‘Smishing’ Scam Victims Seeking Answers, Accountability
While financial institutions and law enforcement agencies have stepped up efforts to prevent more Filipinos from falling prey to fraudsters, victims are often left to bear the financial toll of a successful scheme.
(Last of Two Parts)
When Theresa’s father, a senior citizen, recently fell victim to a “spoofed message” scam, their priority was to dispute the transactions amounting to almost P250,000.
Because the message appeared within an official SMS thread, they believe that the burden of paying for the fraudulent transaction should not be passed on to victims.
“It was very stressful for our family because the messages were convincing and created a strong sense of urgency, especially regarding the expiring rewards,” Theresa (not her real name) said in a message to The Philippine STAR. “My father is already a senior, which made it more difficult for him to immediately recognize that it was a scam.”
When four unauthorized transactions were charged to her father’s credit card after he inadvertently provided his personal information and one-time password (OTP), Theresa said they immediately filed a complaint to dispute the charges.
But since her father provided the OTP, the bank ruled that the transaction was valid.
“We feel that consumer protection in this situation was not sufficient, and despite explaining everything multiple times, we are still being contacted and asked to pay the P250,000. It has been very distressing for my dad as he continues to receive calls regarding this,” Theresa lamented.
This is a common complaint among victims of various forms of phishing scams.
While financial institutions and law enforcement agencies have stepped up efforts to prevent more Filipinos from falling prey to fraudsters, such as through consumer education campaigns and police operations targeting alleged scammers, victims are often left to bear the financial toll of a successful scheme.
Marie, whose credit card was charged P19,000, due to a spoofed message as well, said the dispute she filed was also rejected by her bank.
“I was able to contact their fraud department, and they said that if I entered the OTP, there’s no guarantee [that the charges would be reversed],” Marie said.
Explanation lacking
The Philippine STAR tried to reach out to various financial institutions to inquire about their policies regarding fraudulent transactions.
Only BDO Unibank, whose consumers are among those targeted by spoofed messages, responded to queries.
“The bank provides appropriate assistance to the customers,” it said when asked about complaints of fraudulent transactions tagged as “valid.”
It did not elaborate on what kinds of assistance are being provided.
Such explanations are often not enough to quell the discontent of victims, who are often left worrying about mounting debts they never benefited from.
“I don’t want to pay it, but I have no choice because if I left it unpaid, the interest would pile up, it would go to a third-party collection and my credit score would be affected,” said Marie.
According to the Bangko Sentral ng Pilipinas (BSP), victims may escalate their complaints to their Consumer Assistance Mechanism (BSP-CAM) if the issue is not resolved by their bank’s customer service channel.
“If the financial consumer remains unsatisfied with the actions taken by the financial institution during the BSP-CAM, the case may be elevated to the BSP's Consumer Complaints Resolution Office for mediation or adjudication,” the central bank stated in a written response to The Philippine STAR.
“Through mediation, the BSP facilitates the communication and negotiation between the consumer and the financial institution concerned to find a mutually acceptable settlement,” it added.
A case may proceed to adjudication if the mediation does not result in a settlement.
The lengthy process, however, is not ideal for many victims, as it would require them to invest more time and effort just to dispute the charges.
BDO said it heavily “invested and implemented” technology changes to strengthen control and detect suspicious activities, as well as engaged in “very aggressive” customer education.
“The industry is seeing more cases where scam messages appear to come from legitimate bank message threads, which can easily mislead customers,” it said in an emailed response.
“This can happen because scammers use advanced tools, like fake cell towers (IMSI catchers), that can send messages appearing to come from trusted sources,” it added.
AFASA law
To further strengthen efforts against online financial scams, President Marcos in 2024 signed the Anti-Financial Account Scamming Act or the AFASA law, which criminalizes common schemes used by perpetrators of online scams.
These include the use of “mass mailers” and “social engineering” to access victims’ sensitive personal and financial information.
The law also grants the BSP the power to inquire into accounts suspected of involvement in such schemes and to share relevant information with law enforcement authorities.
“Information obtained through this process may be utilized by law enforcement authorities, including the National Bureau of Investigation and the Cybercrime Investigation and Coordinating Council, in the conduct of criminal investigations, identification of perpetrators, collection of digital and financial evidence, and prosecution of offenders,” the central bank stressed.
But lawyer Amie Perez, who specializes in financial crimes, said the AFASA law could only do so much in helping victims who already lost their money.
“Unfortunately, the scope of the AFASA is limited because what the AFASA criminalizes is the act of scamming itself,” she said. “It’s pretty much silent on liability, but it imposes a standard of diligence on the banks. So they should exercise extraordinary diligence and if based on that standard of care, the bank complies, then the bank is not liable.”
