Stop sharing, stop phishing


BPI reminds clients to do their part: Don’t answer phishing emails and never share OTPs

One early morning in December last year, Kean, an employee in a business process outsourcing (BPO) company, was awakened by an anonymous call on his smartphone. Still feeling disoriented from the previous night's drinking session with his peers combined with sleepiness, Kean grudgingly answered the phone call, guessing that the caller was from a credit card company. Eventually, he realized that it was a call from his bank.

After the conversation, he went back to sleep, confidently believing that the call was simply one of those routine calls that he typically receives from banks and credit card companies. But that was just the beginning of a nightmare. From that point, Kean noticed a huge online purchase under his bank account that he never initiated or authorized.

Kean's experience was just one of the many cases of fraud that might be involving confidential information such as the One-Time PIN (OTP) in order to get access to the victim's bank account.

Primarily designed as an additional security feature when doing an online transaction, BPI's OTP helps in authenticating one's identity in every financial transaction through a unique 6-digit passcode which will be sent to the account holder’s registered mobile number via SMS. An OTP is valid for a single online transaction and will expire five minutes from the time it was sent. Unfortunately, fraudsters these days are keen on using time-tested methods and finding new ways to exploit it for their own advantage.

Now considered as a traditional cybercrime tool, fraudsters still employ phishing as an effective way to gather customer information through email. Fraudsters usually make phishing emails appear as legitimate ones coming from the customer's bank, asking them to provide information for ‘verification purposes.’ Once the perpetrator gets the client’s confidential information (such as account number, password, mobile number, etc.) via a phishing email, the fraud act moves on to the second phase called vishing (voice phishing), wherein further gathering of customer information is done through a phone conversation.

The fraudster, pretending to be a bank agent, calls the target customer. To cause worry and a sense of urgency, the caller may cite any of the following reasons to the customer:

  • To update information needed for a new mobile application
  • To deactivate compromised online access
  • To update account to credit incoming deposit, transfer or remittance
  • To cancel unauthorized transaction made using the account
To further make the call appear legitimate, the caller verifies the customer's account based on the phished information, then proceeds with initiating a financial transaction. The caller asks the customer to provide the OTP for additional verification. The customer then discloses the OTP and the caller uses it to complete the fraudulent transaction.

Looking back and assessing the workflow of the fraudsters, the chance for customers to stop the cybercriminals from succeeding remains high. By being aware and vigilant, customers can hinder the fraudsters from advancing to the next level of their activity by not responding to the phishing email. Customers receiving emails from a bank should be cautious before providing information. It would be better for customers to call the bank first to confirm the email's validity. For BPI customers, they can call BPI Phone Banking via 89-100 to check the legitimacy of the email. By eliminating phishing, customers can stop vishing and avoid becoming a victim of a potential fraudulent activity. And last but not the least, remember that OTP is a personalized and confidential information. BPI will never ask its customers to send any confidential information such as the OTP via email, phone, text message or social media.