Social engineering tops cyber threats in Philippines BSP study in 2025

MANILA, Philippines — Cybercrime threats driven by social engineering, hacking and card fraud remain the biggest risks confronting the country’s financial system last year, accounting for the bulk of cyber-related fraud losses monitored by the Bangko Sentral ng Pilipinas.
Data presented by BSP Deputy Governor Lyn Javier showed that social engineering, account takeover and identity theft made up 76 percent of reported cyber fraud losses in 2025, followed by hacking at 13 percent and card not present fraud at eight percent.
The figures reflect the growing shift toward scam-driven, human-centered attacks as digital financial services expand and transactions move faster across interconnected platforms.
Speaking at a media information session, Javier said the evolving cyber threat landscape is closely linked to the increasing interconnectedness of the banking system, fintech firms, third-party service providers and consumer devices.
“When we look at the cyber threat landscape today, what immediately stands out is how interconnected the banking system is,” she said. “We now operate in a highly interconnected system. So, banks connected to banks, banks connected to third-party service providers and fintechs.”
While this interconnectedness delivers efficiency and convenience, Javier warned that it also expands the attack surface for cyber threat actors.
“These seamless connections that improve customer experience also expand the attack surface for cyber threat actors,” she said, adding that every connection point and device becomes a potential vulnerability.
Javier said the impact of cyber incidents is amplified by the speed of digital payments and the ability of criminals to move funds quickly across multiple channels.
“Once an account is compromised, it gets transferred to multiple channels,” she said. “As the speed increases, the losses also increase, the window of recovery narrows down and it allows the cyber crime to scale more rapidly than before.”
In response, the BSP is promoting what Javier described as a comprehensive, agile, risk-based and engaging supervisory framework known as C.A.R.E. to manage information technology and cyber risks.
Surveillance plays a central role, with banks required to submit incident reports while the BSP also monitors social media, industry databases and open-source signals to detect emerging threats.
When cyber attacks occur, the central bank conducts an incident triage using a traffic light system that triggers corresponding supervisory actions. Lessons learned are fed back into surveillance and assessment processes, while the BSP also draws from the experience of other regional supervisors.
To further promote cyber resilience, Javier said the BSP is implementing several initiatives, including the Financial Services Cyber-Resilience Plan, the establishment of a money mule database to help detect and block suspicious accounts as well as continued engagement through the Financial Services Cyber-Resilience Council.
On fraud loss figures, Javier said the BSP deliberately avoids disclosing absolute peso amounts to prevent misinterpretation.
“We intentionally did not include the amount because the amount is always relative,” she said. “So it’s just a percentage.”
Looking ahead, Javier warned that advances in technology and the growing use of artificial intelligence could make scams harder to detect.
“With increasingly sophisticated technological advances and the use of AI, it has become very challenging to verify whether the person you are dealing with is legitimate,” she said. “That is why it is very important that we continue strengthening our defenses.”
She said this requires stronger risk management and fraud systems within banks, better cyber hygiene among users and continued coordination across regulators, law enforcement, telcos, the media and the public.
- Latest
- Trending





























