Bank data breach in PNB
I do not remember having received any warning from the Philippine National Bank (PNB) that their account holders should not entertain any call from anyone asking for their account details. Their warning (I made a screenshot of it) was sent long after the vishing had happened and it was too late. A big amount from my account had been siphoned off by scammers. And it happened so fast.
On May 6, I got a call from the PNB “head office.” The male caller then passed the phone to a woman who asked if I was so-and-so. I answered yes. The caller asked if my account number was such-and-such. I do not have it, I said, short of saying it was not tattooed on my arm. The caller informed me that I had so many unclaimed rewards points. The points were equivalent to so much with a few pesos deducted as processing fee and then deposited in my account. It all sounded very official.
The caller knew my name, my cell phone number, my account number, and, I suppose, many things else, having recited it all over the phone. She was from the PNB “head office” after all.
Vishing, I learned later, was what I was a victim of.
Vishing, according to Google, is short for “voice phising” which involves defrauding people over the phone enticing them to divulge sensitive information.
Four times the caller sent numbers via my email address that I was to verbally repeat to her every time, then OTPs (one-time PINs) via text messages that I was to key in much like when you are paying online. To make a long story short, when it was done, I was overcome with doubt so I called PNB’s help desk. True enough, so much had been withdrawn four times from my account.
I immediately wrote a letter and had it delivered to the PNB branch where my Social Security System (SSS) pension is deposited monthly. The next day, May 7, I went to the bank and spoke with their staff that handled the matter. My letter was going to be sent to the head office. I was advised to uninstall the PNB app on my cell phone, withdraw the remaining amount in my account and leave P100. If this was an inside job, the scammer must have seen the accumulated funds as I seldom withdrew from my SSS pensioner’s account. (I have my own reasons.)
Yes, I tried calling the National Bureau of Investigation cybercrime department, and other such agencies. Emergency numbers don’t work! You are on your own. I did my own sleuthing, followed the money trail based on the online transactions and saw that the amount in four trenches were electronically transferred to EastWest Bank/Komo with me as payee! An EastWest/Komo bank account in my name had been set up! I was several steps ahead of PNB if at all they were doing anything. I called a retired top official of EastWest who found out that the amount had been transferred from EastWest/Komo to Banco de Oro. Komo, he said, was EastWest’s easy-access subsidiary (or whatever) where anyone could open accounts very easily. Scammers, take note.
The scammer called again after a few days. I was on the road but my companion recorded the conversation. The caller hung up after I said I was coming for them. I have the numbers.
I waited for PNB to respond to my letter where I asked if the stolen amount could be refunded. After all, the initial security breach happened on their end. I stand by this. I got a casual thumbs down. With the help of friends, I sought the help of a department of the Bangko Sentral ng Pilipinas that handled such concerns. I got instructions—from filling up the online form and recounting what happened, to where to send it online, etc. I did get occasional emails from PNB saying they were now investigating the matter.
After four months, I received a three-page letter dated Sept. 4, 2024 from the PNB Customer Experience Division saying that they did their investigation, even detailing the vishing process that happened. The gist: It. Was. All. My. Fault. I could have scammed myself! From PNB: “There was no breach in the Bank’s system.” PNB would not own up to the fact that the breach happened on their watch (which I stressed in my letter). How did the scammers get my personal details if not from PNB? Or perhaps from SSS? Was it an inside job? Why were depositors not warned? The warning came too late. (I did read on Facebook about a businesswoman who lost a seven-digit amount that also went through EastWest/Komo.)
All PNB Customer Care could lamely say was: “Should you wish to pursue action against the perpetrator, rest assured that we are willing to cooperate with the authorities within the bounds of the law. You also have the option to directly communicate with Komo by EastWest regarding this matter.” Plus a list of reminders. Duh.
Question: Should SSS pensioners be stuck with PNB? The pun “In Banks We Trust” is a bad joke. We. Are. On. Our. Own., while the banks make money with our money.
I do imagine confronting the scammers someday, perhaps in a police setting, where their teeth would be flying and their mouths bleeding courtesy of my deadly pitsikorno.
—————-
cerespd@gmail.com