
Scam alert: ‘Security Bank Holiday Gift’ OTP phishing modus

Gelo Gonzales
Email screenshot from reader

Don't fall for bank emails claiming you've won something, and be wary of spoofed log-in pages

A Rappler reader recently emailed her experience of being the victim of a phishing scam in which the scammers were able to steal her bank account and money. 

We’re showing here how the scam worked, so in case you encounter a similar phishing campaign, you’d immediately be able to identify and avoid it as well as other scams that share the pattern. 

  1. The victim receives an email supposedly from Security Bank, with a subject line promising a 5000-peso Shopee gift voucher. The email tells the victim that they are among the winners of the Shopee voucher. 
  2. The victim taps the “Claim Voucher” button, saying she had been so excited to receive the gift, given the current pandemic situation. 
  3. When she tapped on the button, she was led to what she says was the log-in page for Security Bank. The page asked her to log in, and to enter the one-time password (OTP) sent to her number. This was likely where the scammers were able to phish for her details. 
  4. The log-in page was a fake one. The scammers recorded the credentials she put in, and used those on the real Security Bank online banking site or app.
  5. Once the scammers logged in, the site sent an OTP to the victim, which the victim forwarded to the fake site, believing she was logging in on the real one. 
  6. The victim noted she tried to input multiple OTPs because the fake page wasn’t showing what she was typing. The scammers likely tried to keep logging in until a working OTP went through the fake page. 

After gaining access to the account, the hackers were able to siphon off her money and change the log-in credentials, including the registered number and security questions. The other OTPs sent to the victim, which she kept forwarding to the fake site, were likely used to change those credentials.
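The sequence described above (a log-in, repeated OTPs, then a change of registered number followed by transfers) can be written as bank-side detection logic. This is an added example, not part of the original article and not Security Bank's system; the event names, fields, device history, thresholds and log lines are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real bank logs): time, account, device, event.
SAMPLE_LOG = """\
2021-01-05T10:00:00 acct-1 dev-known login_ok
2021-01-05T10:01:00 acct-1 dev-known otp_sent
2021-01-05T10:02:00 acct-1 dev-known transfer
2021-01-06T09:00:00 acct-2 dev-new login_ok
2021-01-06T09:00:20 acct-2 dev-new otp_sent
2021-01-06T09:01:10 acct-2 dev-new otp_sent
2021-01-06T09:02:05 acct-2 dev-new otp_sent
2021-01-06T09:03:00 acct-2 dev-new phone_changed
2021-01-06T09:04:30 acct-2 dev-new transfer
"""

KNOWN_DEVICES = {"acct-1": {"dev-known"}, "acct-2": {"dev-phone"}}  # assumed history
WINDOW = timedelta(minutes=30)  # assumed threshold
MIN_OTPS = 3                    # assumed threshold

def parse(log):
    for line in log.splitlines():
        ts, acct, dev, event = line.split()
        yield datetime.fromisoformat(ts), acct, dev, event

def find_takeover_pattern(log, known=KNOWN_DEVICES):
    """Return accounts where a log-in from an unseen device is followed, within
    WINDOW, by repeated OTPs, a registered-number change and then a transfer."""
    sessions, flagged = {}, []
    for ts, acct, dev, event in parse(log):
        if event == "login_ok":
            # Track the session only when the device is new to this account.
            if dev in known.get(acct, set()):
                sessions.pop((acct, dev), None)
            else:
                sessions[(acct, dev)] = {"start": ts, "otps": 0, "phone": False}
            continue
        s = sessions.get((acct, dev))
        if s is None or ts - s["start"] > WINDOW:
            continue
        if event == "otp_sent":
            s["otps"] += 1
        elif event == "phone_changed":
            s["phone"] = True
        elif event == "transfer" and s["phone"] and s["otps"] >= MIN_OTPS:
            if acct not in flagged:
                flagged.append(acct)
    return flagged
```

On the constructed log, only `acct-2` is returned: each event on its own looks routine, and it is the combination on a previously unseen device that stands out.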

“Ang hindi ko po alam, ‘yun na katapusan ng pera ko na [payroll ko], at pinagpaguran ko po,” said the victim. (What I didn’t know was that that was the end of my money, from my payroll, which I worked hard for.) 

Tip: Be wary of anything claiming that you’ve won something online. That’s the bait. Just as well, be wary of log-in pages that may not be the real one. On Android, when opening a link from an email, tap the 3 dots on the upper right corner, and tap “Open in Chrome” to see the full URL.

If that URL doesn’t seem right, you can check online for the real URLs that your bank uses. Give your bank a call as well if you want to double-check that URL.

After finding out she couldn’t access her account anymore, the victim reported the scam to the fraud team of Security Bank via email and Viber, but only received system-generated messages. She went to her account branch to file the incident. 

A month later, she received an email telling her that her request to recover the funds was rejected because, from the bank’s point of view, it may have looked like the phone number change and the succeeding money transfers were legitimate.

Security Bank also has more information here about spotting similar schemes, and how to protect oneself, and has reminded the public to remain vigilant. – Rappler.com

Have you been a victim in an online scam? Email the editor at angelo.gonzales@rappler.com.

Gelo Gonzales

Gelo Gonzales is Rappler’s technology editor. He covers consumer electronics, social media, emerging tech, and video games.