“The limitation of AFASA is that it does not shift the liability to the bank provided that the bank exercised a certain level of diligence in protecting accounts from scams,” she added.
While the law contains a provision on civil liability, which allows restitution for the damage done on victims and other aggrieved parties, challenges remain in terms of tracking down and prosecuting alleged perpetrators.
More laws?
At the House of Representatives, Cagayan de Oro 1st District Rep. Lordan Suan filed a proposed bill to specifically penalize smishing or text-based scams.
It also specifically directs public telecommunications entities to implement technological solutions to identify and block suspicious text messages.
“It seems as if we are passing the [responsibility] to the public. It feels like victim-blaming,” he said in Filipino. “It should be the telcos that should bear that responsibility to make sure that we do not allow those kinds of text messages.”
Both Smart and Globe, however, said they are already implementing measures to prevent suspicious messages from being sent using their networks.
Roy Ibay, vice president at the Philippine Chamber of Telecommunicators Operators and head of the regulatory affairs department at Smart, said the problem with IMSI catchers is that they do not go through their systems.
“It's a fake cell site. It builds a small network in the area where it operates. So, it's practically invisible to Globe or Smart Network,” he said.
“It doesn't pass our network. How can we block something that doesn't really pass through our own network? So the challenge really is to be on the ground exactly when and where it happens,” he added.
Both Smart and Globe said they already blocked millions of SIM cards suspected of engaging in fraudulent activities, while their systems continuously prevent scam messages from being sent using their networks.
Garrett Silao, chief information security officer at Globe, said invisibility is also the reason why the telco donated IMSI catcher detectors to law enforcement agencies.
“We do have our preventive security mechanisms in place. That’s why the attack evolved … They cannot attack here, so they go the off-net route,” he added, referring to the use of fake cell towers.
Suan agreed that his proposed measure will not be able to cover schemes outside of the scope of telecommunications companies, saying this—along with matters related to supporting victims—will be taken into consideration by the House committee on information and communications technology.
The lawmaker expects the committee to come up with a substitute “umbrella” bill to comprehensively address scams and other forms of cyberattacks.
For Jocel de Guzman, co-founder of consumer protection group Scam Watch PH, legislators and policymakers should not resort to piecemeal legislation in combating scams.
“Right now, I think you have all the policies already in place. It's just a matter of having ... an integrated effort [in terms of enforcement],” he said.
“The DNA of all scams in the Philippines is the same … If you’ll craft legislation, the approach should not only be to prevent IMSI catchers and SMS scams,” he added.
BDO said while current laws provide a good foundation to address scams, “emerging threats like IMSI catchers show that more needs to be done.”
“One key area is phasing out older, more vulnerable network technologies and devices that can be exploited for these types of attacks. While some networks have already started this transition, progress has been gradual, and accelerating this will significantly reduce risk,” it stressed
Whole-of-nation approach
For BSP, there is a need for a whole-of-nation approach to address the problem.
“Smishing is not solely a financial sector issue-it cuts across other key components such as telecommunications, digital platforms and consumer behavior. This is why a whole-of-nation approach is essential, with stronger coordination among regulators, industry players, and law enforcement agencies,” it said.
Among its recent policy directives is a requirement for banks and e-wallets to stop using OTPs to authenticate high-risk financial transactions and instead use other forms of authentication such as biometrics, hardware tokens and cryptographic keys.
Globe said it recently launched its GoSafe campaign to further promote online safety, while Smart also has its HuliSCAM portal to accept complaints from users about scamming incidents.
De Guzman, however, stressed that consumer education campaigns must go beyond reminders and advisories, especially with the evolving nature of scams.
“You cannot stop it. You cannot totally eradicate it. That's the job of the enforcement, which is true. But before enforcement can actually move, they need the help,” he said.
“Before you can achieve the whole-of-society approach, what you need to do is a whole-of-organization approach first. Because online scams are no longer a cybersecurity problem. It's a company-wide problem. It's a customer experience problem,” he said.
De Guzman also underscored the need to promote behavioral change to better equip Filipinos against any form of scams.
“The DNA of all scams, it’s the same… Whether it's a job scam, task scam, SMS scam, call scam, it's phishing,” he pointed out.
Phil, an early victim of spoofed message scams, appreciates the aggressive efforts of various stakeholders to educate Filipinos about prevalent and emerging scams.
But for victims like him, they were left with no choice but to accept their losses.
“They said that it was my fault because I gave my OTP. I can no longer rebut it. It’s my fault. I was scammed,” he said.
Reporting for this story was supported by the Journalists Against Corruption and the Philippine Center for Investigative Journalism.
Part 1: Inside SMS Spoofing: Evolving Scams Outpace Policy, Enforcement
