BDO Unibank account holders have reportedly lost thousands of pesos in deposits due to an online banking scam where unauthorized transfers were made to a Union Bank of the Philippines account with a bogus name.
BDO users took to social media starting Saturday, December 11, to complain that illegal transactions were made using their accounts to transfer money to the UnionBank account of a certain “Mark Nagoyo.”
In Filipino, the word “nagoyo” means to make a fool out of someone.
The fraud has been massive enough that a public Facebook group called “Mark Nagoyo BDO Hacked” has since been created, with multiple users reporting similar cases of hacking.
A common pattern has so far emerged among the victims of the hacking scandal: The alleged cybercriminals were somehow able to access the victims’ BDO accounts even though the victims were careful not to click on suspected phishing links and did not reveal any of their banking details in public.
The BDO clients were surprised to receive email and text notifications from BDO saying that a bank transfer – usually involving thousands of pesos – had been successfully processed. In some cases, the hackers were somehow able to get past BDO’s one-time PIN (OTP) security feature to make the illegal transactions push through.
Facebook user Mela Abesamis said she lost P50,025 due to the hacking scheme. Abesamis said she first received a text message from BDO at 1:11 am on Saturday saying there was a supposed transfer of P50,025 from her account, but it did not push through.
A few seconds later, she received another text message from BDO and the amount was already removed from her bank account.
Like the other cases reported on social media, the supposed beneficiary of the illegal transaction was Nagoyo’s account.
“Sobrang maingat ako sa phishing scams. Wala akong pinipindot na kahit anong unusual links, at bihira ko gamitin ang BDO debit/account ko. Naka-enable ang OTP ko, pero this time wala akong natanggap na OTP…. Nagulat na lang ako kasi nakatanggap na lang din ako ng email saying that I sent money to another bank, which is UnionBank,” said Abesamis on Facebook.
(I’m very careful when it comes to phishing scams. I don’t click on unusual links and I barely use my BDO debit/account. My OTP is enabled, but this time I didn’t receive any OTP. I was surprised when I suddenly received an email saying I sent money to another bank, which is UnionBank.)
Facebook user Charisse Matanguihan, who works for a government bank, also fell victim to the scheme as early as Thursday, December 9. In Matanguihan’s case, it seems the suspects siphoned money from other people’s accounts by pretending to be her.
She said she woke up on Friday morning, December 10, to missed calls and text messages from several people accusing her of getting their money. Upon checking her bank accounts, Matanguihan realized she had lost much of her deposits in BDO and that four unauthorized fund transfer confirmations had been made through her account.
“I work for a government bank and therefore I must uphold my integrity. I am afraid that my reputation will be ruined despite being also a victim. Thus, I desperately need your assistance to investigate and file a case to whoever is behind all this,” said Matanguihan.
BDO said in a statement on Sunday, December 12, that it is already investigating the alleged hacking.
“BDO Unibank has been informed about [OTP]-related concerns. The bank would like to assure its clients that it is looking into each of the cases and will revert back to those who have been affected,” it said.
BDO then reminded clients never to share their login information and OTP, and to regularly change the passwords of their online banking accounts.
The Bangko Sentral ng Pilipinas (BSP) also said it is in “close coordination” with BDO and UnionBank, assuring the public it would take “remedial measures” including reimbursement of affected consumers.
“Rest assured that we continue to collaborate and engage stakeholders to ensure the safety and integrity of the financial system as well as the protection of financial consumers,” said the BSP in a statement. – Rappler.com