Online banking and e-wallets have made life easier for many Filipinos. With just a few taps, you can send money, pay bills, or shop online.
However, as these digital services grow, so too do scams surrounding them. Strong security habits and awareness of OTP fraud prevention are now more important than ever.
One recent case involves content creator Jana Berenguer, who said that seven transactions wiped out about Php 189,000 from her accounts in just two to three minutes, even though she claims she never shared her OTP or clicked suspicious links.
In response, BDO Unibank denied any system breach or insider wrongdoing.
Their investigation found that a password reset and registration of a new device took place on her account, with both actions validated via OTP sent to her registered mobile number.
Despite this, the case remains unresolved, as there is still no confirmation that the missing funds were recovered or refunded.
Regardless of who is truly responsible for the breach, this controversy has put a spotlight on how criminals are finding ways around OTP protections.
One of the latest threats is called e-snatching, a scam that can drain your account even if you never share your password or One-Time Password (OTP).
What is E-Snatching?
E-snatching is a new type of online scam where money is taken from your bank account or e-wallet without asking for your OTP.
Unlike most scams that need you to accidentally share your login details or OTP, e-snatching often happens because of security weaknesses in digital systems or because hackers already have partial access to your account.
This makes it extra dangerous, even for careful users who never share their OTP.
How Scammers Steal Money Without an OTP
Normally, banks and e-wallets use an OTP as the final layer of protection. However, with e-snatching, scammers find ways to bypass that step altogether.
Victims often discover that money has been transferred or withdrawn without ever receiving an OTP prompt or SMS alert.
This type of attack is sometimes referred to as a Bank OTP bypass scam, where criminals find loopholes to move funds without the system asking for verification.
This happens because criminals use different tactics, some targeting weak points in devices, others tricking people into handing over access.
Here are the most common scam tactics without OTP:
Malware and Spyware on Phones
Hackers can slip malware into a victim’s phone through unsafe downloads, infected links, or fake “security” tools. Once inside, the malware can record keystrokes, steal stored credentials, or even control banking apps remotely.
In these cases, scammers can move funds without triggering an OTP, or secretly intercept it if one is sent.
Fake Banking or E-Wallet Apps
Fraudsters sometimes build apps that look almost identical to official banking or e-wallet apps.
When users log in, they unknowingly hand over their credentials.
With that information, scammers can log into real accounts and make transfers, sometimes without requiring OTPs if the system recognizes the device as “trusted.”
This is why banking scam protection practices, like only downloading apps from official app stores and checking developer details, are so important.
Phishing Links and Fake Websites
Phishing and smishing attacks remain one of the easiest ways to steal credentials. Victims receive links by SMS, email, or chat that lead to websites designed to look like their bank’s login page.
Once account details are entered, scammers capture them instantly and use them to access accounts. In some cases, stolen logins are enough to bypass OTP checks if systems are already compromised.
Social Engineering Tricks (posing as couriers, bank reps, etc.)
Some e-snatching scams rely more on manipulation than technology. Criminals may pose as delivery couriers, bank representatives, or customer service agents.
By gaining trust, they convince victims to share information or install apps that give remote access.
With just enough personal details, scammers can reset logins or bypass OTP requirements entirely.
NFC / RFID skimming
Criminals can use small, hidden devices to read your contactless card or phone — even when they brush up against you “by accident” out in public.
Through NFC (Near Field Communication) or RFID (Radio-Frequency Identification) skimming, they can capture basic payment details (like card number and expiry) and sometimes fake a “tap” by relaying signals between your card and a payment terminal.
These attacks need physical proximity or special gear — they’re not remote hacks.
However, modern cards and mobile wallets add protection by sending one-time, transaction-only dynamic cryptograms instead of reusable card data.
That makes stolen tap-data much harder to use later.
Still, skimmed details can be abused in some cases — for example, thieves may try tiny contactless charges, use partial card data for weak online checkouts, or exploit older/poorly implemented systems.
