TipsFraud References

Fraud Prevention: Avoiding the bait of a phishing expedition

Protecting you from fraud cybercriminals and hackers who are always on the lookout for ways to steal your personal information.

Phishing is defined as a form of social engineering which attempts to acquire sensitive information or data (such as usernames, passwords, email addresses, account numbers, and One-Time Passwords, etc.) through fraudulent means. The pandemic pushed us to bank online to make transactions more convenient throughout prolonged lockdowns. Since then, phishers have become more creative, and continue to find innovative ways to trick people into clicking links or buttons and divulging confidential information.

Before presenting the steps that phishers take to maliciously acquire data, one fact needs to be underscored: contrary to the stereotype that movies often romanticize, phishers are not necessarily socially awkward hackers that spend their entire day in front of a computer. Moreover, they do not use complicated programs or devices to manipulate bank records. Phishers are all about efficiency, thus, their preferred method is to trick their victims into unwittingly giving them the information they need.

That said, phishers use psychology to make us give up our personal and financial information that will allow them access to our accounts. Metrobank, one of the country’s top financial institutions, gave us a peek on how phishers think.

Choosing a pond

Phishers randomly collect as many email addresses and phone numbers as they can. This is usually done by snooping around on social media, looking for profiles that have their email addresses and/or phone numbers in full display. Other sources of email addresses and mobile numbers are those that may have been exposed to the public, mobile apps that were compromised/hacked, etc. Once they have a suitable number of potential victims, it’s time to cast the net.

It is best to use an alternate email address or mobile number for non-financial transactions to avoid compromising the email addresses and mobile numbers used for banking purposes.

Setting the bait

Phishers will now attempt to contact potential victims via phone call, text, or email. They do this to get more personal information that may be used in security verification procedures. In truth, phishers don’t really know for sure if a potential victim does indeed have an account with a specific bank, but they play the odds and hope that there are matches.

There are many ways to do this, but the most common way is to send alarming messages about how accounts have supposedly been compromised, or that there is a need to verify our accounts in light of “new security measures”. These emails and messages are designed to elicit an emotional response--to fool the prospective victim into thinking that it is an urgent message that came from the bank. These messages will usually have “spoofed” or faked email addresses or phone IDs to make it look official. It also usually includes a link or buttons to what seems to be the bank’s log in page.

One thing we all must remember is disregard the message and NEVER click any links or buttons coming from these kinds of emails. As a rule, banks will never give you a shortcut link via email or SMS that will lead you to their online platforms, and in case these logins are needed, customers are encouraged to manually log in via a web browser or through their official apps.

Metrobank will not ask you to verify or give your personal or bank information via a link, text, email or call that you did not initiate.

The pages that are linked from these scam emails are fake. If we enter our username and password, phishers can take over our accounts and will have all the information they need for their next step.

Open sesame

Less than a decade ago, usernames and passwords were enough to get into our accounts. Passwords became easy to crack, hence banks added an extra layer of security by using technology like two-factor authentication to verify your identity or transaction. Two-factor authentication uses either a One-Time Password (OTP) that is sent to a registered mobile phone, or randomized codes generated via an official app to verify logins and transactions.

To completely access our accounts, the phishers will attempt to contact us via phone and text, usually pretending to be someone from the bank. They will then try to convince their target to give the OTP that was sent to their phone. By this time, they have already collected various personal information, and will therefore sound quite legitimate.

As always reiterated by bank advisories, we should NEVER give our OTPs or generated codes to anyone, even if they seem like they have all the other information that only our banks would have. Once we are fooled into giving our OTP, that is the final key that they need to open our accounts and have their way with it.

Hook, line, and sinker

In case we are victimized by phishers through the methods outlined above, there is little that we, or our banks, can do. We can file a complaint with the bank, and they will investigate what really happened, but likely it will be determined that our accounts were accessed solely through the standard log-in process, because correct login information and OTPs were shared and that’s how we are fooled by phishers.

It must be emphasized that security is a shared responsibility. Phishers do not attack banks -- they attack us: the customers. We should be aware of our responsibility in securing our account. We must keep our log-in information and OTPs from falling into the hands of phishers. We must be careful not to give them to anyone else.

That is why banks are also doing their best to inform us about these modus operandi. Currently, Metrobank is leading an industry-wide information campaign called Scamproof.PH. Scamproof is a website that has information on the latest scams and reminders on how to spot and avoid them. Visitors of the site can also submit scams that they have encountered. Submitted scams are then investigated then added into the database so more people would know about them.

We need to be educated on how we can spot a scam and prevent ourselves from getting victimized by phishers. Visit and for more fraud tips and advisories. In case you do encounter scams, it would also be prudent to report them by contacting to your bank.

