I Got Scammed (Vishing)

Vishing is a crime that consists of impersonating companies, calling the victim by phone, and obtaining their data. Cybercriminals can gain remote access to your computer if you follow their instructions. 


I got scammed yesterday out of thousands of my savings account. To give context to what happened and how everything went down: I currently own a Security Bank Checking account for work and our ATM cards expire by June 2022. I have not received my new card as of this writing as I was not able to make it during the card distribution. I have been waiting for the card for weeks now and the last conversation via e-mail was that they will update me through call once the card is already made available. 



Note that I have 3 bank accounts - 1 is the mother account where my salary is being sent out and I have 2 extra accounts for savings and the other for my skincare.


I requested for the card renewal 2nd week of June, so today I received a call and the person calling me stated they are from Security Bank and are asking about my debit card. Red Flag #1: I assumed it was Security Bank. I told them I have not received it yet and asked what the status was. The person speaking stated he will check and that he will get back to me. Red Flag #2: The line was too quiet, normally when I call them the line is too noisy with other agents talking over each other. Then he asked me that he will send an OTP to complete the transaction, I told him this was already requested and he stated that we need to activate a biometric chip and will require the OTP. Giving me a barrage of benefits, it was lunch time and honestly have been at this ATM replacement for several weeks now so I didn't really pay much attention to it. I might have shared my account number too, everything went too fast that I could not recall when I gave him this. 


The agent stated that he will then pass the call to his "supervisor" stating that he will complete the request. The supervisor asked me what online banking I use, I told him I use the old version as I find it easier for me. He asked for my username and I do not know why I gave it to him. A few minutes later he asked to send another OTP to complete the ATM request. This was the time that I checked my messages and of course, gave him the code. He stated that the code did not work and he will send a new one. Red Flag #3 Had I not checked the text messages and if I had given him the 3rd OTP my entire savings would have been lost. He attempted to take out money from the skincare account. A few seconds later the call dropped and my heart sank as I saw a confirmation text that I have "transferred" thousands of money via Instapay. He called again and I knew I got scammed. 


I immediately logged into my online app and saw that one of the three accounts I have has been debited PHP22,400 off my savings account and the skincare account still has some balance to it. Funnily enough, he did not take out all the money - he left me with PHP80.76 from the account. Does he deserve a thank you? The scammer called multiple times during this time but I was already calling Security Bank to block everything and report the fraudulent activity. I immediately moved the skincare funds over to my own BPI account as I waited to get to a Security Bank agent. I waited for an hour before I reached someone.


When I reached the Security Bank agent, I reported what happened. Someone pretended to be them and what was shocking was how was it that they were able to get access to my account - checking on the site all you need are the username and password to gain access. Now if you forget a password, a username and e-mail are required. Yes, I did share the username but not my e-mail address so I can assume that they already have access to my profile. I also saw in e-mail all the things that happened:


1:06PM they changed my password - this was the first OTP
1:07PM they were able to access my online account
1:09PM they already transferred the money to a Chinabank account via Instapay - this was the 2nd OTP
1:12PM I moved my remaining cash over to another bank
1:15PM I have been logged out from all apps due to multiple simultaneous access


What the Security Bank agent do during our 1-hour and 45-minute call, note the line was really noisy with agents speaking at random intervals.
2:10PM deactivated all online accounts
3:09PM created a new ticket or the ATM replacement - goddamn it's been a month already!
3:18PM deletion of the account where the money was taken out
3:18PM deletion of the salary account
3:18PM deletion of the credit card account
3:52PM ticket sent for an unauthorized transaction


I was told this will be a 20-business day investigation. I honestly do not hope for much, the pessimist in me says that there is no way this will be valid. Also, I have read that this happened previously and there has been and yes, I know that somehow this is my fault for giving them the OTP and username and even the account number but what I wondered was that even during the first call at 1:06 how was he able to change my password if they do not have immediate access to it?


I honestly feel this was a targeted call and here's why:
1. How could they have called my number out of all of the people in the Philippines?
2. How could they have known I am waiting for a card? Was it because I responded I waited for it?
3. How could they have been able to get inside my online account without full details?


I have been very careful with all these vishing, spam, and phishing messages that I get daily from random folks saying I won the lottery or that they are hiring, and have been rather careful in answering calls. I hate making and receiving phone calls and if I can avert it I will. 


Here's what I did after:
1. I changed all passwords to my accounts.
2. I created a new e-mail address and connected it to my online banking.
3. I have decided to call forward all calls to a dead number - yes! I just did that!
4. If I do decide to answer a call, I will ask for identification first and remain vigilant or heck not talk to them at all.
5. Should I need anything from my bank, I will call them directly instead.


I also knew of a friend who lost her PHP5000 from GCASH just by clicking a somewhat legitimate link from her email. I felt weak to my knees knowing that in less than 10 minutes, I was robbed of my own money. I was caught at a very bad time and yes I could have done better. I know it's just money and that I can manage to earn it, what just hurts is that there are people that do not fight fair. In a world where technology is just at the tip of our fingers - we still have to be careful. 

Stay safe out there.


Also, the site went offline by 5PM MLA.

Update: 

July 14th - I filed a complaint with BSP about what happened with my Security Bank Account.
July 18th - Received an email from Security Bank that they have received a complaint from BSP about the incident and that they are currently working on it.
July 20th - Received this email today.


Long story short, I already expected this result after I filed the complaint. I knew that they will never return my money as I have read countless stories about the same incident. What I wish to learn from this is to accept that people do not fight fair and that money can be replaced. Also, I realize that justice in the Philippines is just a thing of the past.

May you learn from my mistake and not become vulnerable to these instances. Stay safe out there.