IT-BPM firms told to boost authentication, anti-cybercrime policies

By Beatriz Marie D. Cruz, Reporter

PHILIPPINE information technology-business process management (IT-BPM) companies must ensure stronger authentication measures and better enforcement of cybercrime laws to prevent cyberattacks that could harm the country’s reputation as a contact center hub, according to analysts.

“As the Philippine IT-BPM industry progresses toward its projections of 1.9 million full-time digital workers and $40 billion in export revenue in 2025, addressing cybersecurity risks like vishing attacks and other forms of cybercrime is essential to sustaining the Philippines’ leadership as a trusted global hub for IT-BPM services,” Jack Madrid, president and chief executive officer at the IT & Business Process Association of the Philippines (IBPAP), told BusinessWorld in an e-mail.

Australian carrier Qantas Airways recently suffered a data breach following a vishing attack at its Manila-based contact center, according to reports.

The cyberattack, which was detected on June 30, exposed the personal information of over six million Qantas customers, including their names, birthdays, e-mails, and frequent flyer numbers.

“These attacks can damage the reputation of call centers in the Philippines… [which is] one of the major contributors of our GDP (gross domestic product),” Allan S. Cabanlong, regional director for the Southeast Asia hub at the Global Forum on Cyber Expertise, said in a telephone call.

The Philippines has long been a favored destination for offshoring and customer service delivery, amid growing demand in sectors like banking, financial services, and healthcare.

However, the country’s existing laws are not sufficiently enforced to address IT-BPM-related attacks like vishing, which could undermine investor confidence, Mr. Cabanlong noted.

“When it comes to catching cybercriminals, we have a cybercrime law. What’s really lacking there is cybercapacity — the influence of enforcement, investigation, and implementation of existing laws,” he said.

Vishing, short for voice phishing, is a type of criminal fraud where scammers make phone calls or send voice messages to trick individuals into sharing their personal information.

“The individuals behind many of the most notable vishing attacks have obtained information that is so convincing that even well-seasoned support staff would be fooled by their efforts,” Satnam Narang, senior staff research engineer at American cybersecurity firm Tenable, Inc., said in an e-mail.

To address this, the government should prioritize the passage of the Critical Information Infrastructure Protection Act, which outlines clear policies and reporting mechanisms to safeguard critical ICT (information and communication technology) systems, Mr. Madrid said.

Lawmakers should also amend Republic Act No. 10175, or the Cybercrime Prevention Act of 2012, to streamline legal proceedings against employees involved in cybercrimes, he noted.

Mr. Madrid also called for the full implementation of the National Cybersecurity Plan 2023-2028, which outlines strategic approaches to combating cyber threats that could compromise national security and economic stability.

“Given the crucial role of technology and the IT-BPM sector in driving the Philippine economy, IBPAP also urges the government to enact and enforce robust data protection and cybersecurity legislation that can deter threats across industries,” Mr. Madrid said.

To prevent vishing incidents, Mr. Madrid added that some IT-BPM firms have adopted preventive tools like the One Trust Link (OTL), a centralized database that helps verify individuals involved in fraudulent activity during their employment.

“OTL is part of the industry’s collective response to fraud prevention, providing companies with a mechanism to identify and screen high-risk individuals more effectively, while safeguarding due process and data privacy,” he said.

Looking ahead, security teams assigned to helpdesks should implement stringent identity verification safeguards beyond information-based questions, Mr. Narang said.

These include using secondary contact methods and stronger forms of multi-factor authentication, he noted.

“Limiting the privileges of frontline helpdesk staff and requiring escalation to more senior helpdesk staff to vet such requests may thwart some of these types of attacks,” Mr. Narang said.

IT-BPM firms should consistently implement employee training, strong authentication, and regular oversight to maintain the integrity and safety of the information they handle, said Ronald B. Gustilo, national campaigner for consumer group Digital Pinoys.

“Maintaining a do-not-act-until-confirmed rule for any system or credential-related requests should also be on the table for implementation,” Mr. Gustilo said in a Viber chat.

Contact centers should also enforce strict rules against sharing passwords, OTPs (one-time passwords), or credentials, he added. Real-world simulations, such as mock vishing calls, should also be conducted to train employees.
