, BSFIs should ensure compliance with the following BSP issuances: 1. BSP Circular No. 958 dated 25 April 2017 — Adoption of Multi-Factor Authentication (MFA) Measures for Transactions Considered as Sensitive Communications and/or High-Risk; and2. Memorandum No. M-2015-025 dated 22 June 2015 — Guidance on Management of Risks Associated with Fraudulent E-mails or Websites.In addition to implementing risk-based authentication methods for customer accounts, BSFIs should also ensure adequate access control measures are in place for systems that support the provision of electronic products and services [e.g., authentication servers, application servers, domain name system (DNS) including domain registry services] regardless of whether these are managed internally or by a third-party service provider. For outsourced...