When cybersecurity reminders are not enough

The latest findings from the Philippine Statistics Authority should change the way the country talks about cybersecurity. When 6 out of 10 Filipinos have been exposed to a cybersecurity incident in 2024, maybe reminders are not enough.

More than six in ten Filipinos using information and communications technology devices experienced a cybersecurity incident in 2024, with SMS fraud and text scams emerging as the most common threats. That is an extraordinary number, not because scams exist, but because they have become a shared experience for the majority of digital users. When a problem reaches that scale, it is no longer sufficient to explain it as a matter of individual carelessness.

Same response to growing incidents

The response, however, has remained largely unchanged. Every major scam wave is met with familiar reminders from government agencies and telecommunications companies: be vigilant, avoid suspicious links, never share one-time passwords, and improve digital literacy. 

None of this advice is wrong. Every Filipino should know how to recognize online scams. But the PSA’s findings suggest that education alone cannot explain why cybercrime continues to thrive. Digital literacy is an important defense, yet it has gradually become the default answer whenever institutions are asked why scams remain so pervasive.

There is a danger in relying too heavily on that narrative. It subtly shifts responsibility away from those who build, regulate, and profit from the country’s digital infrastructure and onto ordinary citizens. If someone falls victim to a scam, the assumption is often that they should have been more careful. 

But when most ICT users report experiencing cyber incidents, it becomes increasingly difficult to argue that the primary weakness lies with the public. The more reasonable conclusion is that the systems meant to protect them are still falling short.

This is particularly relevant in the wake of the SIM Card Registration Act. Filipinos complied with the law by submitting personal information and government-issued identification under the promise that anonymous scams would become more difficult to carry out. 

RELATED STORY: SIM registration law failed, says lawmaker

While the law may have improved the ability of authorities to investigate cybercrime, it has not eliminated the daily reality of fraudulent text messages and other forms of digital deception. Citizens have fulfilled their part of the social contract. They are justified in asking whether the institutions that required their compliance have fulfilled theirs.

The balancing act

To be fair, cybersecurity is not a problem with a simple solution. Telecommunications providers continue to invest in spam filtering and network security. Regulators conduct public awareness campaigns and coordinate with law enforcement. Criminal groups also evolve, adopting new technologies and changing tactics faster than governments can often respond. No country has completely eliminated phishing, fraud, or online scams. That reality deserves acknowledgment.

Acknowledging complexity, however, should not become an excuse for accepting the status quo. Cybersecurity is a shared responsibility, but shared responsibility does not mean equal responsibility. Ordinary citizens cannot monitor telecommunications networks, detect coordinated attacks, or dismantle organized scam operations. 

Those responsibilities belong to institutions with the resources, authority, and technical expertise to act before threats reach consumers. Public awareness should be the final layer of protection, not the foundation upon which the entire system depends.

Safeguards for a digital-forward vision

The country’s digital ambitions make this conversation even more urgent. The government encourages Filipinos to embrace online banking, digital payments, e-commerce, and electronic public services because these technologies promise greater convenience and economic growth. Yet trust is the foundation of every successful digital economy. 

If millions of people continue to receive scam messages with alarming regularity, confidence in those services inevitably suffers. People become hesitant to transact online, not because they reject technology, but because they question whether the systems surrounding it are capable of protecting them.

The PSA’s report should therefore serve as more than another cybersecurity statistic. It should be a reminder that when six in ten users experience cyber incidents, the conversation can no longer revolve primarily around what citizens are doing wrong. The more pressing question is whether the country’s cybersecurity policies, regulatory oversight, and digital infrastructure are doing enough to keep pace with increasingly sophisticated threats.

Digital literacy will always matter, and it should remain part of every national cybersecurity strategy, but education cannot compensate for systemic weaknesses indefinitely. A nation cannot simply teach its way out of a security problem that affects the majority of its digital population. Until institutions accept greater responsibility for preventing cybercrime instead of merely responding to it, “be more vigilant” will sound less like practical advice and more like an admission that the system is asking its users to protect themselves where it has failed to do so.

Read more...