
Top 5 Ways Scammers Use to Gain Access to Your Account

Social engineering has become the most common method of scamming people these days. The recent massive attack on GCash users points to phishing as the primary vector used to gain access to and compromise the accounts of unsuspecting victims.

This has been happening for decades, but only on a smaller scale. Only in recent years have we witnessed incidents like this on a much bigger scale: from the mysterious BPI transactions in June 2017 and BDO back in December 2021 to more unauthorized BPI withdrawals just this January 2023. Then came the GCash incident this week.

There is one thing in common: the institutions involved are the biggest players in the industry and have the largest number of customers in the country. GCash alone has more than 81 million users as of March 2023.

It’s a gold mine for the perfect online heist. It does not need to be as complicated or sophisticated as La Casa de Papel, but even if it only works on 0.001% of the total user base, that is still 81,000 GCash users.

For those unfamiliar with what phishing is:

Phishing is a type of cyber attack that uses email, phone calls, or text messages to trick individuals into revealing sensitive information, such as passwords, credit card numbers, social security numbers, or other personal data. The attacker typically poses as a trusted entity, such as a bank, a popular website, or even a friend or colleague, to gain the victim’s trust.

The operative word here is trick or fool: making people think they are dealing with the usual entities (bank websites, email from customer support, e-wallets, service providers or even friends) and then encouraging them to provide sensitive details (like login accounts, passwords, and OTPs).

Anyone could already have been phished; they just don’t know it yet.

Here are the top 5 ways scammers can get access to your account:

  • Social Media

    Facebook is perhaps the biggest place to “phish” for victims. Unfortunately, sometimes even Facebook is tricked by these scammers, and their links end up being promoted by Facebook itself through FB Ads.

    Even our very own name/brand has been used to scam people into buying cheap gadgets (on FB Marketplace, Carousell, etc.). We thank the many readers and followers who contacted us about these pages to verify whether they were legit.

    Here’s another example of an attempt to use a legitimate business like Starlink to offer a promo when you use GCash. It will use a fake website to ask you to input your OTP and MPIN, which are then used to transfer money to the scammers.

    Avoid clicking on unnecessary links that offer raffles or giveaways, investment opportunities and the like.

  • Text Message

    This is called “smishing”, short for SMS phishing, and has been one of the biggest avenues for scamming. For a time, the modus was sending out messages to anyone about them winning a lottery or raffle from legitimate offices (TV Networks, Office of Government Officials, Outreach Programs of Personalities, etc.).

    When that MO became stale, the new targets these days are, again, bank accounts and e-wallets.

    And I am sure you’ve all gotten that SMS from someone pretending to be from Netflix and promising you prizes such as t-shirts and mugs after you send them back an OTP number.

  • Email

    The most common attempt here is using popular banks such as BPI, BDO, Union Bank to send out warnings about accounts being locked if customers do not update them. The link will then go to a page that really looks like your bank’s website but on a different URL.

    Here is one example of an email with an attachment that was sent to me a few weeks back posing as a legitimate entity, the Philippine Depository & Trust Corp. I have several insurance policies and investments, so it took me a while to figure this out.

    The attachment is a PDF, and the file can carry malicious scripts or exploits (Trojan) that, when you open it, can compromise your phone or computer, whichever you used to open it.

  • Chat

    Messenger, WhatsApp and Viber are among the most widely used applications to scam people. Notice the rampant international calls from WhatsApp lately? Or remember the time when FB accounts were being hacked and used as a backstory to solicit money from friends and relatives?

    An uncle of mine who is an oncologist and surgeon got his Viber account hacked, and it was used to ask hospital colleagues and patients to send money to the scammers’ GCash account. It is as trivial as that, but because we don’t normally double-check, it has become all too common.

  • Voice Calls

    The scammers have become so bold and sophisticated that they have elevated their modus by calling potential victims.

    They will follow the usual “script” that Customer Service Agents use, such as saying that the conversation is recorded, and will even remind you about security measures like not giving out your login or password.

    Here is a classic example from an old friend who used to be in media and is now in the telco industry.

    So, do not assume that you are too smart or educated to be a target of scammers. Always be mindful and critical.
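The Email section above notes that a phishing link leads to a page that looks like your bank's website but sits on a different URL. The check below is an added example, not part of the original article: it compares a link's real host against an allowlist of official domains. The domain list and the sample links are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumed allowlist of official domains (not from the article; verify before use).
OFFICIAL_DOMAINS = ("bpi.com.ph", "bdo.com.ph", "unionbankph.com", "gcash.com")

def check_link(url):
    """Return (verdict, reason) for a link received by email, SMS or chat."""
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        return ("suspicious", "not an https link")
    if parts.username is not None:
        # In https://bank@other-host/ the text before '@' is NOT the site visited.
        return ("suspicious", "text before '@' hides the real host")
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return ("suspicious", "no host in link")
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        return ("suspicious", "internationalized host can imitate Latin letters")
    for domain in OFFICIAL_DOMAINS:
        # Official only if the host IS the domain or a subdomain of it.
        if host == domain or host.endswith("." + domain):
            return ("official", domain)
    for domain in OFFICIAL_DOMAINS:
        brand = domain.split(".")[0]
        # Heuristic: the brand name appears, but the host belongs to someone else.
        if brand in host:
            return ("suspicious", f"mentions '{brand}' but is not under {domain}")
    return ("unknown", "host is not on the allowlist")

# Constructed sample links (reserved .example names, not real phishing sites).
SAMPLE_LINKS = [
    "https://www.bpi.com.ph/login",
    "https://bpi.com.ph.account-update.example/login",
    "https://bdo.com.ph@login.example/",
    "http://www.gcash.com/",
    "https://news.example/",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        verdict, reason = check_link(link)
        print(f"{verdict:10} {link}  ({reason})")
```

An "unknown" verdict is not a pass: it only means the host is neither an official domain nor an obvious imitation, so the link should still not be used to log in.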

Remember, no amount of hardware and security layers can protect you if you give up (unwillingly or unknowingly) your account access to unscrupulous fraudsters or scammers.

The more convenient our access to financial instruments through banking apps and e-wallets becomes, the more challenging it is to secure them. It’s always a two-way street: as users, we need to be mindful and more careful, especially since our hard-earned money is just one MPIN or OTP away.


Abe is the founder and Editor-in-Chief of YugaTech with over 20 years of experience in the technology industry. He is one of the pioneers of blogging in the country and considered by many as the Father of Tech Blogging in the Philippines. He is also a technology consultant, a tech columnist with several national publications, resource speaker and mentor/advisor to several start-up companies.

2 Responses

  1. Namron says:

    PDTC is a legitimate entity. You will receive this if you have REIT investments.

    • Abe Olandres says:

      Yes, I researched it; that’s why it took me some time to figure out. But then, I don’t have any REIT investments.
