It would be understandable to feel secure when the text messages you’re receiving are from your bank’s official number, but as it turns out, even that can now be infiltrated by scammers.
Such was the unfortunate case with one Filipina, who took to Facebook to share her story. She narrated how the scammers were able to send her a text message using her bank’s official number, the same one that sends her account’s OTPs for transactions. OTPs, or one-time pins, are a security feature used by banks: when you do an online transaction, your bank sends you a confirmation pin through text that you need to input to allow the transaction to go through. This feature helps banks ensure the transaction is really being made by the account owner. And for added security, OTPs are only valid once, and they expire.
Though banks consistently remind their users never to share their OTPs with anyone, what will you do if it’s your bank that calls you and asks for it?
She tells her story:
TL;DR: ALL MY MONEY WAS STOLEN FROM MY [BANK] ACCOUNT. THIS IS A PSA ABOUT PHISHING SCAMS.
Last Friday, August 7, I received a text message from the OFFICIAL [bank]-OTP number telling me to expect a call. The message said their agent with the number 09162083912 would call regarding my account. Sure, a little strange, but this was the official [bank]-OTP number that has been sending me all my previous OTPs for all my online transactions. Past experience told me this number only sent automated messages, so this must’ve been an official call from [them], right?
The following day, at 5:23pm, I received a call from the number indicated in the [bank]-OTP message. It made sense, so I answered. The “representative” on the phone told me that [they are] testing out a new system and needed customer confirmation that their messages were being sent and received in real time. I was told to read two sample messages out loud, which I would realize were activation keys that allowed the scammers to access my [bank] online account.
Later that night, I had a trail of emails about multiple funds transfers I was completely unaware of. Once the so-called [bank] agents had gained access to my account, they transferred my money to a PayMaya account. It was too late by then, and all the money I had saved this year was gone. Well, they left me Php 200.
I immediately contacted [my bank’s] customer support hotline to ask for help. I forwarded a screenshot of the [bank]-OTP message I received from THEIR number. You know, the number we’ve been conditioned to trust because that’s where all our OTPs come from. Supposedly the last line of defense, this [bank]-OTP number had been used to help people steal my money. I told the support personnel what happened, and all they could offer was to report the issue. They said they couldn’t do anything about the money stolen from me with the help of their own security number. Nothing. Nada. Just me, a “reported issue,” and my annual savings of Php 200.
Aside from the obvious issue of losing all my money, what concerns me the most is that the [bank]-OTP number—an official number that I am supposed to trust for all my banking transfer passwords—is compromised. We’re constantly reminded to keep our presence of mind and never share bank details with anyone, but you would think you’d at least be safe when it’s the bank you trusted with the entirety of your savings telling you to expect a call. Isn’t banking built on trust, after all?
It’s easy to say you’re careful, but when you’re in the moment and your faith in your chosen bank has been taken advantage of, you can just as easily be left broke. Currently, I’m still exhausting all possible options to get back the money that was taken from me.
Please learn from what happened to me and be very vigilant about your online accounts, especially now that we’re in quarantine and are constantly transferring money through our phones.
Trust your instincts, and be extremely careful when sharing your bank information, even with your bank.
Apparently, the scammers were able to infiltrate the bank’s number that sends the OTP messages, and texted her telling her to expect a call from a specific number. When she got the call, they activated a transaction that sent her OTPs, and they asked her to read them out, supposedly to “test out” a new system. Through this, they got her OTPs and were able to transfer all her money out of her account. You can read the original post here.
It seems impossible that this could happen; after all, how could someone hack into a bank’s system? But as it turns out, the answer is quite simple.
After the post about the OTP hack went viral on Facebook, tech company White Cloak posted an infographic set on Facebook that explains how OTP hacks can happen. Apparently, there are numerous services online that provide “SMS spoofing” capabilities. SMS spoofing means you can send text messages to anyone from any number that you can set yourself. While these “fake” text messages can primarily be used for simple pranks on friends, they can also easily go awry—like, say, when scammers decide to use them for their shady operations.
Let’s hope banks strengthen their security even more to prevent similar incidents from happening. Until then, please always remember this one golden rule: NEVER share your OTPs with anyone, not even with your own bank.
NOTE: Original poster’s name was omitted for her privacy.
Get in touch with the author of this article! Follow Nicole on Instagram at @TheStillnessinMoving.