With the Bangko Sentral ng Pilipinas (BSP) sounding the alarm on the weaknesses of one-time passwords (OTPs) and urging financial institutions to adopt stronger digital authentication methods, the country is entering a new phase in its battle against cyber fraud. BSP Circular No. 1140 highlights that traditional OTPs, once seen as the gold standard of security, are no longer enough to protect Filipinos against increasingly sophisticated attacks.
The urgency is real. In 2024 alone, the Cybercrime Investigation and Coordinating Center (CICC) logged over 10,000 cybercrime complaints, amounting to ₱198 million ($3.4 million) in losses, a sharp rise from the previous year. According to Assistant Secretary Renato “Aboy” Paraiso, Deputy Executive Director of the CICC, financial scams linked to OTP fraud, SIM swaps, and smishing make up the majority of cases.
“Most of them, majority of them are linked to these financial scams… If you round it off, it’s around 65% of the complaints that we receive,” Paraiso said in an exclusive interview with CoinGeek.
How scammers work: From links to SIM swaps
For ordinary Filipinos, these scams often start with a simple text.
“When you receive a text that contains what we call a hyperlink, which is now prohibited… you click on that hyperlink, it would forward you to a malicious website either for smishing, phishing, or if it progresses into a financial scam site,” Paraiso explained.
Scammers then trick victims into “test deposits” or OTP verifications, hijacking legitimate banking or even government text threads to make the fraud appear real. The infamous “Ayuda” scams, for instance, mimicked official government relief programs to lure unsuspecting citizens into handing over their OTPs.
Even with the SIM Registration Act in effect, criminals have found ways around it. Instead of registering SIMs under their own names, syndicates buy pre-registered SIM cards from ordinary Filipinos, often from those in vulnerable communities who are tempted by the payout.
“I think the going rate for a previous SIM card right now is around 5,000 pesos ($87.66),” Paraiso revealed.
What happens next is more troubling: these SIMs are then used to open accounts on messaging platforms like Viber, WhatsApp, or Telegram, allowing scammers to hide their true identities while launching fraud schemes.
This black market in SIM cards has effectively undercut the purpose of registration. What was designed as a safeguard to make users traceable has instead become another criminal opportunity. And the operations aren’t small-time; many of these scams are reportedly backed by international syndicates, which deploy local operators to acquire Filipino SIMs and credentials. Once in their hands, these are weaponized not just against Filipinos but also against unsuspecting victims abroad. As Paraiso pointed out, syndicates recently busted in Cebu were “using Filipino credentials and victimizing people from South Africa.”
AI: A double-edged sword
The rise of artificial intelligence (AI) has only made these scams harder to spot. Fraudsters are using AI to both personalize and automate their attacks.
“When you see the message, it’s very personalized. It contains your name… Being Filipino, when someone mentions my name, I usually assume that they know me. It lets our guard down.”
Paraiso added that AI is also being used to map victims’ social networks, reviving the old “dugo-dugo” style scams but in digital form, where criminals prey on family ties to trick people into sending money.
But while AI is helping criminals, it can also help fight them. At a recent Google Philippines (NASDAQ: GOOGL) event on building a Digital Philippines with AI, Gabby Roxas, Google’s marketing manager for Vietnam and the Philippines, pointed to AI’s potential in fraud prevention.
“In real time, 24/7, it doesn’t rest… it could really monitor transactional data, it can monitor from endpoints in network data to see if there’s any issues or fraud occurring so that it could be automatically isolated and triggered,” Roxas said.
Beyond detection, Roxas highlighted Google’s push to develop responsible AI tools, like SynthID, which allows people to identify if an image, video, or audio clip has been manipulated by AI.
“We don’t want it to be stuck in a theoretical discussion, right? We have to show that you can actually manage this appropriately.”
Government vs. syndicates: Where do we go from here?
Despite these efforts, significant challenges remain. Jurisdiction over international platforms is one of the biggest gaps.
“Even if we formulate and legislate regulations, we cannot enforce them here with them… The alternative is to block them altogether. Block Facebook, block Google, block Viber in the Philippines,” Paraiso said, underscoring the limits of regulation without platform cooperation.
Still, there are positive steps. The CICC is now pushing for a “whole-of-government approach” with close coordination between BSP, the Anti-Money Laundering Council, law enforcement, banks, e-wallet providers like GCash and Maya, and the telcos. According to Paraiso, this collaboration, dubbed “digital bayanihan” is critical in outpacing syndicates that operate across borders.
Paraiso also sees potential in blockchain technology as a solution, if used properly.
“Criminal actors use it to scam people, but you need the same technology… whether AI, KYC, or blockchain… to combat what they’re doing,” he said.
The end of OTPs?
The writing is on the wall: OTPs are no longer enough. For the Philippines to move forward, a mix of adaptive authentication technologies, stronger cooperation with telcos and global platforms, and responsible use of AI and blockchain will be key.
As Paraiso put it, “I’d rather go for the banking institution that has the most security features… But to some degree, Congress should provide for the minimum guidelines or the minimum standards that all these institutions need to adhere to when it comes to cybersecurity.”
For now, vigilance is still the best defense for individuals. Don’t click suspicious links, never share your OTP, and always verify the source before acting. Because in the evolving cat-and-mouse game of cyber fraud, the weakest link is often the one that scammers exploit the most: human trust.
In order for artificial intelligence (AI) to work right within the law and thrive in the face of growing challenges, it needs to integrate an enterprise blockchain system that ensures data input quality and ownership—allowing it to keep data safe while also guaranteeing the immutability of data. Check out CoinGeek’s coverage on this emerging tech to learn more why Enterprise blockchain will be the backbone of AI.
Watch | Futureproof Tech Summit 2024: Exploring new AI-blockchain business models
title=”YouTube video player” frameborder=”0″ allow=”accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share” referrerpolicy=”strict-origin-when-cross-origin” allowfullscreen=””>