Heritage Bank responds to phishing challenges
The phishing scam, which has been made public in recent days, has led one commercial bank to respond to the concerns of citizens. One businessman went as far as saying that the bank – in this case, Heritage Bank – was not doing enough to prevent customers from losing money. However, in our extended discussion on this, Heritage Bank’s Managing Director, Stephen Duncan, took time to explain today that while phishing is not unique, the bank’s system was not hacked. Instead, customers clicked on external links, without the bank’s knowledge, which led to their funds being stolen.
Stephen Duncan, Managing Director, Heritage Bank: “The phishing scam that’s going on is not an intrusion or a hacking of the bank’s system. So none of the banks in Belize has had their system hacked or broken into. Phishing scams have been occurring in Belize because customers of banks have been giving up their credentials which they use to access their bank accounts and they’ve been giving up to third parties. It might be unwittingly done but nonetheless they’re giving up the credentials. So once you give your password and your PIN number and that type of thing to a third party, if that third party chooses to use it, no bank will be aware that it is not you using it, and that is the same for international banks as for local banks. It is the same for large banks as it is for small banks because any system, any electronic system, in fact any system at all of withdrawing money from banks is based on you the customer providing the bank with prearranged or predetermined information that the bank can use to match to make sure that you are the one accessing your account.”
The Police Department and the FIU both agree that customers fall victim to this type of cyber-fraud because they click on links that look like legitimate correspondence from the institutions they bank with. Duncan says that when in doubt, customers should call the bank. He also reiterated that all commercial banks have many layers of protection to prevent fraudsters from getting into their systems.
Stephen Duncan, Managing Director, Heritage Bank: “The security in the banks are standing. We have a cybersecurity committee that is established by the Central Bank of Belize along with all the banks and credit unions and we have certain minimum standards that Central Bank put in place that we have to meet and they check our systems, they test our systems. We have audits of those systems and so the security system, the level of security we have is pretty standard. Again, I add those security systems were not breached and effectively we are aware that in fact, besides the password being lost, our system has different layers, and so if you try to send funds from a Heritage Bank account to an account at another bank, besides the fact that you are already in the bank’s system doing that transaction, it’s going to send to you another code that you have to use in order to send that money out of the bank to another bank or to another institution. So there are different layers, so all banks have different layers as well.”
Thus far, the scam appears to be a local enterprise, and it has managed to scam customers out of thousands of dollars. The Police and the FIU are actively investigating the scam. In the meantime, Duncan says that online banking remains safe, and he explained some of the security features that are currently in place.
Stephen Duncan, Managing Director, Heritage Bank: “You start with setting up the system within a bank and what banks do is that you arrange with the bank how you’re going to access your account. In the old days it used to be just a signature but now it’s password and then you have above that codes, different codes that are sent out depending on what transaction you’re doing and those codes are sent in real time. So a code does not last for more than seconds and I’m sure that most people who do things internationally, whether you buy on Amazon, or there are times you are asked to put in a code which they send to you when you want to set up your Gmail account, or if you forget your Gmail password they end up sending something to you; you have to get it into the system within a certain time frame or it expires. It’s the same thing that banks do and we make sure that you get these codes and then those are authenticated and checked and it varies from transaction to transaction, so one code that you get for this transaction cannot be used for another transaction. Each transaction requires its own code.”
Duncan adds that the bank has been advising customers and will do its part to raise awareness by asking people not to click on suspicious links.