Here’s how crooks could steal your online banking account – Manila bulletin

(Jas Santos, a former retail store manager at one of the country’s largest malls, has successfully launched into the online business of new and used bags, shoes and beauty products. Most recently, Jas became a victim of cybercrime. Here is his story.)

By Jas Santos (

I’ve been in online sales since 2013 and love how online banking has revolutionized internet based businesses. It has made the lives of thousands of online sellers like me much easier. It has also transformed online transactions to be more convenient for millions of buyers. Whereas before I had to go to the nearest ATM to check if my buyers have paid for their purchases, now I just have to check my online banking application and see in real time if the payments have been done. I could then send the items through their preferred courier – the transaction started and ended without leaving the comfort of my home.

Most recently, I was the victim of cybercriminals pretending to be BPI. The bad guys took all of my hard earned money and transferred it all to an account in BDO.

I received this email informing me that my access to BPI Express Online would be disabled if I do not update my account immediately. Of course, as an online business owner, I need to access my online banking services not only to accept payment, but also to pay my vendors. Online banking is something I couldn’t afford NOT to have, especially during these times. So when I read the email, I immediately decided to update my account to avoid deactivation. I then clicked on the link in the email and my browser opened a page that I believed to be a BPI login page.

I received this email asking me to update my BPI account or the bank would deactivate it in case of non-compliance.

After clicking the link in the email, this is where I was taken, a page that looks like a legitimate BPI login page. Believing in the email I need to update my account, I entered my username and password.

The fake login page. I didn’t notice that the URL is not from BPI.

The page then asked for the one-time password (OTP) forcing me to enter my phone number, then I typed in my phone number and then the OTP I received but a warning popped up indicating that the OTP I entered had already expired, so I clicked again and hit the resend button.

The fake site asked me for my phone number to send the OTP.

I didn’t realize until much later that the OTP was being used to activate my mobile key for another device. It was too late when I saw that the device model was CPH1937, an OPPO A9 phone that I don’t have. This means my BPI banking transactions can now be authenticated using this OPPO A9. This device could now manage my account without any restrictions.

I have been informed by BPI that I have activated my mobile key using a device that I do not own.

And just like that, two minutes after activating my mobile key, an interbank funds transfer transaction from my BPI account to BDO Unibank was initiated successfully, and another transaction after just a minute, virtually emptying my account.

Where did I go wrong?

I was already a victim by the time I opened the email and believed it was legitimate. It was a phishing email that aimed to steal my money from my online bank account. When I clicked on the link in the email, I didn’t bother to check the URL of the login page. If this happens to you, check the link in the address bar, make sure it is a legitimate BPI login page. The address is with a padlock icon before the address if you are using BPI online banking. If the URL is different, stay away from this page. This security check also works for other services. The Facebook crooks also use the method used by the criminals who scammed me. When you check the URL of those links claiming to be FB login pages, you will see that the URL is not from Facebook. So be careful and always check the URL before continuing.

The OTP or one-time password is very important, it is the six-digit number that is sent to you by your bank (or any company offering online services) when you make online transactions. OTP is an additional layer of protection that significantly reduces the risk of fraud. My mistake was that I sent my OTP without checking whether the page requesting it is legitimate or not. Never share your OTP with others, crooks could be in full control of your account once they know your OTP at some point.

As an added precaution, I now enable two-factor authentication in all of my emails and social media accounts. It works like an OTP, an extra layer of protection to secure my account from crooks and other cybercriminals. To activate 2FA, go to settings, then click on your accounts security, activate the button and just follow the instructions.

Will I continue to use online banking services?

You keep going to the grocery store because there are sometimes pickpockets or real world scammers. You don’t ask your child to stop going to school because sometimes crime happens on and off campus. Likewise, I will not stop using this technology because of the cybercriminals who exploited my moment of weakness where I immediately trusted what I believed to be an email from my bank. The benefits of online banking for an online business owner like me outweigh the risks. I just need to be careful and use methods which are mostly free to secure my account. You can view my page on I sell genuine, new and used bags, shoes and beauty products.

Hope what happened to me serves as a lesson for others on what NOT to do when you receive a phishing email.

A few moments ago I checked my inbox and got this email again, this time claiming to be from BDO and UnionBank, the emails have the same content and link . Everyone be careful.

I received another email, this time from crooks claiming to be from UnionBank.



Source link

David A. Albanese

Leave a Reply

Your email address will not be published. Required fields are marked *