In November 2018, my BPI credit card started accumulating transactions in Indian
rupees. I learned this when I received several text messages from BPI stating
that several transactions were cancelled due to suspected fraud. The text
messages also indicated a BPI hotline that I needed to call.
I was
overseas and the last time I used the said card was a month earlier for online
booking.
I promptly
called the hotline and learned that several transactions at PAYTM were successfully
credited to my card. However, the customer staff instructed me to wait for a
dispute letter while they immediately cancelled and blocked my card since it was
already compromised. They arranged a new card to be delivered to my residence
in the Philippines. I received a dispute letter from BPI on the same day and I
replied stating that I had my card with me and had never used it for PAYTM.
After a
couple of days I was back in the Philippines and received my new card.
Interestingly, I was still receiving text messages from BPI regarding new
cancelled transactions. It meant my credit card was still being used in PAYTM.
So I followed up on my reply to the dispute letter sender and called their
customer service again.
Normally, when
you use your credit card for an online purchase, the merchant asks for an OTP or
one-time password to be sent by the bank to your registered mobile number. I
googled PAYTM and learned that it does not require an OTP, thus the initial
transactions went through.
To make this
short, I was billed around 125,000 pesos but I didn’t pay the amount as
instructed by the customer service. On my next billing, the amount generated an
interest charge. However, after a few days I received a notice that the
disputed transactions/amount together with interest charge were reversed. It
took BPI around a month to rectify the situation.
Until now, I have no idea how these fraudulent transactions transpired.
Fast
forward, on Jan 22 I received an email from expressonline@bpiexpressonline.ph.
The email address looks authentic, doesn’t it? It shows a clear BPI logo and flawless
grammar and is an almost perfect duplicate of BPI’s standard email. It asks you to
click a link for customer verification purposes. Aside from that, the email
states that your credit card is suspended until you have completed submitting the
details on the said link. The link looks like a BPI website asking for all your
personal data including your online banking username and password, but I noticed
that the URL of the link is not an official BPI website but rather a
“template” only, though it is a secured website due to “HTTPS.” In addition to
this, I remember that BPI normally sends email with a “customer security zone” –
this is a confidential number pertaining to your card and this email doesn’t
have one.
So I
forwarded it to an authentic BPI email from where I am receiving my monthly
billing for verification. Aside from that I replied to the “other” email informing them I won’t enter my data unless they send my security zone
number. To my surprise, Yahoo replied that my email was undeliverable to expresssonline@bpiexpressonline.ph.
Got Ya!
This email seems authentic
Note the URL or website - it is definitely not the official website of BPI - enjoy filling up this form
My heart pounding with excitement, I
immediately clicked the link provided and "cursed" them. Yes. I cursed them! It felt good! I
even made fun of them too.
So guys, be very careful. Any correspondence you receive from your “bank” asking for your personal
details should be treated with extreme caution. Your bank won’t ask you to
divulge your username/password/credit card/cvc/etc. by email for the sake of
verification. Remember that. Don’t get carried away about the threat of getting
your card suspended since it won’t cause you any damage. If you need to use
your card urgently then you just need to call their hotline. Further, if you
are in doubt then reply to that email and put in copy your bank’s official
email. There is nothing to lose if you spend a little time in verifying this
matter. Aside from that, you can also click the “link” provided by the email
and check whether the URL is your bank’s official website but don't ever give any details.
In case you
have confirmed that the email is a fraud then you can enjoy the luxury of
annoying those scammers like what I did.
BPI's reply to my email
BPI
replied and confirmed that what I received was a “phishing” mail. They
suggested that I change my online banking password through BPI official website
which I promptly did. As an industrial system specialist guy, the scammer would
be needing a supercomputer to debug my password, LOL.
I am happy that BPI was able to manage the "phishing" situation immediately while the fraudulent transactions recorded on my credit card were professionally handled as well. It is very comforting to know that your bank is trying its best to protect you and your hard-earned money from unscrupulous individuals.
Disclaimer:
Some minor details have been changed to protect my personal information.
Sir.. We were victimized by this email phishing.. can the money be returned?
I don't think so since you are the one who provided your details to the scammer and not the bank. Better coordinate with your bank.