In some cases, this looks like a credit card scam without OTP, since the criminal can complete small or card-not-present transactions without triggering extra verification.
Moreover, NFC attacks become especially dangerous if your phone or wallet app is already compromised.
SIM Swapping
SIM swapping is when attackers trick your mobile operator into moving your phone number to a new SIM card they control.
Once they have your number, they can receive SMS OTPs and password reset messages meant for you.
This lets them take over accounts that rely on SMS verification.
SIM swapping doesn’t rely on NFC or card skimming, but it pairs well with stolen credentials or compromised devices, together they make it much easier for scammers to complete fraudulent transfers.
Signs You May Have Been a Victim of E-Snatching
E-snatching can sometimes go unnoticed until it’s too late. Watch out for these red flags that may mean your account or device has been compromised:
- Unauthorized transactions – Money is missing from your bank account or e-wallet even though you never made a transfer or payment.
- Sudden SIM disconnection – Your phone suddenly loses signal or stops receiving texts and calls, which could mean scammers tampered with your number to block OTPs or alerts.
- Emails or SMS confirmations for actions you didn’t make – You receive messages about logins, fund transfers, or password resets that you didn’t request.
If you notice any of these warning signs, report them immediately to your bank or e-wallet provider, change your passwords, and scan your device for malware.
What to Do If You’ve Been Scammed
If you’ve fallen victim to e-snatching, one-time password scams, or any other online banking fraud, act fast to limit the damage and strengthen your OTP fraud prevention efforts:
- Report the incident to your bank or e-wallet provider immediately. Contact their hotline or official support channels to block your account and stop further transactions.
- File a police or cybercrime report. Reach out to the PNP Anti-Cybercrime Group (ACG) or the NBI Cybercrime Division to officially document the incident and assist with possible recovery.
- Secure your SIM card and reset all passwords. Contact your mobile provider to check for SIM swapping attempts, then change your online banking, email, and e-wallet passwords to prevent further unauthorized access.
How to Protect Yourself from E-Snatching
Scammers may be getting smarter, but you can lower your risk by practicing safe online transaction practices.
Here are cybersecurity awareness tips you can follow for better account takeover protection and stronger OTP fraud prevention:
Secure Your Devices
Install trusted antivirus software, keep your phone and apps updated, and avoid sideloading apps from unverified sources.
A compromised device is often the first casualty in an e-snatching attack.
Enable Two-Factor Authentication Beyond OTP
Whenever possible, use authenticator apps (like Google Authenticator, Authy, or Microsoft Authenticator) instead of relying only on SMS OTPs.
These generate time-based codes, making mobile banking fraud prevention stronger and harder for scammers to bypass.
Avoid Clicking Unknown Links or Downloading Unknown Files
Be cautious of emails, text messages, or chats that contain suspicious links.
Phishing and smishing attacks often disguise themselves as bank alerts, promos, or delivery updates.
Use Strong, Unique Passwords for E-Wallets and Banking Apps
Never reuse passwords across multiple accounts. Strong, unique passwords combined with two-factor authentication provide stronger financial fraud prevention online.
E-Snatching and OTP Fraud Cases in the Philippines
In the Philippines, several high-profile cases highlight how scammers are exploiting digital systems and bypassing OTP protections.
These real cases highlight why safe online transaction practices are essential.
Illegal SIM Sales Crackdown (2024–2025)
Multiple operations by the PNP-ACG have led to dozens of arrests for the illegal sale of registered SIM cards.
In one operation in early 2025, 38 individuals were arrested and over 7,900 SIMs seized, some already linked to bank and e-wallet accounts.
These SIMs are often used to intercept OTPs and bypass Unified Payments Interface (UPI) fraud detection and other safeguards.
GCash Unauthorized Transactions & Phishing Scams
There have been several reported incidents involving unauthorized deductions or withdrawals from GCash accounts tied to possible phishing attacks.
