Many scammers attempt to trick users into giving out their personal or bank information by mimicking official bank communications such as Metrobank’s. Sadly, online banking fraud has infiltrated SMS communications. Smishing, a combination of the words SMS and phishing, is one of the ways they do this.
Scammers send an SMS to a user’s mobile number that mimics an official Metrobank alert. The most recent of these alerts is the “Add Device” alert, which is part of Metrobank’s two-factor authentication process to protect you, our clients, from unauthorized transactions. When clients engage with and reply to these fraudulent texts, scammers get access to their online bank accounts.
Metrobank reminds clients to only add trusted devices to their Metrobank app. Never reply to Add Device text messages if a request has not been initiated. For added security and protection, it is best if users limit their trusted devices to ONE.
Fraudsters start by sending an SMS to their intended victim urging them to click on a link to verify their account. The SMS also indicates that if the client does not click on the said link within a certain period of time, their account will be deactivated. Many clients click on the attached link in panic. The link will then take them to a fake version of the Metrobank homepage and will ask them to “log in” using their online bank account details.
As a security measure, an SMS alerts you of a login from an unknown or new device. It will ask you to reply “Add Device” to get a One-Time Pin (OTP) to authenticate and trust the new mobile device. Some clients who are unaware of this type of fraud will click on the “Add Device” button in order to “reactivate” their online bank account.
Sadly, once the fraudsters get into your account, they will then start sending money from your mobile account into their own account. They will also try to lock you out of the app by changing the log-in credentials. For every successful fund transfer they complete, a confirmation email is sent to your registered email address. Please report any unauthorized transactions on your account immediately.
Where do they get the client’s mobile number or email address? Many fraudsters get clients’ data from data leaks or even from profiles that reveal personal information, such as your mobile number or email address. It is also a good idea to keep a separate email address for your social media accounts and another for your banking accounts.
Remember: Metrobank will not request or ask for personal or bank information via a link, text, email or call that you did not initiate. If you receive a message of this kind, please ignore it or report it to us. You can report any banking fraud incidents to us by emailing us at customercare@metrobank.com.ph using “Report on Possible Fraud” as the subject or by calling us at the Metrobank Contact Center at (02) 88-700-700 or 1-800-1888-5775.