What It Means
- Cybersecurity awareness reaches only 33.4% of Filipinos aged 10 and older, while 62.5% of ICT device users experienced an incident in 2024, about 24.28 million people.
- Only 1.9% of victims reported incidents to authorities, which means platform fraud models are running on a fraction of actual exposure data.
- Urban-rural cybersecurity awareness is split nearly in half: 42.9% versus 22.7%, but incident rates are nearly equal at 62.7% and 62.1%.
- Digital platforms that expanded into low-awareness markets now operate against a documented public baseline. Regulators have cleaner grounds to act under AFASA and the Data Privacy Act.
- SMS fraud accounts for 57.1% of incidents, a known, addressable attack vector that platforms have not eliminated at scale.
The Philippine Statistics Authority’s third report from the 2024 National ICT Household Survey landed June 16 with numbers that should be uncomfortable reading for anyone running a digital platform in this country. Cybersecurity awareness reaches only 33.4% of Filipinos aged 10 and older. About 24.28 million Filipinos, or 62.5% of ICT device users, encountered at least one cybersecurity incident in 2024. And just 1.9% of those who were hit reported it to anyone.
That last number is the one that matters most. Not as a public health concern. As a data problem.
Cybersecurity Awareness Does Not Match Incident Rates
Every digital platform operating in the Philippines, including banks, e-wallets, e-commerce sites, and insurtech providers, runs fraud detection and risk modeling on reported incident data. A 1.9% reporting rate means those models are calibrated against roughly one in fifty actual events. The fraud is not being underreported in a way that makes headlines. It is being systematically excluded from the data that platforms use to price risk, trigger alerts, and build controls.
This is not a gap that more consumer education closes. If cybersecurity awareness doubled tomorrow among victims, you would mostly get more people knowing they were hit after the fact. The modeling gap is structural: platforms chose to expand into markets where users lack the context to identify, attribute, and report attacks. The PSA has now formally measured how large that gap is.
The Urban-Rural Contradiction
The data carries a contradiction that platform growth teams should find hard to ignore. Cybersecurity awareness among urban residents sits at 42.9%. Among rural residents it sits at 22.7%. That is a gap of nearly 20 percentage points. But incident rates are nearly equal: 62.7% urban, 62.1% rural. The threat is not concentrated where cybersecurity awareness is. It travels equally, regardless of whether the user can recognize it.
The implication is direct. Rural users absorbing the same incident rate as urban users while operating with half the cybersecurity awareness means those users are not identifying attacks, not knowing what happened to them, and not reporting. They are the base on which digital financial inclusion has been built and scaled over the past four years.
Every major fintech and digital banking push in the Philippines, from the BSP’s financial inclusion targets to GCash and Maya’s rural penetration strategy, has been growing into this population. The PSA report did not create that condition. It documented it.
What the Reporting Rate Reveals
A 1.9% reporting rate tells you something specific about system design, not just user behavior. People do not report incidents they do not recognize as incidents. SMS fraud accounted for 57.1% of cases. Most SMS fraud does not announce itself as fraud. A user who clicks a scam link and has money debited from a linked e-wallet may not know where the loss came from or who to call. The platforms that control that e-wallet have every technical and design advantage to help that user, and have chosen not to, or have not done enough.
The BSP’s AFASA rules and the parallel OTP authentication mandate already put banks on notice that consumer fraud protection is a compliance obligation, not a product feature. The PSA data makes the cybersecurity awareness profile of the user base a documented public input. Platforms cannot now claim they were building for an audience they did not know was underprepared. The data is on record.
For a closer look at how the authentication liability shift already landed on banks, see how the BSP OTP ban was structured as a liability transfer, not a security upgrade.
The Educated User Problem
The tertiary education finding cuts against easy assumptions. College-educated respondents posted the highest exposure rate at 68%, above the national average of 62.5%. More education correlates with more digital transaction activity, which correlates with more attack surface. Cybersecurity awareness among that group is higher, but awareness did not prevent exposure. It just means those users are more likely to know what hit them.
This matters for platform design. The argument that better-educated users self-protect does not hold in the data. The highest-awareness cohort is still the most frequently victimized, because frequency of digital activity is a stronger predictor of exposure than cybersecurity awareness level. That is an argument for technical controls embedded in platform architecture, not for public education campaigns that shift responsibility to users who are already being hit regardless.
The Liability the PSA Report Creates
Before June 16, 2026, a platform could argue that the risk literacy of its user base was unknown or difficult to measure. The PSA NICTHS closes that argument. The survey covered approximately 44,000 households with a 99.3% response rate. It is nationally representative, conducted by the country’s official statistical authority, and its findings are now public record.
Any platform that continues to expand into low-awareness markets, runs inadequate fraud controls, or fails to build reporting pathways that a low-literacy user can actually navigate is now doing so against a documented risk profile. That shifts the weight in any future regulatory or civil dispute. AFASA already created the liability structure. The PSA report filled in the factual baseline.
The users who never filed a report after being hit will not generate the claims data that moves regulators. The platforms that built their scale on those users will carry the exposure instead.
More developments that reshape the operating environment in National Signal section of Hemos PH.
