BSP: Recipient bank account holders may be liable for GCash phishing

LAPU-LAPU CITY, Cebu —  The holders of the bank accounts that received unauthorized fund transfers from GCash may be held liable if found to be part of the phishing scheme reported last week, the Bangko Sentral ng Pilipinas (BSP) said Wednesday.

In an interview with reporters, BSP Governor Felipe Medalla said that a large portion of the funds transferred from GCash accounts was with the banks when the phishing scheme was caught.

“In this case, kung ma-te-trace natin ang may-ari nung dalawang accounts na ‘yun, possible sila ‘yung criminal ano, at kung pinapagamit lang nila ‘yung account nila, mayroon pa rin silang pananagutan,” he said.

(In this case, if we are able to trace the owners of the two accounts, it’s possible that they are the criminals, and if they were just allowing their accounts to be used, they still have liabilities.)

Medalla did not identify the two banks, but local lenders Asia United Bank and East West Banking Corporation both reported that they are working with the central bank to address the concerns.

A number of GCash accounts fell victim to a phishing scheme on May 8, prompting the temporary downtime of its system as it extended its scheduled maintenance to investigate the reported unauthorized fund transfers.

GCash has maintained that its system was not hacked, and that affected users did not lose any money as adjustments to their accounts were completed as of 3 p.m. on May 9.

“Fortunately, mabilis ‘yung GCash na nalaman nila ‘yung dalawang accounts kung nasaan, at malaking bahagi nung nanakaw ay hindi naitakbo. In fact, ang sabi sa akin ‘nung dalawang bangko, since na-restore na ‘yung mga nawalan at since ginawa nila ‘yon, ‘yung pera sa account na ‘yon already nabalik sa GCash,” Medalla said.

(Fortunately, GCash was quick to identify the two accounts and they were not able to run away with a huge chunk of the funds. In fact, I was told by the two banks that since the funds lost were restored and since they did that, the funds were already returned to GCash.)

“GCash already returned all the stolen money even though the deposit where the money went of course could not cover all of it. Nailabas na ‘yung iba eh [Some of it has been already been collected],” he added.

Sought for comment, AUB said it will coordinate with the BSP to address the issue.

“The bank is willing to cooperate with the BSP and the proper authorities to uncover any fraud,” AUB legal services and data privacy officer Emma Cabochan said in a statement.

“Yes, we agree that’s why we are investigating and actively cooperating with the authorities and other parties involved,” EWB Bank marketing and corporate Communications head Martin Reyes said separately.

GCash—which currently has over 79 million users—is registered as a non-bank financial institution electronic money issuer (EMI-NBMF).

It is operated by GXchange Inc., a wholly-owned subsidiary of Mynt (Globe Fintech Innovations Inc.), which is in turn a partnership between Globe Telecom Inc., the Ayala Corp., and Ant Financial. — BM, GMA Integrated News