BDO warns against mobile device takeover attempts

2020 November – BDO Unibank, Inc. cautions clients to be vigilant against scammers’ attempts to imitate official bank communications. Using the bank’s name and logo, these scams appear to be legitimate security alerts asking for clients’ personal information, which scammers will then use to access and steal money from online bank accounts. BDO reiterates that it will never send text messages or emails asking for clients’ personal information.

 

A recent modus finds scammers tricking clients into initiating BDO’s “Add Device” security alert, which is part of the bank’s two-factor authentication process to protect clients from unauthorized transactions. When accountholders reply “Add Device” to this bank-sent text message, scammers get access to their online bank account.

 

BDO reminds accountholders: “Only add trusted devices to your digital banking app. Do not reply to Add Device text messages if you did not make an Add Device request.” For added protection, the bank advises clients to limit permission to just one device.

 

How “mobile device takeover” scam works

 

The modus operandi starts with an email or text message that urges clients to click on a link to verify their accounts and avoid deactivation. Scammers often get clients’ data by scraping the internet for email addresses and mobile numbers. BDO reminds clients to be prudent when sharing personal information online.

 

Worried about the potential inconvenience, many clients click on the link, which opens a fake website. Clients “log in” to the fake website with their online bank account username and password. Scammers get their victims’ login details from the fake website and key these into the mobile app.

 

As a security protocol, BDO sends a text message to the client’s registered mobile number in case an unknown or new device is being used to access his or her online banking account. The alert asks the client to reply “Add Device” to get a One-Time PIN (OTP) to register the known and trusted mobile device.

 

Deceived by the scammers’ email, some clients reply “Add Device” to this prompt, thinking it will reactivate their “deactivated” online bank account.

 

BDO reassures clients that it will never ask them to verify their bank accounts via email or text message, or ask them to click on links to do so. The bank advises accountholders to ignore these messages or send them to ReportPhish@bdo.com.ph.

 

 

 

Report unauthorized transactions to BDO

 

If clients mistakenly register the scammers’ device, scammers will then send money from their victims’ account to theirs. When a fund transfer is successful, the bank sends a confirmation email to clients’ registered email address.

 

If they receive confirmation emails about transactions they did not make, BDO advises clients to immediately report them to its Customer Care Hotline at 8631-8000. They may also reach out by logging in to Messenger and looking for BDO Customer Care with the blue verified checkmark from Facebook.

 

Again, never share OTPs

 

Scammers obtain their victims’ OTPs through the fake website. OTPs add another layer of protection for online banking. As the last part of the bank’s two-factor authentication process, the unique six-digit numbers register a mobile number to BDO Online Banking and confirm an online transaction. They can be used once and only within a short span of time.

 

BDO reminds clients not to give out their bank account login information, such as username, password, and OTPs, to protect their online bank accounts from theft.

 

 
