What began as an attempt to defraud a manager of the Bank of the Philippine Islands (BPI) evolved into an opportunity for the country’s oldest bank to learn how scammers transfer funds from their victims’ accounts.
In a media roundtable on Wednesday, October 22, BPI’s enterprise information security officer and data protection officer Jon Paz said scammers tried to defraud a channel manager of the bank’s online platform.W
Paz recalled the manager receiving an email claiming that he needed to update his eGovPH mobile app, and that the sender could help him do this if he filled out a Google Form.
“[Up] To this point, all of our knowledge about rogue apps, how these work, had all been anecdotal. They were reported to us by victims,” Paz said.
So, they instructed the manager to click the link and input his details with the hopes of understanding the scheme. The manager then received a follow-up call where the scammer requested him to install a remote servicing application masked as the latest version of the eGovPH app.
This app gave the caller complete control over the victim’s phone. From there, the scammer disabled key security settings, allowing him to “sideload” or download an application that is not from the phone’s official app store.
Paz said this is where things got tricky. The manager’s phone displayed an app installation, but BPI’s IT and data protection team saw something else unfolding behind the scenes.
“So what’s being presented to the user is an installation sequence…But behind that, what’s happening is that they’re tinkering with the configurations to allow the app to do a lot more,” he said.
Using a fake screen to deceive the victim, the scammer secretly used the login information he obtained to access online banking accounts installed on the phone.
Once he gained access to the victim’s bank accounts, the scammer would transfer the funds to his or her own accounts.
But online banking apps usually require biometrics or a one-time password (OTP) to complete the transaction. How do scammers get past that?
According to Paz, the fake eGovPH app shown to the victim requests for the user’s biometrics to log in. But behind the fake screen, the victim unknowingly authorized the fund transfer to the scammer’s account.
Luckily, no funds were stolen in this incident. BPI’s data protection team closely monitored the scammer’s movements, and the attempted fund transfers did not push through since the receiving account was already flagged for its suspected use in scams.
Rogue applications or malware are just one of many ways that scammers trick their victims into giving up their login credentials. Scammers also use International Mobile Subscriber Identity (IMSI) catchers to send phishing text messages to victims. IMSI catchers, according to a previous Rappler report, “intercept devices by simulating or mimicking cell towers. When connected to an IMSI catcher, calls and text messages as well as a device’s location can be accessed without detection.”
Paz said these texts can be compelling since they pretend to be legitimate entities like banks.
Preventing scams
Global anti-scam application Whoscall logged 62,390 scam calls in the Philippines during the third quarter, 78.4% higher since 2024. (READ: Don’t let online scammers escape. Dial 1326 and report)
As scammers employ more sophisticated tactics, BPI’s chief technology officer Alex Seminiano said the bank is strengthening its app’s security through consistent updates and consumer education campaigns.
Fraudsters can’t find more victims if no one falls for their tactics. Seminiano urged the public not to share their authentication credentials such as passwords and OTPs with anyone, and enable multi-factor account authentication.
“The whole security mechanism of banking is based on trust identification,” Seminiano said. “And therefore, if you share your credentials to somebody else, and somebody else pretends to be you, it’s very difficult to really identify that.”
49jilim.com|games|casino|49jilim
About the Author