How to defend yourself from fraudsters

Knowing is the first step to defending yourself from fraud. Here are some measures you can take to help prevent becoming a victim of fraud:

  1. NEVER give away your personal and account-related information to anyone, including your One-Time Password (OTP), username and password, PIN, or CVV (the three-digit number found on the back of a card). We will never ask you to provide such information over the phone, an SMS, or an email.
  2. Monitor your account for unusual transactions. Use the Metrobank Mobile App to track transactions. In addition to this, make sure your mobile number is registered so you can be notified of every transaction you make under your account.
  3. Be careful or avoid interacting with suspicious websites or ads that ask for your personal information. Also make sure that the website is secure by looking at the URL that shows “https://” at the address on your browser. Install and update your computer and mobile device’s anti-virus, ad-blocking, and anti-spyware software.
  4. Be careful about any job offers where a supposed employer will ask for use of your personal account to process or transfer funds. Never allow anyone to use your bank account to transfer money.
  5. Never entertain calls from individuals offering you a SIM upgrade. Immediately get in touch with your mobile service provider when your phone suddenly loses signal or stops working.
  6. Conduct your transactions only on secured and official platforms. Always type the URL of the website you are looking for instead of clicking on links. To access the Metrobank website, use

If you suspect you’ve been a victim of fraud, call us immediately and report the fraud incident to (02)88-700-700 or 1-800-1888-5775. You can also email us at using “Report on Possible Fraud” as a subject.

5 simple ways to fight fraud before it happens

You would think you won't be a victim to fraud until it happens, which is why your common reaction is, “I didn’t expect that.” This blissful ignorance is what fraudsters are looking for in victims.

But you don’t have to become a victim if you’re vigilant of these tips to protect yourself from fraud.

Keep username and password to yourself- Giving away your username and password, even to family members or trusted friends, opens you up to possible attacks as they could misplace your access details of your email, social media, and even bank accounts. Never share online access details.

Know to whom you are giving personal information- You feel that it’s okay to give away personal information, such as home address, email address, or mobile number, whenever you are using a new online service or mobile app. However, this information could be used in nefarious schemes without your knowledge. Look for and read the terms and conditions and privacy policy of online services or mobile apps that you are using.

Be wary of get-rich-quick schemes- It is easy to be captivated by advertising that says, “Earn US$100,000 from Home” while browsing the web or your social media network. These lead to websites that ask for your personal information. These too-good-to-be-true offers could be fraudulent schemes tricking you into giving away your personal information. Don’t be baited.

Log out of networks- Most of us would forget or outright disregard logging out of our email, social media, or web browser accounts. Even when using your personal computer or mobile device, someone could access your account and do mean things with it. Always log out and always have a password or a passcode on your device.

How to Spot Red Flags from Online Banking Scams

Cybercriminals and hackers are always on the lookout for ways to steal your information. Educate yourself on the latest bank fraud schemes and how to protect yourself against them with Metrobank.

Misspelled URL
A dead giveaway that a link being sent to you, whether that’s by SMS or email, is not legitimate is if the URL is misspelled. Be very mindful of this because the error may be easily missed, such as maybe a missing letter or the capital letter “i” in place of a lowercase “l”. Never click on any link that does not come from an official Metrobank email address.

Unsafe websites
If you do accidentally click on the link, check if the website is secure. You can do this by looking at the URL or web address. Most browsers will have a padlock symbol next to the URL to indicate that the website is safe.

Grammar errors
This one applies to both SMS and email scams. Official Metrobank materials are thoroughly checked for spelling and grammatical mistakes before they are sent out. If you notice that a message has a few of them, it is definitely not from us.

Sense of urgency
If the message is pushing you to update your bank information or else your account will be closed in XX days, it is an online scam. Remember, Metrobank will not ask you to verify or give your personal or bank information via a link, text, email or call that you did not initiate.

Asking for details
The number one tell-tale sign that you are being tricked into giving your information, whether this is through phone call, email, or text,, is that you are being asked to divulge very sensitive personal and bank information. This information will include an OTP sent to either your phone or email (which may be the most important piece of information they need). NEVER GIVE AWAY YOUR OTP. Even if the number telling you to do so seems to be the official Metrobank number, DO NOT GIVE IT AWAY. Fraudsters have gotten smarter and have been able to mask their real contact numbers and mimic legitimate business’ numbers. Your last line of defense is your OTP. Keep it safe.

Share your knowledge about fraud prevention.
Preventing fraud is an organized and concerted activity and is the responsibility of everyone. You can help others from becoming victims of fraud through proactive activities. You can start with sharing this article to friends.