Created: 2022-12-22
Human nature is flawed. Even if you have enabled 2FA and use long, complicated passwords everywhere in your digital life, social engineering still routinely bypasses those controls, because it targets the person rather than the system.
Social engineering exploits people's limited attention and energy: a short attention span, the rush to finish a task, or the accumulated stress of day-to-day life. None of the controls above help when the legitimate account holder is talked into approving the transaction themselves.
Read more below (the original post contains some Filipino, translated into English here).
I'm about to cry, I'm really so stupid. Fuck, I'm such an idiot.
I fell for a credit card OTP scam. I lost 150K. I feel like absolute shit; that money was for my wife's business and my kids' education. I work in tech and I thought I had really good infosec. I use 2FA whenever possible, and all my passwords are complicated passphrases with special characters. Then I get social engineered like a dumbass.
This happened yesterday just before noon. A woman called my cellphone. I did not recognize it at the time, but she was using a Smart prepaid number (Smart is a mobile carrier). She claimed to be from BPI (Bank of the Philippine Islands), saying they were going to raise my credit limit and waive my annual fee. It seemed reasonable to me because I had been inquiring with BPI about raising my credit limit. I immediately searched whether BPI was waiving annual credit card fees and landed on this page, so it seemed legit to me.
The woman introduced herself as Thea Calvez. She had that fast-talking call center voice, and I could even hear the noise of a call center in the background. She said all the right things, like "please be informed that we may record this conversation for quality assurance purposes" (not an exact quote). To process the credit limit increase and waive the credit card fees, she said she needed to verify that I was the card owner. She knew the first few digits and last few digits of my card, and asked me to fill in the rest. In hindsight, I should have asked if I could provide my customer number instead, but like a dumbass I gave her the missing numbers on my card. Then she asked me for the card's expiration date. I was hesitating a bit, so she would say things like "Yes, I understand" (politely, with "po"), and offered me her BPI ID number and said she was from the Paseo De Roxas branch. At this point I wasn't alarmed yet because she never asked for my card's 3-digit security number. I thought that as long as I didn't give out the security number, the card couldn't be charged. I ended up giving her my card's expiration date as well.
This is the part where I really feel so stupid and embarrassed. She said she would text a number of verification codes as the final step in the process. It was already past noon and I wanted to finish the call so I could go to lunch, so I was in a hurry and not really paying attention. I got the text messages and could see that the sender was "BPI". I started dictating the 6-digit codes in the messages. I'm so embarrassed about this part: I completely missed the huge, all-caps letters at the start of each message, "NEVER SHARE YOUR ONE-TIME PIN". I was so used to seeing this message during my regular transactions, but I would always be the one to initiate the message. It completely flew under my radar that I was being sent an OTP for a credit card purchase.
After giving out the PIN codes, I got text messages from BPI saying "Thank you for using your primary BPI card ending in #### at GRAB amounting to PHP20,000." For. Each. Message. At this point it did not register in my mind yet that I was sending money via credit card, but I started getting suspicious. I pointed out to the woman that "these look like purchases". She reassured me not to worry and that this was just how the system works. She ended the call telling me to expect an email confirmation of the credit limit increase.
Something did not feel right, so I immediately called the BPI hotline 89-100. I told them that this woman had called me and given me her BPI ID number, and the BPI agent told me they don't use ID numbers to identify themselves. It suddenly hit me. I asked the agent to deactivate my card and immediately cancel the purchases. I thought that since it was a credit card, the charges could still be cancelled or reversed. The agent told me they would open a "dispute", but if I had sent money through an OTP, it was unlikely that the money could be recovered. My heart sank. Did I really just lose 150K in less than 30 minutes?
After contacting BPI and realizing that I may have lost the money forever, I spent an hour trying to find a way to contact Grab but couldn't find any phone number or customer support that I could reach right away. I tried their chat but couldn't get anyone to respond. I had to settle for opening a support ticket for "Unregistered activities or transactions", which up to now I am still waiting for a response to. In my desperation I even contacted Smart (the mobile carrier) and tried to tell them that this prepaid number had been used to scam me, but of course there wasn't really anything they could do about it.
So there, go ahead and laugh at me. I feel terrible and so, so stupid. If I were living alone I could justify the stupidity, but I'm supporting a family, and it makes me sick to my stomach that I lost this money that should have gone to them.
All I can do now, while waiting for the BPI dispute (which most likely won't recover the money), is hopefully warn everyone else. Don't be stupid like me. Merry Christmas. Fuck.