This is a story about a phone-call scam (a modus operandi run entirely over the phone) that targets your bank account through your mobile banking app.
On the morning of Friday, September 2, a call center agent who identified himself as John Chua (0969***0723) called me, saying he was calling on behalf of BPI.
According to him, the call was about a biometric upgrade to the mobile app, and everyone was being called as mandated by the BSP.
I was busy then and told him to call closer to EOD and he did. This is what happened then:
After all the regular bank spiels, such as "this call is being recorded", yada yada… you would be told that you had been selected to be assisted with the biometric upgrade, which would be done in three stages – face ID, voice ID, and fingerprint ID. This process would supposedly replace the SMS 2FA used on the current version of the app, and you would have the latest security from BPI.
If at this point you had asked if they were really from the bank, he would offer up the possibility of talking with a senior officer on the floor to address your concerns.
The updated app is so new, in fact, that you would be given a link from which to download it – this is almost assuredly a skinned credential-stealing app (a keylogger) that would transmit whatever you enter into it to their database for misdeeds. It is not available on either the Play Store or the App Store.
This is a RED FLAG: only official apps that come from legitimate distribution channels should be "trusted", both by the bank and by you. My only regret is not getting the link immediately so that I could put it here as well.
Now here is the "hook" part of the convo. Whether you use a debit card or a credit card doesn't matter: they'd tell you that you have accumulated points from your use of their services, something like 300,000 points or thereabouts, with a converted cash value of 3000 pesos, which he would need to transfer to your account because it will not carry over to the new system. At this point he even offered the option of just transferring it to your GCash and asked for your details there. Regardless, in order to do this transfer he would need to "block out" incoming and outgoing transfers on your account so that you would see the aforementioned amount go into (reflect on) your mobile app.
At this point he would ask you to set your transaction limits to zero on 4 of the 5 entries he wanted changed. To my understanding, this would allow unlimited mobile transfers of whatever amount, and when I confronted him about that, he explained matter-of-factly that when it's set to zero you wouldn't be able to do transfers at all. He would guide you through your mobile app to the area where these transaction limits are set and have you set them to a "0" value – naturally, he has complete knowledge of the workings of the app, as he is "employed by the bank"…
I told him that, if he were legitimate, he should be able to do this from his terminal, to which he countered that the values on their screen appear as asterisks, so you would need to make the changes on your end to move the process along.
As part of the entire migration process to the biometrically upgraded app with enhanced security, a senior "verifier" agent would follow up with a call the following day, if and when you had completed this initialization. He would ask for a time when they could call, this schedule would be set, and you should free yourself at that time for about 20 minutes. That would be the team in charge of the voice ID part of the system – now, while voice ID seems like something from sci-fi movies, I do believe it is not that easy to implement as a verification system, and it poses its own set of vulnerabilities.
Now, as you can imagine, I didn't set my transaction limits to anything different from what was already there, and I told the agent that I would pay a visit to the bank to verify their claims of an app upgrade. His tone and demeanor remained unfazed by this; he just said that I could go ahead, but that it would delay the process and leave me out of the upgrade priority, to which I simply agreed.
This move put a stop to whatever sequence they were cooking up, and he eventually said that, since we were not going through with the first step, the scheduled verifier call would no longer need to happen.
He ended the call with this phrase: “Thank you for choosing BDO”
What Would’ve Happened
If you'd continued with the farce, you would have been entering valuable login information into the fake app they sent you. With that information, plus the "verifier call" to walk you through whatever confirmation they still needed, they would likely end up with a legitimate, working "approved device" on their end, enrolled with their own password and SMS 2FA. They would then initiate transfers out of the account while it is supposedly on a "temporary freeze" – moving as much as they can in the shortest amount of time, which is usually far less time than it takes you to file a report with the bank. Heck, it probably wouldn't even take them longer than the "hold" background music you'd be listening to for them to clean out your account.
The scam is very organized, and the information they have and are working with has a particularly unnerving degree of accuracy. It isn't hard to imagine that some people would be swept along with the narrative – hook, line, and sinker.
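The chain described above (limits zeroed, a new "approved device" enrolled, then a burst of outbound transfers) is something a bank's fraud team can correlate on its side, independent of whether the customer realises what is happening. The following is an added example, not code from the original post or from any bank: a small detection rule that scans an account's event timeline for exactly that sequence. The event field names, the time windows (24 hours from limit change to device enrollment, 30 minutes from enrollment to transfers) and the sample events are all constructed assumptions for illustration.

```python
"""Bank-side detection of the limit-zeroed -> new-device -> transfer-burst chain.

Added example (not the post's or any bank's code). Event schema, windows and
sample data are constructed assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Event:
    ts: datetime
    kind: str                # "limit_change" | "device_enroll" | "transfer_out"
    account: str
    detail: dict = field(default_factory=dict)


# Assumed windows: a device enrolled within 24h of a limit being set to 0,
# followed by outbound transfers within 30 min of that enrollment.
ENROLL_WINDOW = timedelta(hours=24)
BURST_WINDOW = timedelta(minutes=30)


def find_takeover_chains(events):
    """Return {account: summary} for every account whose timeline matches
    the chain: transaction limit set to 0 -> new device enrolled -> transfers out."""
    by_account = {}
    for e in sorted(events, key=lambda ev: ev.ts):
        by_account.setdefault(e.account, []).append(e)

    alerts = {}
    for acct, evs in by_account.items():
        zeroed = [e for e in evs
                  if e.kind == "limit_change" and e.detail.get("new_limit") == 0]
        enrolled = [e for e in evs if e.kind == "device_enroll"]
        outbound = [e for e in evs if e.kind == "transfer_out"]
        for z in zeroed:
            for d in enrolled:
                # Enrollment must follow the limit change, inside the window.
                if not (z.ts <= d.ts <= z.ts + ENROLL_WINDOW):
                    continue
                burst = [t for t in outbound if d.ts <= t.ts <= d.ts + BURST_WINDOW]
                if not burst:
                    continue
                alerts[acct] = {
                    "limit_zeroed_at": z.ts,
                    "new_device": d.detail.get("device_id"),
                    "transfer_count": len(burst),
                    "total_out": sum(t.detail.get("amount", 0) for t in burst),
                }
                break
            if acct in alerts:
                break
    return alerts


# Constructed sample timeline (not real data). T0 is an arbitrary Friday EOD.
T0 = datetime(2022, 9, 2, 17, 0)
SAMPLE_EVENTS = [
    # Victim: limits zeroed during the call, unknown device enrolled 2h later,
    # two transfers out within minutes of enrollment.
    Event(T0, "limit_change", "acct-victim", {"field": "fund_transfer", "new_limit": 0}),
    Event(T0 + timedelta(minutes=1), "limit_change", "acct-victim", {"field": "bills", "new_limit": 0}),
    Event(T0 + timedelta(hours=2), "device_enroll", "acct-victim", {"device_id": "dev-unknown-1"}),
    Event(T0 + timedelta(hours=2, minutes=5), "transfer_out", "acct-victim", {"amount": 50000}),
    Event(T0 + timedelta(hours=2, minutes=12), "transfer_out", "acct-victim", {"amount": 45000}),
    # Legitimate: customer zeroes a limit, then enrolls a new phone three days later.
    Event(T0, "limit_change", "acct-normal", {"field": "fund_transfer", "new_limit": 0}),
    Event(T0 + timedelta(days=3), "device_enroll", "acct-normal", {"device_id": "dev-own-2"}),
    Event(T0 + timedelta(days=3, minutes=10), "transfer_out", "acct-normal", {"amount": 2000}),
    # Legitimate: new device and a transfer, but no limit change at all.
    Event(T0, "device_enroll", "acct-other", {"device_id": "dev-own-3"}),
    Event(T0 + timedelta(minutes=3), "transfer_out", "acct-other", {"amount": 1500}),
]


if __name__ == "__main__":
    for acct, summary in find_takeover_chains(SAMPLE_EVENTS).items():
        print(acct, summary)
```

Only `acct-victim` trips the rule; the two other accounts share individual features of the pattern (a zeroed limit, a new device) but not the sequence and timing, which is what a fraud desk would want to alert on rather than any single event.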
I'm putting this out there for awareness. I hope it helps stave off at least some of these malicious attacks. Sound off in the comments if this has happened to you personally or to someone you know.