June 23, 2026
Dear Tita Lits
May to June 2026
Isabelita Manalastas-Watanabe
Visit: https://www.jeepneypress.com/artikulos-2026/tita-lits-2026
A PAINFUL LESSON LEARNED, AND SHARED
My Philippine online bank accounts were hacked last Sunday, April 19, 2026. My Philippine cellphone was also compromised. I have already lost all my peso savings and may not be able to recover even a single centavo, so I would rather not dwell on my misery.
It was a painful lesson, though it could have been worse had the hackers accessed my foreign currency accounts as well. Still, I hope I can help you, my dear readers, become more aware of this very prevalent hacking problem in the Philippines.
The reality is that cybersecurity in the Philippines remains weak, and catching violators is rare. There also seems to be silence among many victims. I realized this from my own experience. After the incident, I messaged all my friends on Facebook Messenger, Instagram, and WhatsApp, warning them to ignore any messages coming from my Facebook name (a pseudonym I use). I spent hours doing this, from Sunday night until almost 3:00 a.m. the next day.
However, my friend of 50 years—let us call him Peter—likely did not know that his social media accounts had been hacked. He was impersonated. The message I received appeared to come from him, complete with his photo and a natural, believable tone. It was about receiving “ayuda” from the DSWD, which is currently offering PHP 5,000 in assistance.
Why would I care about such a small amount? But Peter’s message said, “Lits, we deserve this. It is our right and privilege.” My nickname was used, and knowing that my friends are educated and socially aware, the message did not seem suspicious. He asked for my contact number so his “pamangkin” (niece), who supposedly worked at the DSWD, could assist me. I gave him my Philippine number.
Shortly after, I received a call from the “pamangkin.” She was polite and apologetic for interrupting my dinner, assuring me the process would only take a few minutes.
Note: I never gave any OTP.
Instead, she sent me three separate QR codes, asking me to save each one. After sending each code, she would call again to confirm that I had saved it. This happened three times. I never opened or accessed any of the QR codes.
As the process neared completion, I even thanked her and jokingly said I would give the PHP 5,000 back to her uncle for her efforts. Then she claimed she could not complete the transfer because there was an issue with the phone number I had provided.
At that time, I was in Tokyo and not using my Philippine phone. I had intentionally given that number earlier, assuming the transaction would be local. Then came my biggest mistake.
She asked what number I was currently using—and I gave my Japan phone number.
My office had previously arranged for my Philippine and Japanese numbers to be synched, so calls through apps like Viber, Messenger, or WhatsApp would ring on both devices. At that time, my Philippine phone was packed away for my upcoming trip.
She told me to check after five minutes if the funds had been credited. Earlier, she had also asked which banks I used online, and I had answered (two out of the six banks I deal with).
As soon as the call ended, I contacted Peter. He immediately said, “Do not do anything. Do not answer any calls!”
I checked my accounts—and saw that all my funds had already been transferred, leaving only a few pesos in each. The BPI funds were transferred to GCash, and the AUB funds to Maya.
It was a Sunday. I now suspect this is a preferred day for such attacks, as it is difficult to reach banks for immediate assistance. I was able to contact a friend at BPI, but not my contact at AUB, who was hospitalized at the time. One bank had a feature to immediately disable online banking; the other did not.
I even contacted the Chairman of the bank without this feature and suggested adding it. He responded positively. Ironically, this bank already had stricter security—a three-tier authentication system: password login, transaction review and approval, followed by a 4-digit security code, and finally a rotating 6-digit code that expires quickly.
Yet somehow, the hackers bypassed all of these. Bank records show that “I” made the transactions—but I did not perform any of those steps. How did they do it? Could they see inside my phone?
When I first warned my contacts, most simply acknowledged my message. But when I shared that my accounts had been wiped out, I began receiving more concerned and detailed responses—even from friends abroad and people I barely knew. As I explained further, including that my aunt had lost PHP 450,000 in a similar scam, more people came forward, saying they or someone they knew had been victimized.
The most common advice I received was: Never give your OTP.
But I never gave mine.
In conclusion, hackers are becoming more sophisticated and more deceptive. According to my son, they tend to target older individuals and those who are often in a hurry—which, admittedly, includes me.
So far, they seem to target peso accounts—but who knows what they may attempt next?
So, my dear readers: please stay vigilant.
And if harm has already been done, do not be ashamed to admit you were scammed.
I was not embarrassed when a colleague from the financial industry called me and said, “Of all people, you should know better.” Yes, in my profession, I deal with spam and phishing attempts almost daily, carefully screened by our IT team—and yet, I still became a victim.
But I take pride in what I did afterward: spending hours informing hundreds of contacts around the world, hoping to prevent the same from happening to them. This column may deviate from my usual writing, but I share it in the spirit of awareness and protection.
Tita Lits