BDO, BPI & Metrobank Phishing Scams: How Filipinos Lose Money to Fake Bank Messages

Banking phishing in the Philippines has reached epidemic levels. The Bangko Sentral ng Pilipinas (BSP) has repeatedly issued warnings about the rising tide of fake messages targeting customers of major banks including BDO Unibank, Bank of the Philippine Islands (BPI), and Metropolitan Bank & Trust Company (Metrobank). Millions of pesos are stolen each year through schemes that are alarmingly simple.

Here is how these attacks work and how to keep banii tai safe.

The Most Common Banking Phishing Scams

1. Fake SMS from "Your Bank"

You receive a text that appears to come from BDO, BPI, or Metrobank. The message says contul tau has been locked, a suspicious transaction was detected, or your online banking needs to be verified. It includes a link.

The link leads to a website that looks identical to your bank's login page. You enter your username, password, and the OTP that arrives on telefonul tau. The scammer now has full access to contul tau.

Why it works: Philippine telecom networks allow sender ID spoofing, meaning scammers can make texts appear in the same thread as legitimate bank messages on telefonul tau.

2. OTP Interception via Phone Call

After obtaining your login credentials through phishing, the scammer needs your OTP to complete a transaction. They call you pretending to be a bank fraud investigator, saying they detected unauthorized activity and need you to read the OTP "to cancel the transaction." In reality, they are using the OTP to transfer banii tai out.

3. Love Scam Leading to Bank Fraud

A common pattern in the Philippines: a scammer builds a romantic relationship through dating apps or social media over weeks or months. Eventually, they claim a financial emergency and ask you to transfer money. More sophisticated versions involve the scammer convincing you to share your banking credentials so they can "help manage finances together."

4. Fake Bank Customer Support

You search online for your bank's customer support number. The first result is a sponsored ad or a social media page with a number that is not the real one. You call, and the fake agent walks you through "security verification" that actually hands over contul tau access.

5. Deposit or Transfer Notification Scam

You receive what looks like a bank notification saying someone deposited money into contul tau. When you log in through the provided link to check, your credentials are captured. Sometimes the scammer contacts you afterward asking you to "return" the accidental deposit.

Cum sa identifici Fake Bank Messages

Feature	Legitimate Bank Message	Phishing Message
Links	Rarely includes links	Always includes a link
Urgency	Informational tone	"Act NOW or account will be locked"
Grammar	Professional, error-free	Often has typos or odd phrasing
Sender	Verified sender ID	May look similar but slightly off
Request	Never asks for OTP or password	Asks you to verify credentials
Channel	In-app notifications preferred	SMS, email, or Messenger

10 Rules for Banking Safety

1. Never click links in text messages claiming to be from your bank
2. Type your bank's URL directly into your browser — bdo.com.ph, bpiexpressonline.com, metrobankdirect.com
3. Nu partaja niciodata OTP with anyone, even someone claiming to be a bank employee
4. Your bank will never ask for parola ta via call, text, or email
5. Enable transaction notifications so you are alerted to every withdrawal or transfer in real time
6. Set daily transfer limits on your online banking
7. Use the official bank app downloaded only from Google Play or the Apple App Store
8. Do not save banking passwords in browserul tau
9. Register telefonul tau number and email with the bank to receive legitimate alerts
10. In caz de indoiala, visit a branch — do not try to resolve issues through links or calls

Ce sa faci daca contul tau a fost compromis

1. Call your bank's official fraud hotline immediately — BDO: (02) 8631-8000, BPI: (02) 889-10000, Metrobank: (02) 88-700-700
2. Request an account freeze to prevent further transactions
3. Change all passwords from a secure device
4. File a police report with the PNP Anti-Cybercrime Group
5. Report to the BSP Consumer Assistance mechanism
6. Document everything — take screenshots of messages, call logs, and transaction records

The Love Scam Connection

Romance scams deserve special attention because they combine emotional manipulation with financial fraud. The BSP and NBI have flagged a pattern where victims:

1. Meet someone online (dating apps, Facebook, Instagram)
2. Build a relationship over weeks or months
3. Are asked for money through bank transfers
4. Sometimes share banking credentials with their "partner"
5. Lose access to their own accounts

Red flags: Anyone you have never met in person who asks for money, banking details, or wants to "manage finances together" is almost certainly a scammer.

Sharing Banking Details When Necessary

There are times when you legitimately need to share cont bancar numbers — with a family member handling your remittance, an employer for payroll, or a persoana de incredere during an emergency. Sending these through plain SMS or Messenger puts them at permanent risk.

Use LOCK.PUB to create a protejat cu parola link with your banking details. Set an expiration, and the information disappears after the intended recipient views it. No permanent record in any chat thread.

Concluzie

Philippine banks are investing in security, but the weakest link remains the human element. Phishing works because it exploits trust, urgency, and familiarity. The single most important rule: your bank will never ask you to click a link, share your OTP, or reveal parola ta through any channel.

When you need to share financial details securely, visit LOCK.PUB to create free encrypted links that protect your information and auto-expire.