How to Avoid Scams Online: SMS Spoofing and Phishing

Tagalog Version (Click Here)

While I’ve already made a previous article about how to avoid scams online, this version is mostly about phishing and SMS spoofing scams which are becoming more common in the Philippines. If you don’t want to lose thousands or even millions of pesos to those kinds of scams, then keep reading to learn more about them and how to avoid them.

First off, to give you a picture of how phishing scams work, imagine you’re in a mall buying groceries. Suddenly, a “worker from an electric company” comes up to you and asks you for your name, home address, and the keys to your house because they need to “verify things”.

Will you give them your house keys? 

You don’t want to? What if they say they’ll cut off your electricity if you refuse? Will you give them your address and house keys then?

Yeah, you probably already know that it’s OBVIOUSLY a scam, but people fall for that kind of thing ONLINE. That is exactly how phishing scams work, but instead of a scammer wearing a fake uniform and fake ID, it’s a text message or an email asking for your password, One-time PINs (OTPs), verification codes, and other important personal information.

Never give anyone your password, PINs, and OTPs as those are the “keys” to your accounts. REAL bank and company employees will never ask for that information, but criminals almost always do.

What is a Phishing Scam? – Scam Emails, Texts, and Messages

Phishing is a technique criminals use to make you give them your personal information, account details, passwords, PINs or other financial information that they can use to steal your money or commit identity theft. There are many ways they can do this, but they will usually use emails, text messages, or calls.

Just like a fake worker trying to get your house keys, a criminal will email, text/message, or call you and pretend to be a bank employee, customer service agent, government employee, friend or family member, or something else.

Using whatever reason (“you must update your info”, “you won a promo”, “you received a package”, etc.), they will then scam you into giving them important info such as your bank account username and password, email account username and password, credit card or debit card number and CVV, OTPs, verification codes, and more. Those pieces of information are like your “house keys” that they can use to access your bank account and steal your money.

Again, NEVER give your Password, PIN, OTPs, verification codes, or CVVs to ANYONE. Real bank or company employees will never ask for those things, but scammers often do.

WARNING: Criminals may also ask for your full name, home and work address, home phone number, email address and password, mother’s maiden name, secret questions and answers on your account (pet name, etc.), and more. In case you haven’t noticed, those are information that bank employees and customer service agents usually ask to verify if it’s really you calling when you call them. If the criminal knows all that information, they can call the bank and pretend to be you in order to access your account and steal your money.

Fake Login Websites

A more serious method of phishing is by sending you a fake login link. The phishing email may contain a link to a scam website that looks like the bank’s website, but it’s owned by the scammer. These usually won’t have a secure connection (“https” and a padlock icon on the website). If you type your username and password there, the criminal who owns that website will then know the username and password (your “keys”) to your bank account. They will then use those to login to your account and steal your money.

Now, two-factor authentication (2FA) is one way to guard against that, but if you give the scammer your OTP or verification code, then you’re basically doomed. They’ll have full access to your account, and they might change the email and number so you’ll never get notifications once they steal your money. Again, NEVER give your OTP to anyone.

NEVER click on strange links in emails. If you need to login to your account for some reason, you must go to the official website of your bank and login there. Do NOT use the link inside the email as it could be a phishing link.

Viruses and Other Kinds of Malware

Criminals can also attach a virus or spyware to the email or add a link to a website that contains a virus, spyware, keylogger, or other form of malware to hack your computer directly and steal your username and password. Again, DO NOT click on links in suspicious emails and DO NOT DOWNLOAD SUSPICIOUS ATTACHMENTS.

Here’s a picture of a phishing scam email I received a week before I started writing this article:

And here’s the bank’s notice about that phishing scam:

What is SMS Spoofing (Fake Text Messages)?

You know how banks and businesses can send you notices and OTPs through text and you can see the bank or company name on the number itself? SMS spoofing lets criminals put the bank’s name and number on their text message to you. It’s not the bank or business that sent the spoofed message, it’s a criminal using the bank’s name and number as a “mask” to scam you. 

When they spoof a message, they can then send you a link to a phishing scam website or to prepare you for a call from the scammer. You may get fooled into trusting the scam because they’re wearing the bank’s name and number as a mask.

Here’s an example of how it works. Take note of how they asked for the OTP! Again, NEVER give your OTPs to anyone.

SIM Swap Scam

If you use online banking, you probably know how the bank sends OTPs to your phone (2FA) for almost everything like sending money, changing passwords, changing emails/phone numbers, etc.

If a scammer tricks you and you give them your login and OTPs, they may try to change the phone number of your account to take control of it completely. They’ll replace your number with theirs (the “SIM swap”) so they’ll get all the OTPs, and you’ll never receive any text messages warning you about money transfers and withdrawals that the criminals did on your account.

How to Avoid Scams Online

1. NEVER give your Password, OTP, MPIN, or Debit/Credit Card numbers and CVVs to ANYONE.

Bank and company employees will NEVER ask for passwords, OTPs, verification codes, PINs, MPINs, or CVVs (the number at the back of your debit or credit card).

Take note that real bank representatives may ask for your full name, username or account name (but not your password), debit or credit card number (but not the CVV), bank account number, mother’s maiden name, and other pieces of personal information to verify if it’s really you who is calling and not someone pretending to be you. It’s only relatively safe to tell them that information if you called them first using the number on their official website.

They ask all that information to verify if it’s really you, and that’s why you should be careful if someone calls you first and asks for those things. If they know all that info about you, THEY can call the bank, pretend to be you by answering the verification questions, and then try to steal from your account.

2. BEWARE of Suspicious Calls, Texts, Emails, and Messages.

Again, if someone from the bank calls, texts, emails, or messages you, you must stop the call or ignore the message, go to the official website or social media page of the bank or company and call the number there to ask if the offer or notice is real.

Do NOT call/text/message the number on the email or text message as it could be fake.

3. Follow your bank’s social media page and read their cybersecurity announcements.

Criminals get smarter and smarter and they know how to manipulate their targets. Fortunately, if there’s a new scam going around then banks and other companies will make an announcement to warn people about them. Read the warnings when you can if you don’t want to be the next victim. 

Technology has certainly made our lives far more convenient. We no longer need to spend hours waiting in line at the bank for every transaction as we can do almost everything online. Still, criminals do find ways to abuse it and that is why we must always learn the best ways to protect ourselves.

Remember to follow your bank and financial apps’ social media pages, read their cybersecurity tips, and be extra careful of what you click and download online!

Here are some examples of online scams we found happening in the Philippines. Make sure you give them a read so you don’t get fooled!