
Hacked DOH website being used for BPI credit card phishing

We’ve received notification from some of our readers that the Department of Health (DOH) website has been hacked and is being used to phish sensitive information from BPI cardholders.


According to the information we’ve received, an email was sent to the cardholder from the BPI servers requiring him to enter information to verify and activate his card. He is then redirected to a part of the DOH website, where the layout is akin to the one you’ll see on BPI’s, and where one has to put in sensitive information including credit card numbers and the three-digit CVV at the back.


Readers who sent this in are worried that BPI may have been compromised as well, since the email came straight from the local bank’s email servers and they had recently requested a new credit card. We’ve tried the links mentioned in this tip, and they are still live as of this writing.

BPI, on its official website, warns users of unscrupulous methods such as these to get sensitive info out of their customers:

We suggest that you use this short checklist to protect yourself against phishing attacks.

  1. Begin your session by manually typing the web address of BPI into your browser. The official URL of BPI Express Online is secure1.bpiexpressonline.com.
  2. Avoid disclosing personal or account details via email or embedded link. Be skeptical of unsolicited e-mails, especially those that concern personal / account information. Delete suspicious e-mails or e-mail attachments without opening them, even if they seem to have originated from someone you know.
  3. Notify the sending company if you receive a suspicious e-mail. Contact us directly through Express Phone 89-100 or e-mail us at [email protected].
  4. Check the security certificate of the web page. Before entering personal or account information into a site, make sure it is secure. In Internet Explorer, you can do this by checking the yellow lock on the status bar. A closed lock is an indication of an encrypted site.
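
Items 1 and 2 of the checklist can also be enforced on the mail-filtering side. The following is an added example, not code from BPI or from the original post: it extracts the links from an HTML email body and flags any whose host is not exactly the official host quoted above. The sample email, the `.example` hosts and the reason labels are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Official host exactly as quoted in the BPI checklist.
OFFICIAL_HOSTS = {"secure1.bpiexpressonline.com"}

# Constructed sample email body; the .example hosts are placeholders.
SAMPLE_EMAIL = """
<p>Please verify and activate your card:</p>
<a href="http://compromised-site.example/activate">https://secure1.bpiexpressonline.com</a>
<a href="https://secure1.bpiexpressonline.com/">BPI Express Online</a>
<a href="https://secure1.bpiexpressonline.com.login.example/verify">Log in</a>
<a href="http://secure1.bpiexpressonline.com/">Online banking</a>
"""

class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def audit_links(html_body, official_hosts=OFFICIAL_HOSTS):
    """Return (href, reason) for each link that fails the checklist."""
    parser = LinkExtractor()
    parser.feed(html_body)
    parser.close()
    findings = []
    for href, text in parser.links:
        parts = urlsplit(href)
        host = (parts.hostname or "").lower()
        if host not in official_hosts:  # exact match, so lookalike prefixes fail
            spoofed = any(h in text.lower() for h in official_hosts)
            findings.append((href, "text-mismatch" if spoofed else "off-domain"))
        elif parts.scheme != "https":
            findings.append((href, "not-https"))
    return findings
```

A link whose visible text shows the official address while its `href` points elsewhere is reported as `text-mismatch`, which is the pattern described in the report above: a bank-branded message that sends the reader to a different site.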


We’re reaching out to both the DOH and Bank of the Philippine Islands for further comments on this issue. More as we get it.

Get in touch with Carl at @lamielcarl on Twitter or visit his website for more updates!


3 Responses

  1. chief gato says:

    my conspiracy theory-oriented mind suggests that the doh.gov.ph website was not hacked. instead, the doh site was used by one of its system administrators for unauthorized, illegal extra activities…

    if that is not the case, then the doh secretary must probe why its website was used for illegal activity and why no alert was given by any of its system administrators, assuming that the alert came from the alleged phishing victim and not from the government.

  2. Justin says:

    To ensure the security of a website (especially when entering sensitive information):
    First, you should check if the URL starts with “https”, which stands for Hyper Text Transfer Protocol Secure; it uses SSL to prevent middle-man attacks, in which each Post/Submit request isn’t visible to them. Second, you need to check the information of the SSL: click the “Padlock” icon in your browser, get the details and look for “Subject”; there you can see the “CN/Common Name” and “O/Organization”. Check what the name of the organization is.

    Banks mostly use SSL with Organization Verification/Validation, or OV, and not DV (Domain Validation); be aware of banking websites that use a DV SSL, since the issuer doesn’t verify the organization’s identity. It is highly recommended to use an EV SSL, which stands for Extended Validation, that ensures the organization’s identity. A hacker can’t order an EV SSL with Org Info that already exists, and it shows a green bar address.
