BDO Unibank, Inc. alerts clients to be cautious of attempts by scammers to mimic official banking correspondence. Using the name and logo of the bank, these scams pose as genuine security alerts and ask customers for confidential information, which the scammers then use to access online bank accounts and steal money. BDO stresses that it will never send text messages or e-mails requesting personal information from customers.
BDO advises clients to be watchful for scammers
In a recent modus, scammers trick clients into triggering BDO’s “Add Device” security alert, which is part of the bank’s two-factor authentication mechanism to shield clients from fraudulent transactions. When account holders reply “Add Device” to this text message sent by the bank, scammers gain access to their online bank account.
BDO warns account holders: “Only add trusted devices to your digital banking app. Do not reply to Add Device text messages if you did not make an Add Device request.” For additional security, the bank advises clients to restrict authorization to only one device.
How “mobile device takeover” scam works
The modus operandi begins with an email or text message that prompts clients to click on a link to verify their accounts and prevent deactivation. Scammers often get customer details by hacking the network for email addresses and cell phone numbers. BDO reminds clients to be vigilant when sharing personal information online.
Worried about the potential inconvenience, several clients click on the link, which opens a bogus website. Clients log in to the bogus website using their online bank account username and password. Scammers collect the victim’s login information from the bogus website and enter it into the mobile app.
As a security protocol, BDO sends a text message to the client’s registered telephone number whenever an unfamiliar or new device is used to access their online banking account. The message asks the client to reply “Add Device” to get a One-Time-PIN (OTP) to register a known and trusted mobile device.
Deceived by the scammers’ email, some clients respond “Add Device” to this prompt, assuming that they would reactivate their “deactivated” online bank account.
BDO reassures clients that it will never ask them to verify their bank accounts via e-mail or text message, or to access links to do so. The bank urges account holders to ignore these messages or forward them to ReportPhish@bdo.com.ph.
Report unauthorized transactions to BDO
If clients mistakenly register the scammers’ device, scammers will then send money from their victim’s account to their own. When a fund transfer is successful, the bank sends a confirmation email to the registered email address of the customer.
If they receive confirmation emails about transactions they have not carried out, BDO urges clients to immediately contact the Customer Care Hotline at (+63 2) 8631-8000. They can also reach out by logging in to Messenger and searching for BDO Customer Care with a blue checkmark on Facebook.
Again, never share OTPs
Scammers acquire OTPs from their victims through a bogus website. OTPs provide another layer of online banking security. As the last part of the bank’s two-factor authentication process, these six-digit numbers are used to register a mobile number for BDO Online Banking and to confirm an online transaction. They can only be used once and within a short period of time.
BDO encourages clients to safeguard their bank account login information, such as username, password, and OTPs, to protect their online bank accounts from fraud.
To learn more about BDO Unibank, and how to protect your online bank accounts, please visit www.bdo.com.ph.