Two Truths and A Lie: The tricks scammers play

Press Release

Aug 19, 2024

In this game, the stakes are high. One wrong move can change your life completely. The game: Two Truths and a Lie. The players: Scammers and their Targets. The mechanics: They Play You Until You Give In.

The Bank of the Philippine Islands (BPI) is urging the public to stay vigilant about this nefarious practice, as cybercriminals are getting more sophisticated in their tactics and the use of social engineering schemes in the country.

“In this modus, the scammer makes three statements. The trick is that not all statements are true: two of the statements given are truths and one is a lie,” noted Jonathan John Paz, BPI Enterprise Information Security Officer and Data Protection Officer.

“The scam follows a general pattern. A person receives a call, and the caller proceeds with his or her prepared spiel. It can start with the caller giving your existing bank account. That will be the first truth. Second will be your name, address, and some other personal information. Then comes the lie: the caller is not an employee of the bank and only pretends to be to perform the vishing scheme,” Paz explained.

This is the reason BPI continues to roll out regular reminders to its accountholders emphasizing the need to remain alert and to not easily believe any emails, messages or calls from people claiming to be the bank’s representatives. Among the lies that BPI warns the public about are the following:

1. Under the cover of “hiring” schemes, fraudsters offer unwitting victims supposedly open positions in the bank. Fake employers would ask the unsuspecting victims to submit not just their employment documents but also to pay “processing fees.” In other instances, these fake officers send out phishing links in messaging apps and call the applicants to ask for their bank and e-wallet details.

2. Another lie that these scammers also use for their modus is to offer to convert your expiring bank points to cashback. They would then ask for sensitive banking information to facilitate the conversion. BPI would like to reiterate that points earned from BPI credit card transactions don’t expire, and no bank employee will ever ask for confidential information such as your One-Time PIN (OTP).

3. There is also a scheme whereby scammers call about unauthorized charges in your account and how you can reverse them by going to a BPI ATM. The caller would then give further instructions that will activate changing of the mobile number linked to your BPI online account.

In response to these escalating cyber threats, BPI encourages its customers to use the Bank’s mobile and online security features to help keep their accounts safe. These include activation of one’s Mobile Key, enabling biometric login, linking a device to one’s account, using OTP, and setting up login notifications and email alerts, among others.

“Never share your OTP—the 6-digit code you receive via SMS—with anyone. Stay vigilant in protecting your account. Cybersecurity is a shared responsibility. As we remain committed to continue strengthening safeguards to protect our customers against cyber fraud, we also ask the public to do their part in securing their accounts,” said Paz.

Early this year, BPI introduced new security enhancements to its mobile banking app. The updated BPI app features three new security controls that users can easily activate. These include a device binding control, which acts as a digital lock that allows only authorized mobile numbers and devices to access an account.

To stay updated with the latest cybersecurity reminders, follow the Bank’s official social media accounts: Facebook, Twitter, Instagram, LinkedIn, YouTube, and TikTok.