BDO, BPI & Metrobank Phishing Scams: How Filipinos Lose Money to Fake Bank Messages

Banking phishing in the Philippines has reached epidemic levels. The Bangko Sentral ng Pilipinas (BSP) has repeatedly issued warnings about the rising tide of fake messages targeting customers of major banks including BDO Unibank, Bank of the Philippine Islands (BPI), and Metropolitan Bank & Trust Company (Metrobank). Millions of pesos are stolen each year through schemes that are alarmingly simple.

Here is how these attacks work and how to keep your money safe.

The Most Common Banking Phishing Scams

1. Fake SMS from "Your Bank"

You receive a text that appears to come from BDO, BPI, or Metrobank. The message says your account has been locked, a suspicious transaction was detected, or your online banking needs to be verified. It includes a link.

The link leads to a website that looks identical to your bank's login page. You enter your username, password, and the OTP that arrives on your phone. The scammer now has full access to your account.

Why it works: Philippine telecom networks allow sender ID spoofing, meaning scammers can make texts appear in the same thread as legitimate bank messages on your phone.

2. OTP Interception via Phone Call

After obtaining your login credentials through phishing, the scammer needs your OTP to complete a transaction. They call you pretending to be a bank fraud investigator, saying they detected unauthorized activity and need you to read the OTP "to cancel the transaction." In reality, they are using the OTP to transfer your money out.

3. Love Scam Leading to Bank Fraud

A common pattern in the Philippines: a scammer builds a romantic relationship through dating apps or social media over weeks or months. Eventually, they claim a financial emergency and ask you to transfer money. More sophisticated versions involve the scammer convincing you to share your banking credentials so they can "help manage finances together."

4. Fake Bank Customer Support

You search online for your bank's customer support number. The first result is a sponsored ad or a social media page with a number that is not the real one. You call, and the fake agent walks you through "security verification" that actually hands over your account access.

5. Deposit or Transfer Notification Scam

You receive what looks like a bank notification saying someone deposited money into your account. When you log in through the provided link to check, your credentials are captured. Sometimes the scammer contacts you afterward asking you to "return" the accidental deposit.

Jak identifikovat Fake Bank Messages

10 Rules for Banking Safety

1. Never click links in text messages claiming to be from your bank
2. Type your bank's URL directly into your browser — bdo.com.ph, bpiexpressonline.com, metrobankdirect.com
3. Never share your OTP with anyone, even someone claiming to be a bank employee
4. Your bank will never ask for your password via call, text, or email
5. Enable transaction notifications so you are alerted to every withdrawal or transfer in real time
6. Set daily transfer limits on your online banking
7. Use the official bank app downloaded only from Google Play or the Apple App Store
8. Do not save banking passwords in your browser
9. Register your phone number and email with the bank to receive legitimate alerts
10. When in doubt, visit a branch — do not try to resolve issues through links or calls

Co dělat If Your Account Is Compromised

1. Call your bank's official fraud hotline immediately — BDO: (02) 8631-8000, BPI: (02) 889-10000, Metrobank: (02) 88-700-700
2. Request an account freeze to prevent further transactions
3. Change all passwords from a secure device
4. File a police report with the PNP Anti-Cybercrime Group
5. Report to the BSP Consumer Assistance mechanism
6. Document everything — take screenshots of messages, call logs, and transaction records

The Love Scam Connection

Romance scams deserve special attention because they combine emotional manipulation with financial fraud. The BSP and NBI have flagged a pattern where victims:

1. Meet someone online (dating apps, Facebook, Instagram)
2. Build a relationship over weeks or months
3. Are asked for money through bank transfers
4. Sometimes share banking credentials with their "partner"
5. Lose access to their own accounts

Red flags: Anyone you have never met in person who asks for money, banking details, or wants to "manage finances together" is almost certainly a scammer.

Sdílení Banking Details When Necessary

There are times when you legitimately need to share bank account numbers — with a family member handling your remittance, an employer for payroll, or a trusted person during an emergency. Sending these through plain SMS or Messenger puts them at permanent risk.

Use LOCK.PUB to create a password-protected link with your banking details. Set an expiration, and the information disappears after the intended recipient views it. No permanent record in any chat thread.

Závěr

Philippine banks are investing in security, but the weakest link remains the human element. Phishing works because it exploits trust, urgency, and familiarity. The single most important rule: your bank will never ask you to click a link, share your OTP, or reveal your password through any channel.

When you need to share financial details securely, visit LOCK.PUB to create free encrypted links that protect your information and auto-expire.