BPI Uncovers Scam Tactics Using Fake eGovPH App

The Bank of the Philippine Islands (BPI) has uncovered how scammers are targeting Filipinos through a fake version of the governments eGovPH app, exposing new tactics used to steal online banking credentials.

BPIs enterprise information security officer, Jon Paz, said the scheme began when a bank manager received an email urging him to update his eGovPH app through a Google Form. The scammer later called and instructed him to install what appeared to be the latest version of the app. In reality, it was a remote servicing tool that gave the fraudster full control of the phone.

Behind the fake installation screen, the attacker disabled security settings and sideloaded unauthorized software. This allowed the scammer to capture login details and trick the victim into submitting biometrics through a counterfeit interface. While the user thought he was logging in, he was unknowingly authorizing fund transfers to the scammers account.

Fortunately, no money was lost. BPIs data protection team monitored the attempt in real time, and the flagged receiving account prevented the transfers from being completed. The incident gave the bank valuable insight into how rogue apps operate, beyond reports from scam victims.

Paz explained that these malicious apps are only one of many tools used by fraudsters. Others include International Mobile Subscriber Identity (IMSI) catchers, which mimic cell towers to intercept calls and messages. These are often used to send phishing texts that appear to come from legitimate institutions like banks.

The Philippines has seen a surge in scam activity. Global anti-scam tracker Whoscall recorded 62,390 scam calls in the country during the third quarter, a 78.4% increase from last year.

BPIs chief technology officer, Alex Seminiano, urged Filipinos to remain vigilant, reminding the public not to share passwords or one-time PINs, to enable multi-factor authentication, and to keep banking apps updated.

“The whole security mechanism of banking is based on trust identification,” Seminiano said. “If you share your credentials and someone else pretends to be you, it becomes very difficult to distinguish the real user.”

BPI said it will continue to strengthen its systems and expand education campaigns to help protect Filipino customers from increasingly sophisticated scams.