In 2023, the National Privacy Commission (NPC) concluded that certain unauthorized GCash transactions were caused by phishing sites masquerading as legitimate services.
Following these reports, the Bangko Sentral ng Pilipinas (BSP) launched an investigation into unauthorized deductions from GCash accounts, asking the platform G-Xchange, Inc. (GXI) to provide updates and ensure refunds where due.
This case underscores why digital payment fraud safety is so critical.
The BDO-“Jana Berenguer” Controversy (2025)
As mentioned earlier, content creator Maria Jamila Cristiana Gonzales Berenguer (also known as Jana Berenguer) publicly alleged that about Php 189,000 was siphoned from her BDO accounts through unauthorized transactions.
She claims she never shared her OTP, password, or clicked any suspicious links.
BDO Unibank responded by calling the claims baseless.
Their internal investigation reportedly found that on September 14, a password reset and a new device registration occurred on Berenguer’s account—both validated via OTP sent to her registered mobile number.
They also emphasized that her mobile number wasn’t changed, and that registration and transaction alerts were sent, with some alerts triggered six hours before she contacted the bank’s hotline.
Berenguer insists she was a victim of an advanced scam, while BDO maintains that its system was secure and that proper OTP validation was followed.
Despite this, the case remains unresolved, raising questions about how to avoid being scammed online and whether current security layers are enough to protect customers.
This has fueled public debate on whether existing safeguards, such as OTPs and transaction alerts, are truly enough to protect consumers.
For everyday users, this case is a reminder to:
- Regularly check and update security settings on your online banking and e-wallet apps.
- Monitor SMS and email alerts closely and act immediately if you spot suspicious activity.
- Use authenticator apps instead of relying solely on SMS-based OTPs.
- Contact your bank right away if you notice any unusual prompts, even before any money is lost.
- Keep a record of your reports to strengthen your case if investigations drag on.
In short, while banks emphasize that their systems are secure, customers also need to adopt stronger security habits and know the right steps to take if they suspect fraud.
Frequently Asked Questions (FAQs)
E-snatching and related scams can be confusing, so here are answers to some common questions:
Can scammers really steal money without my OTP?
Yes. While OTPs are meant to secure transactions, scammers use methods like malware, phishing, fake apps, and SIM swapping to bypass or intercept them.
Is e-snatching the same as SIM swapping?
Not exactly. E-snatching is a broader term for scams that bypass OTP security, while SIM swapping is just one method.
In SIM swapping, criminals trick your telecom provider into transferring your number to their SIM card so they can receive OTPs and reset your accounts.
What should I do first if I notice suspicious activity?
Report it immediately to your bank or e-wallet provider, secure your SIM card, and change your passwords.
You should also file a report with the PNP-ACG or NBI Cybercrime Division for documentation.
How can I protect my GCash, Maya, or PayPal accounts?
Use strong, unique passwords, enable app-based authentication (instead of just SMS OTP), keep your devices updated, and never click suspicious links or download files from unknown sources.
Are banks responsible for losses due to e-snatching?
Banks typically investigate reported fraud, but they often claim that the customer authorizes the transaction by receiving the OTP on their registered mobile number.
This situation sometimes prevents victims from obtaining reimbursement.
Always review your bank’s policies on digital fraud and ask about their e-snatching and online banking scam protection measures.
Final Thoughts: Protect Your Money, Secure Your Future
E-snatching and other online fraud schemes may sound alarming. However, most of them can be prevented.
With strong security habits, vigilance, and awareness of how these scams work, you can protect yourself from becoming the next victim.
Practical steps like using authenticator apps, avoiding suspicious links, and practicing OTP fraud prevention are key to keeping your accounts safe.
Always verify, stay alert, and secure your accounts to protect your hard-earned money.
Moreover, if you’re looking for safer and more reliable ways to earn, Remote Staff offers legitimate online jobs for Filipinos.
Work with trusted clients, enjoy a secure remote setup, and grow your career without worrying about scams.
Sign up with Remote Staff today!
