If you are a BPI account holder, beware of this phishing attempt!

If you are a BPI account holder with an online banking account, you have to read this!

Just tonight, the tech blogger behind Tech Patrol posted photos on his Facebook wall showing what looks like a legitimate email from BPI with what looks like an alarming subject line: “We Have Received a Complaint Regarding Your Account”. The email basically claimed that my friend’s supposed credit card was involved in a fraudulent transaction. My tech friend had no BPI credit card so he immediately knew something was up. He posted a warning on his Facebook wall. I saw his post and became alarmed because I am a BPI account holder and I know the possible repercussions.

If you receive an email such as this, DO NOT CLICK ON THE RED BOX. If you click on it, DO NOT FILL UP THE LOGIN PAGE WITH YOUR DETAILS. If you do, you would be handing your login details directly to the phisher.

It is a long weekend – perfect for phishers and scammers. BPI depositors and credit card holders may not be able to discover that their accounts were compromised until the first banking day on Tuesday. With so many holidays or long weekends, scammers are active!

This attempt via email is called phishing (online scheme to get your sensitive information like passwords, usernames, credit card details, etc by disguising as a legitimate site). It is meant to fool people into disclosing their BPI login details.

The fake BPI Card email (posted with permission). Personal details were purposely blurred for privacy.

If you click on that red verification page, you will be led to a fake site (below) that looks very much like BPI’s login page.

Fake BPI login page


The phishing looks well planned. The login page of the fake BPI looks very much like the real McCoy. But with a trained eye and a large dose of skepticism, you can detect such attempts. Let’s go through some of them.



1 – The real BPI would be sending you email directly from their servers, not via an unknown one like “netwelink.it” In addition, all email communications from BPI to its depositors use standard encryption (TLS)

2 – The email address of the sender shows a domain URL “bpicards.com”. The real bpicards.com site only provides information about BPI’s credit cards. What is scary though about this is that the phishers are now able to MASK their actual email address and make it appear like a legit customer care communication from BPI. For your info,  the usual email address from BPI for account holders comes from expressonline@bpi.com.ph.

3 – BPI never sends email that begins with “Greetings holder!”. The email is always personalized, using your first name or full name.

4 – Poor grammar!!! Starting a sentence with “Thus” is a giveaway!



Let’s say you missed all these signs, clicked the red “Go to Verification Page” box, and you ended up in what looks like the BPI site. One way of ensuring that you are on a legitimate site is to ALWAYS check the URL.

Look at the URL I underlined in red. The phishers are shrewd enough to get https, a secure protocol (unlike the usual http), because all banks now are on https and they have to make the site look like the real thing. But look at what follows https — the url starts with “www.workdirectory.ca/secure1….” THAT is the giveaway. BPI’s login page’s secure URL starts with “https://secure1….” only.

If the worst case has happened….you did not see any of these signs and you had already given out your login details on the fake login site, here is what you need to do IMMEDIATELY.

  1. CHANGE YOUR BPI LOGIN PASSWORD ASAP – Phishers could use the information you gave to gain access to your bank accounts (if you have any). Change your password to a random, strong one. If possible, make it as long as the maximum length allowed by BPI. Keep this password in a password manager so you need not remember it. Most good password managers have very strong security features that incorporate encryption and can store your passwords and other important information securely.
  2. CALL BPI’s 89-100 HOTLINE (I believe they are on 24/7 service) and report the phishing. This is important especially if your credit card details are inside your BPI account that was compromised. The customer service person may have your credit card blocked to prevent it from being misused. The bank will also be alerted to unusual movements like withdrawals from your bank accounts. (Note: Document the date and time you spoke with the customer service representative and if possible, get his/her full name.)
  3. For a week or two following this, regularly log into your BPI online account and monitor all movements to see if they were initiated by you.

Stay digitally safe, folks!

Tita Jane

Tita forever, geek forever!!! Loves gadgets more than clothes... First introduced to IT via punched cards and COBOL programming... IT auditor for over 5 years... IT consultant covering the financial industry for over 7 years... Now, a blogger and social media practitioner...and still covering the IT world, among other interests. And proud that all my kids are geeky as well. ~ Tita Jane Uymatiao

3 thoughts on “If you are a BPI account holder, beware of this phishing attempt!

Leave a Reply

Your email address will not be published. Required fields are marked *