
Beware of the multistep fraud

With more people spending money on online shopping platforms, online banking fraud is more rampant than ever. To victimize as many people as possible, fraudsters now use schemes that are more detailed and sophisticated to feign legitimacy.

One of the new schemes fraudsters use is “multistep banking fraud.”

What is online banking fraud?

Online banking fraud has been going on for a few years now. It is only now getting the media attention it deserves. Criminals try to trick you into giving up your login credentials or other sensitive information through various means. One method is luring you to a fake website that looks like the real site, called a phishing site. Even big corporations have been fooled by this method.

Your login credentials serve as the keys to your accounts and let you access your online services, including banking websites. If a criminal gets hold of your credentials, these can be used to initiate transactions or transfer funds from your account. One common scam is when criminals send an email claiming that your account has been compromised. The message directs you to a website that looks like your bank's site, where they trick you into entering your online banking credentials.

You might get an email about "suspicious activity" on your account and be directed to call a phone number for more information. If you call the number, the person on the other end of the line will ask you for your personal data to "verify" yourself. This gives them the information they need to access your account. With your account under their control, they'll take your money and disappear before you realize that anything is amiss.

How many people are victimized by online banking fraud in the Philippines?

The Bangko Sentral ng Pilipinas received about 20,000 consumer concerns in 2020, of which 13% were reports of unauthorized and fraudulent transactions related to deposits, credit cards, e-money services, and remittances.

What is the multistep banking fraud scheme?

The multistep banking fraud scheme puts together two common online fraud schemes: fraudulent emails, and SMS and voice call phishing, or “vishing.”

The scheme works with a cybercriminal sending out a fake email made to look like it officially comes from a company such as Metrobank. The email states that you must update your online banking information using an attached link. It also includes a reminder to expect a call from an “official” representative to verify details.

If you click on the attached link, you are taken to a fake login page and are asked to type in your details. This fake website is used to harvest sensitive information.

Once the scammers have your details, they will then try to log in to your account. This triggers a One-Time Password prompt, which is sent to your registered mobile number. The fraudster then asks you via SMS or voice call for the One-Time Password or “activation code” sent to you. If they get this, they have full access to and control of your online banking account.

Remember: Metrobank will NOT initiate calls, SMS, emails or chats to ask for your bank account details.

What can you do to protect yourself?

There are a few things you can do to keep yourself and your money safe:

  • Beware of attachments and links. If you receive an email that looks like it is from your bank, do not open any files or click on any links in the email right away. Hover over the clickable text to see where it will take you. If it's not a real link but rather a URL shortener or something similar, it might be a phishing site. You can verify if an email from Metrobank is legitimate by checking the Email Security Zone (ESZ). The ESZ is personalized to contain information that only you and Metrobank know. The ESZ contains the following details: sender’s email address, your email address, the last four digits of your mobile number, and the last four digits of your account number.
  • Keep your security software up to date and use it. Anti-virus, anti-phishing, and firewall software can help block sites that try to steal your information as well as warn you about scams in general. They are not perfect, but they provide an extra layer of security. Consider purchasing a security suite.
  • Never give your password or PIN to anyone. Never share this information, even with someone who claims they are from your bank. Whether over the phone, via email or any other means, do not share your passwords, PIN, and OTP with anyone.
  • Report everything suspicious. If you notice any strange activity on your accounts, report it to your bank immediately so they can investigate it further.
  • Beware of emails with "urgent" requests. Do not fall for emails that look like they are from your bank but ask for personal information, especially if you did not initiate contact yourself. The same goes for emails that make threats or demand payment on the spot. Again, check the ESZ to ensure the details match those from legitimate Metrobank emails. You can also verify if a request is legitimate by calling your bank directly through their hotline number or by contacting their official communication channels.
  • Lastly, be aware of your surroundings when using an ATM or credit card reader. Criminals sometimes attempt to use devices that read information right off your card's magnetic strip or they might even try to record your PIN with a tiny spy cam hidden on the machine. If you see anything that looks like these devices, report it to your bank immediately.

Knowing what the latest fraud schemes are and how to spot them protects you from falling victim to cybercriminals. Visit the Metrobank Fight Fraud page for more fraud tips and advisories.

If you suspect fraud, report the incident by forwarding the phishing email or attaching it to an email message and sending it to customercare@metrobank.com.ph using "Report on Possible Fraud" as subject. You may also inquire or report the incident to the Metrobank Contact Center at (02) 88-700-700 or 1-800-1888-5775.