
BDO Online Banking Phishing – Credential Harvesting Page
This phishing campaign impersonates BDO Unibank, a major bank in the Philippines. The page is designed to steal customers’ online banking credentials—specifically the User ID and Password used to access BDO’s online banking platform.
How it works:
The victim receives a phishing email, SMS, or other message claiming a security alert, account suspension, or the need to verify their information. The message includes a link to this fake BDO login page. The page mimics the real BDO Online Banking interface, including toll-free numbers, footer links, and other elements copied from the legitimate site. When the victim enters their User ID and Password and clicks “Login,” the credentials are captured and sent to the attacker.
The goal:
The attacker aims to steal the victim’s BDO online banking credentials. With these, they can log into the victim’s real bank account, view balances, transfer funds, pay bills, and potentially commit further fraud.
Red flags to watch for:
- Suspicious URL: The page is hosted on a domain that is not bdo.com.ph. The legitimate BDO online banking domain is bdo.com.ph. Always check the address bar before entering any credentials.
- Typographical error: The page contains the phrase “Logn to BDO Online Banking” instead of “Log in.” This type of error is common in phishing pages and is a clear red flag.
- Generic security message: The page includes a note about browser versions, but legitimate BDO login pages do not typically display such a message prominently on the login form.
- Unsolicited login request: BDO does not send emails or messages with links requiring customers to log in to resolve account issues. Customers should always access online banking by typing the URL directly or using the official BDO app.
- No personalization: Legitimate BDO Online Banking often displays a security image or personalized greeting after entering the User ID—this page does not.
- Copied footer content: While the footer contains real BDO information (toll-free numbers, regulatory disclosures), phishing pages often copy this text to appear credible. The presence of this content does not make the page legitimate.
What to do if you encounter this:
- Do not enter your User ID, Password, or any other personal information on this page.
- If you are a BDO customer, always access online banking by typing bdo.com.ph directly into your browser or by using the official BDO mobile app.
- If you have already entered your credentials, contact BDO immediately through their official customer service hotline to secure your account and change your password.
- Report the phishing page to BDO’s fraud department (e.g., by forwarding the original message to [email protected]).
Why this scam is effective:
BDO has millions of online banking users in the Philippines, making it a frequent target for phishing. The page closely mimics the design of the legitimate BDO login interface, including familiar elements such as the toll-free numbers, footer links, and the “We find ways” slogan. The inclusion of real-looking customer service details and regulatory disclosures adds to the illusion of legitimacy. The typo “Logn” is one of the few visual red flags—underscoring how carefully users must scrutinize every detail.
Protective measures:
- Bookmark the official BDO login page and use that bookmark to access online banking—never click links in emails or messages.
- Use a password manager: It will autofill only on legitimate bdo.com.ph domains, not on phishing sites.
- Enable two-factor authentication (2FA) on your BDO account if available, to add an extra layer of protection.
- Be suspicious of any unsolicited message that creates urgency and asks you to log in to your bank account.
- Check the URL carefully: Legitimate BDO domains end with bdo.com.ph. Look for misspellings, extra words, or unusual top-level domains.
- If in doubt, contact BDO directly using a phone number from your bank statement or the official website—never use contact information provided in a suspicious message.
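
The URL check described above, as an added example (not part of the original page): a Python sketch for mail or proxy triage that applies the "ends with bdo.com.ph" rule to the parsed hostname instead of the raw link text. The function name and the sample URLs under the reserved .example TLD are constructed for illustration.

```python
from urllib.parse import urlsplit

OFFICIAL_DOMAIN = "bdo.com.ph"  # the legitimate domain named on this page

def classify_url(url: str) -> str:
    """Return 'official', or the reason the URL is not on the official domain."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".")  # hostname is already lowercased
        has_userinfo = parts.username is not None
    except ValueError:
        return "unparseable URL"
    if parts.scheme != "https":
        return "not https"  # a login page served without TLS is rejected outright
    if not host:
        return "no hostname"
    if has_userinfo:
        # In https://bdo.com.ph@other.example/ the browser connects to other.example.
        return "text before '@' is not the host; real host is " + host
    if not host.isascii() or any(label.startswith("xn--") for label in host.split(".")):
        return "internationalized label, possible lookalike characters"
    # Exact match or a true subdomain. The leading "." matters: without it, any
    # registrable name that merely ends in the same letters would pass.
    if host == OFFICIAL_DOMAIN or host.endswith("." + OFFICIAL_DOMAIN):
        return "official"
    if OFFICIAL_DOMAIN in host:
        return "official name used as a label of another domain: " + host
    return "different domain: " + host

# Constructed sample URLs, not indicators taken from this campaign.
SAMPLES = [
    "https://www.bdo.com.ph/login",
    "https://BDO.com.ph./",
    "http://bdo.com.ph/",
    "https://bdo.com.ph.login.example/",
    "https://bdo.com.ph-verify.example/secure",
    "https://bdo.com.ph@login.example/",
    "https://login.example/bdo.com.ph/index.html",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{classify_url(sample):<62} {sample}")
```

A substring test such as `"bdo.com.ph" in url` would accept every non-official sample in this list that uses https, which is why the comparison is made on the parsed hostname with a dot boundary.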
