Even the most legitimate-looking scams are easy to spot if you pay attention to the tiny details.
With that in mind, we want to take a closer look at two Facebook posts making the rounds and warning about new phishing attempts.
This time, it seems like the scammers are getting cleverer with their tricks: They are making their attempts to contact people come from “official channels,” using a legitimate email address from a bank and a landline number from one of the most secure government agencies in the country.
How they do it
Facebook user Raymund Edgar Alvarez recounted a fraudulent email he recently received from “BDO.” This is not an uncommon tactic for scammers, but what made this post stand out was that the fraudulent email appears to have come from an actual BDO email address.
Based on Alvarez’s post, he received an email from “BDO” saying that his account was blocked as part of the bank’s anti-fraud measures. To regain access to his credit card, the email instructed him to click the link in the email and type in his details.
However, the email came from a certain email@example.com. If you’re not paying enough attention, you might think it’s a legitimate email. This is where it gets alarming. If you’re not careful, you might legitimately believe that there is something wrong with your account, panic, and give the scammers what they want.
The button leads to a subdirectory of google-docs.org (a scammy website) and then redirects to download-microsoft.com (another scammy website) where they host the replica of the BDO login page. You can only guess what happens to your account when you enter your details there.
We tried to log in using fake credentials with lots of expletives and then we got redirected to the real BDO homepage. Before we left their fake website, we got an account retrieval “confirmation” page that’s still poorly written. At least we got a thank-you note from the scammers.
Addressing the issue, BDO posted this on their phishing awareness page:
“All our official communications are made through BDO official email addresses, i.e., where xxxx is either the name of the unit or the name of the bank personnel sending the email. If you are doubtful of the content of the email, you may call our BDO Customer Contact Center. BDO will not send advisory or announcements through public email addresses such as Yahoo, Hotmail, G-mail and etc.”
Unfortunately, the bank has no directory of the email addresses it uses that you could cross-check a sender against. Even if you search for the address online, you won’t get any results unless you enclose it in quotation marks, in which case a single blog post says it’s an email scam.
Beware of email spoofing
Phishing emails are not as uncommon as you think. However, not everyone is trained to pay attention to tiny details that make the fraud obvious.
The email used in the phishing attempt may look like it came from a legitimate source. To make you panic in the blink of an eye, scammers employ an old trick called email spoofing.
In a nutshell, email spoofing is simply forging an email’s header to make it look like it came from a legitimate sender. Anyone can do this by using a script that will falsify the sender’s details such as sender’s email address and name.
In more sophisticated methods, they can even add a profile photo to make it appear more trustworthy.
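Because the visible sender can be forged, the details worth checking are in the rest of the message: the envelope sender, the receiving server's SPF/DKIM/DMARC verdicts, and where the links actually point. The script below is an added example, not part of the original article or the bank's tooling; the message is constructed, with bank.example standing in for the bank's real domain, mailer.example as a made-up sending host, and the link host taken from the redirect described above.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample (single-part HTML mail). bank.example and mailer.example are
# placeholders; google-docs.org is the look-alike host named in the article.
SAMPLE = """\
Return-Path: <bounce@mailer.example>
Authentication-Results: mx.recipient.example; spf=fail smtp.mailfrom=mailer.example; dkim=none; dmarc=fail header.from=bank.example
From: "Bank Alerts" <alerts@bank.example>
To: customer@recipient.example
Subject: Your account is blocked
Content-Type: text/html

<p>Your card is blocked.</p><a href="http://google-docs.org/placeholder">Restore access</a>
"""

def domain_of(header_value):
    """Domain part of the address in a From / Return-Path style header."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def same_org(host, domain):
    """True if host is the domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)

def spoof_indicators(raw):
    """Return a list of reasons the message should not be trusted."""
    msg = message_from_string(raw)
    from_dom = domain_of(msg["From"])
    findings = []
    # 1. The envelope sender should belong to the domain shown in From.
    rp_dom = domain_of(msg["Return-Path"])
    if rp_dom and not same_org(rp_dom, from_dom):
        findings.append(f"return-path domain {rp_dom} != from domain {from_dom}")
    # 2. Verdicts recorded by the receiving mail server; anything but "pass" is suspect.
    results = " ".join(msg.get_all("Authentication-Results", [])).lower()
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", results)
        verdict = m.group(1) if m else "missing"
        if verdict != "pass":
            findings.append(f"{mech}={verdict}")
    # 3. Links should lead to the claimed sender's domain, not a look-alike.
    for url in re.findall(r'href="([^"]+)"', msg.get_payload()):
        host = (urlparse(url).hostname or "").lower()
        if not same_org(host, from_dom):
            findings.append(f"link host {host} is not under {from_dom}")
    return findings

if __name__ == "__main__":
    for reason in spoof_indicators(SAMPLE):
        print("WARNING:", reason)
```

To run it on a real message, pass in the raw source, which most mail clients expose through a "view source" or "show original" option.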
In another Facebook post making the rounds on newsfeeds, an old-school technique employs an additional technological twist to scam people through the phone.
According to the Facebook post, what happens is the victim will receive an automated call from an unknown number that implicates the receiver in illegal drug cases.
After the robotic voice call, the receiver will then be given a set of options that they can choose from by pressing a corresponding number. Regardless of the choices, the call will then be redirected to a person who claims to be from the Philippine National Police (PNP) and will grill the other person on the line for connections to illegal drug charges.
After implicating the receiver in serious criminal charges, the “police” will then ask for the person’s confidential details like bank account number, social security number, and other sensitive information.
However, this is where it gets bizarre. According to the Facebook post, the number used in this extortion attempt turns out to be a phone number that belongs to the Bangko Sentral ng Pilipinas (BSP).
“The BSP categorically denies association with these calls and assures the public that these calls are fraudulent,” the agency said in a statement.
Beware of caller ID spoofing
If the BSP didn’t actually make these calls, then how could someone imitate the number of a government agency and use it for phishing?
In this scheme, fraudsters are merely using a trick called caller ID spoofing.
Simply put, it’s a technology that modifies the caller’s information in the receiver’s caller ID to mask the actual details of the former, specifically the phone number.
With the help of paid services, scammers can choose any phone number to hide their real details. In this case, they used one of BSP’s numbers to trick people into thinking they’re legitimate calls from the government.
The best way to prevent yourself from becoming a victim of this is to never answer phone calls from unknown numbers. If you’ve answered one, hang up immediately and don’t follow their instructions (such as pressing a number to repeat a message); this is how they identify potential targets.
In addition to that, never answer their questions with a yes or a no since your responses may be recorded and used for further criminal activity.
If you’ve fallen victim to these scams or received such attempts, you can contact the PNP Anti-Cybercrime Group through the following:
Hotline number: 723-0401 local 5313
Email address: firstname.lastname@example.org