Manila: On November 8-9, 2024, GCash experienced a significant incident where numerous customers reported that their e-wallets were "stolen" through unauthorised transactions.
It’s not immediately clear how many customers were affected. Many GCash users found their accounts were debited without their consent, raising widespread concerns and frustration.
GCash, the country's top mobile payment platform, said the incident was “isolated”, identified the compromised accounts, and had corrected the "system reconciliation" issue.
“We assure our customers that their accounts are safe,” the company stated. The company also warned customers against "phishing" attacks.
Comedienne goes hysterical
The glitch’s effect was amplified on social media. Many did not find the glitch funny, and it could pose a setback for GCash.
Filipina comedienne “Pokwang”, using her “Marietta Subong” account, broke down during an Instagram “live” session after discovering that 85,000 pesos ($1,450) vanished from her GCash account.
Visibly emotional, she shared her frustration in Filipino and questioned the effectiveness of the SIM registration mandate, which was supposed to prevent such unauthorised transactions.
Pokwang expressed deep dismay, describing the loss as a significant breach of trust.
Account wiped out
She tearfully recounted, “I wake up every morning to work hard and provide jobs for single moms, but one day I found my GCash wiped clean by nearly 30 unknown numbers. What happened to the protection from SIM registration?”
“I built my business with honest work, only to be targeted by unknown attackers. It’s devastating,” she said in Filipino, urging GCash to improve its safeguards for small business owners and everyday users like herself.
Reliability
Her experience has amplified ongoing debates about the reliability of digital financial services and the need for stronger user protection.
The incident underscores the pressing need for enhanced security in online payment platforms.
94 million customers
The incident comes at a time when GCash is working on an IPO. GCash, with 94 million customers as of end-2023, has recently hit a valuation of $5 billion – the only company in the Philippines to achieve multi-unicorn status prior to a planned initial public offering.
SIM card registration
The law, which took effect on December 27, 2022, mandates that all SIM card users, both new and existing, register their phone numbers with their respective telecommunications providers.
The Act sought to assist law enforcement agencies in tracking down individuals who use mobile phones for criminal activities, such as scams or illegal transactions, and to curb spam and scams.
Unregistered SIMs were deactivated, as part of broader efforts to address digital fraud and enhance the security of mobile communications in the country.
‘Not a hack attack’
GCash responded by clarifying that this was not a result of hacking but rather a “coordinated phishing attack”.
According to the company, the phishing attempt led users to unknowingly share their credentials on fraudulent sites posing as legitimate ones.
These stolen credentials were then used for unauthorised access and transactions from users’ e-wallets.
Accounts traced
The company stated that the funds were traced to accounts in Asia United Bank and East West Bank. GCash assured customers that they had successfully reverted the stolen amounts back to users' accounts.
To resolve the issue, GCash implemented immediate security protocols, including extended preventive maintenance of the app. This action aimed to secure the platform and address vulnerabilities.
They also collaborated with regulators like the National Privacy Commission (NPC) and law enforcement agencies to investigate and mitigate the situation.
The incident highlighted the growing need for robust cybersecurity measures, especially for digital financial services, as phishing schemes become increasingly sophisticated.
GCash has since reiterated its commitment to enhancing user education and security protocols to prevent similar incidents in the future.
The Manila-based fintech platform, which also operates in a dozen countries, heavily relies on user trust, particularly when dealing with sensitive transactions and personal data.
The incident shows the need to bolster the platform’s security measures to prevent such a large-scale phishing scheme.
Previous phishing incident
In May 2023, the Philippines' National Privacy Commission (NPC) reported that over 1,000 GCash accounts were affected by a phishing attack.
The attack resulted in unauthorised deductions from multiple accounts totaling approximately $660,000.
GCash stated that the incident was isolated and that there was no system glitch.
To help protect against online scams during the previous phishing attack, GCash has taken the following steps:
- Deactivated over 4 million suspicious accounts in 2023
- Taken down 810 phishing sites and 45,000 malicious social media posts and accounts in 2023
- Added an online scam protection feature for money transfers called Send Money Protect (SMP).