‘When something feels fraudulent, pause’ — bank exec

Jon Paz, BPI's Enterprise Information Security Officer and Data Protection Officer.
Photo by VA Angeles
A common problem bank users face today is receiving a message that appears to be from their bank—often about rewards, deductions, or transactions—containing a clickable link. Out of urgency, especially when users don't recognize the transaction, they may click the link. Panic sets in, and they scramble to verify what just happened. But according to one digital banking expert, the first thing you should do is pause.
“Take a pause. [S]cams always begin with an urgent call to action. There's always an element of urgency. It's always like that,” said Jon Paz, BPI's Enterprise Information Security Officer and Data Protection Officer.
“It could be rewards points that are expiring. There's an offer for aid that's available that can only be available to a few. Hurry and click here. [T]his is a notification about fraud happening against your account. That's something that anybody would, at the first instance, be very concerned about.”
In a media discussion on cybersecurity Thursday, Paz emphasized that many people panic and click links immediately—links that often lead to convincing, well-designed fake websites.
These then prompt users to share sensitive information, including online banking credentials.
“Take a pause. Breathe. Ask if this is actually legitimate. The best place to ask would be your bank. So call,” he said.
Paz also warned BPI users about clicking on any text messages that include a link, saying the bank never sends clickable links via SMS.
He explained that many of these messages are part of scams using international mobile subscriber identity (IMSI) catchers.
“A lot of the things that we've done, we're asking for the link also for takedown. To protect the others who might not have seen it yet, or have yet to click it. So that if they see that text, it's probably coming from IMSI catchers,” he explained.
Beyond IMSI catchers, Paz highlighted threats from rogue apps or malicious software that use an overlay technique to hijack the mobile interface.
He explained how the scam typically unfolds: a user receives a phishing text or email with a link. Once clicked, they may receive a follow-up call encouraging them to click another link—to install an app.
“That app is the one that allows the owner to establish control over your device. Now, I mentioned overlays. An overlay is a script that appears on top of apps. [T]hey will present an overlay, a display, totally opaque. So, you're not aware that underneath the apparent installation [s]omething else is happening,” Paz said.
The malicious software then changes the phone’s settings and can ultimately be used to launch real-time attacks on banking apps—setting up and authorizing transactions, even using the user's biometrics.
In response to these scams, Paz said BPI is strengthening its app's security layers and ramping up user awareness efforts.
He reminded customers to be vigilant about suspicious emails, SMS, and calls; to use strong passwords; to enable multi-factor authentication; and to review their account security settings regularly.
