Beware of gambling apps, phishing attacks targeting users on the rise

Influencers under investigation for promoting non-accredited gambling apps used in phishing schemes


At a glance

  • The National Privacy Commission (NPC) concluded an extensive investigation into unauthorized transactions involving GCash accounts, determining that the security breach resulted from well-planned phishing attacks.

  • The phishing scheme targeting GCash users was launched through online gambling websites, with threat actors exploiting vulnerable individuals by tricking them into providing personal information.

  • There is a concerning trend of gaming apps in the Philippines falsely claiming accreditation by the Philippine Amusement and Gaming Corporation (PAGCOR) and using them to phish for personal information, including credit card numbers and passwords.

  • Influencers endorsing illegal and non-PAGCOR-accredited online gambling apps are being investigated by the Cybercrime Investigation and Coordinating Center (CICC), as their promotion could lead to more victims falling prey to phishing attacks.

  • To protect against phishing attacks, individuals are advised to exercise caution with gambling apps that request personal information, verify app legitimacy through PAGCOR's official website, avoid clicking on links from unknown sources, and follow recommended steps if targeted by a phishing attack.


Last week, the National Privacy Commission (NPC) wrapped up an exhaustive investigation into unauthorized transactions involving several GCash accounts. The commission confirmed that the security breach resulted from carefully planned phishing attacks.

"Upon our thorough investigation, we have determined that the unauthorized transactions in GCash accounts were a result of a meticulous phishing scheme," Privacy Commissioner John Henry D. Naga stated. "Unidentified threat actors exploited vulnerable GCash users, launching the phishing scheme through online gambling websites like Philwin and tapwin1dotcom," the Privacy Commissioner added.

tapwin1.jpg
Privacy Commissioner John Henry D. Naga warns the public about the alarming rise of gaming apps like Philwin and tapwin1dotcom, masquerading as PAGCOR-accredited, used as tools for phishing schemes targeting GCash users.

Commissioner Naga highlighted a concerning trend of gaming apps in the Philippines purporting to be accredited by the Philippine Amusement and Gaming Corporation (PAGCOR). These apps are often leveraged to phish for personal information, including credit card numbers and passwords. The NPC has warned the public about these apps and is actively investigating them.

As a cybersecurity analyst, my investigation of the GCash incident also points to phishing as the reason for unauthorized transactions in some account holders. The recent trend of phishing attacks explicitly targeting users who have installed gambling applications coupled with influencers asking their followers to download the app and gamble is very alarming, as it could invite more victims of the attack. The Cybercrime Investigation and Coordinating Center (CICC) Chief Alex Ramos said the agency would soon investigate influencers who endorse, ask, tell, and tempt their followers to use online gambling apps promising them big wins if they play. "Ang sunod naming titirahin dito ay ang mga influencers," referring to influencers who are endorsing illegal and non-PAGCOR-accredited online gambling apps. Usec. Ramos said.

Our investigation revealed that perpetrators of these attacks create gambling apps and falsely claim accreditation from the Philippine Amusement and Gaming Corporation (PAGCOR). These malicious apps then trick victims into providing personal information, such as credit card numbers, passwords, GCash numbers, and MPIN, under the guise of an account verification process. Once submitted, cybercriminals can illegally acquire and use the victims' data for unauthorized transactions.

To protect yourself against these phishing attacks, you must exercise caution when encountering gambling apps that request personal information. You can verify the legitimacy of an app by consulting PAGCOR's official website, which provides a comprehensive list of authorized gaming apps. Moreover, it is crucial for you to never click on links embedded within emails or text messages from unknown senders.

If you suspect that you may have been targeted in a phishing attack, the following steps are recommended:

  • Immediately change all passwords associated with potentially compromised accounts.
  • Contact the respective bank or credit card company to report any unauthorized transactions.
  • Report the phishing attack to the National Privacy Commission.

In addition to the measures mentioned above, the following tips can further assist you in avoiding phishing attacks:

  • Approach any email or text message soliciting personal information with skepticism.
  • Exercise caution when faced with emails or text messages from unfamiliar senders, and refrain from clicking on any embedded links.
  • Regularly update software to mitigate potential security vulnerabilities that cybercriminals may exploit.
  • Utilize a robust password manager to create and store strong passwords for all online accounts.

Adopting these precautions can strengthen your defenses against phishing attacks and protect your personal information.

Phishing attacks pose a significant threat in the digital landscape, and it's crucial for you to remain vigilant. The recent attack serves as a timely reminder to stay cautious and proactive in safeguarding your personal information. By raising awareness, adopting responsible online behavior, and following recommended steps, you can effectively reduce your vulnerability to phishing attacks and mitigate the risk of becoming a cybercrime victim.

Stay alert for suspicious emails, verify sources before sharing sensitive data, and regularly update passwords. With these measures in place, you empower yourself to navigate the digital world securely and protect your personal information from falling into the wrong hands.