  • Writer: Ziggurat Realestatecorp
  • Jun 10, 2024

By now, most of you have read the story of a 32-year-old woman who was recently scammed out of almost half a million pesos after falling prey to the lure of gift certificates offered in seemingly legitimate phone calls from one of her banks. It was a painful read, with red flags everywhere, and it makes for a compelling case study on how reverse social engineering scams are now on the rise.


Reverse social engineering is a type of psychological manipulation tactic where scammers impersonate trusted authorities or entities in an attempt to lull victims into compromising situations. Rather than trying to trick someone directly, reverse social engineering flips the script — playing on people's psychological tendency to comply with perceived authorities.


Expect two things in this case: first, they will sound real; second, they will have correct information about you (and your card and mobile plan details, to name a few). Most importantly, they can copy the real-life scenario of how these things transpire, i.e., when the fraud department calls you or when IT support reaches out.


It will all feel real, which is all the more reason to raise your guard. Statements such as "please watch out for fraud triggers as you will be getting those, and I would just need the verification code to bypass the system" are nothing but a ploy to obtain the OTP so they can take full control of your credit card, for example. That SMS coming from the bank is obviously not a fraud trigger but an urgent reminder for you to validate whether you are indeed making that transaction. If not, run away.


For years, stories of elderly victims being scammed out of their life savings by fraudsters using devious social engineering tactics have been far too common. I previously wrote about how exploiting the trusting nature and sometimes diminished mental capacities of the elderly is deplorable enough.


However, a new wave of sophisticated reverse social engineering scams hits even closer to home — preying on young, tech-savvy millennials instead. In other words, the scam design and its storytelling become intricate enough to get your interest and attention, with the accompanying financial and emotional consequences.


Learning and unlearning at the same time

 

While training and awareness about the tricks and psychological manipulation tactics used in reverse social engineering scams can help mitigate risks, cybersecurity experts agree there are no easy solutions. These scams capitalize on the innate human desire to be viewed as cooperative and to address seemingly urgent issues raised by authorities.


In addition, these intricately designed scams reveal how even our best efforts to arm ourselves against deception may not be enough. That is why it is always important and very practical to keep reminding ourselves, our loved ones and our friends of the following best practices to avoid being victims of such scams:


1. Be vigilant. Know that you have to be extremely wary of anyone asking for personal or financial information, even if they claim to be from a legitimate authority. Verify their identity through other official channels and exercise human two-factor authentication.

The point here is not to believe what you hear in the first instance.


2. Do not take further action. This means never installing software or remote access tools, and never opening attachments, at the prompting of unsolicited emails or calls, even if they seem to be from your own company's IT department. Moreover, demand multiple layers of verification and approval for any unusual requests related to accounts, payments, or access to secure systems.


3. Trust your instincts. The minute you hear and feel a red flag, immediately err on the side of caution. Raise your guard and believe that, yes, you will not receive that voucher promised to you as a reward for your continued use of the bank's credit card. Neither will you get the P70,000 Sodexo gift certificate after creating your digital wallet account.


4. For organizations and employees: ensure that cybersecurity training is provided, highlighting the latest social engineering tactics and how to identify red flags.

More importantly, it is advisable to foster an environment where people don't fear repercussions for questioning suspicious requests to help deter social engineering successes.


Remember, this type of scam is intricate and detailed enough for you to believe the legitimacy of the call. These people have been trained and are continuously practicing and mimicking what goes on in real life to make it appear that they are who you think they are. Now you know otherwise.


Source: Manila Times

 
 
 
  • Writer: Ziggurat Realestatecorp
  • Mar 15, 2024

Airbnb said it is banning security cameras inside guest homes so as to prioritize privacy.


The home rental platform previously allowed indoor security cameras in common areas such as hallways and living rooms if they were clearly visible and disclosed in listings before people booked such properties.


However, people have complained on social media about finding seemingly hidden cameras in Airbnb lodgings, some of them in areas where privacy is expected.

 

"Airbnb is banning the use of indoor security cameras in listings globally as part of efforts to simplify our policy on security cameras and other devices and to continue to prioritize the privacy of our community," the San Francisco-based company said in a blog post.


The new policy, along with a tightening of rules on outdoor security cameras at Airbnb properties, will go into effect on April 30, 2024.

 

"Our goal was to create new, clear rules that provide our community with greater clarity about what to expect on Airbnb," head of community policy and partnerships Juniper Downs said in an online post.


Doorbell cameras and noise decibel monitors will still be permitted by Airbnb for home security and to detect unauthorized parties, according to the company.


Hosts will be required to disclose the locations of any outdoor security cameras, which can't monitor areas such as outdoor showers or saunas, Airbnb said in the post.


Source: Philstar

  • Writer: Ziggurat Realestatecorp
  • Apr 19, 2022

The Bangko Sentral ng Pilipinas (BSP) on Monday, April 18, has again called on the public, especially digital financial consumers, to make use of “all available security features for online transactions” as protection against cyber fraud.


“The BSP encourages digital financial consumers to enable multiple layers of security features, including multi-factor authentication (MFA), for online transactions in BSP-supervised financial institutions’ (BSFIs) digital platforms,” the BSP said in an advisory.


At the same time, the BSP is reminding all BSFIs to “strictly comply with policies on the management of cyber security risks.”


MFA requires users to verify their identity through several methods before proceeding with a transaction. MFA includes one-time PINs or OTPs, biometric authentications, and mobile banking PINs or MPIN. Authentications are sent through SMS, e-mail, or phone call. Enabled notifications will promptly alert the individual if a transaction was completed.


“The BSP continuously reminds the public that e-safety is everyone’s responsibility,” it said.


The BSP has been strongly advising the public to practice cyber hygiene such as refraining from sharing personal as well as sensitive information, and by using strong passwords and changing them regularly.


It also reminds the public to update device operating systems and to report immediately any suspicious or unusual activities to their banks or digital non-bank service providers.


The BSP has recently approved new rules on banks and non-banks’ robust fraud management systems to build up its cybersecurity resiliency.


BSP Circular No. 1140, which BSP Governor Benjamin E. Diokno signed last March 24, amended the existing IT risk management regulation not just to reinforce consumer education and awareness of cyber threats but also to strengthen cybersecurity and minimize losses due to fraud and cybercriminal activities.


The new circular is part of the comprehensive cybersecurity guidelines that the BSP has been preparing.


The BSP is giving BSFIs until end-December 2022 to comply with the circular's standards, and to show their plans of action, including specific timelines and status, before achieving full compliance.


It was in December 2021 when Diokno first announced BSP’s intention to issue stronger regulations on banks’ fraud management systems following the hacking crisis which victimized a number of BDO Unibank Inc. clients. The hacking incident also involved Union Bank of the Philippines.



