Warning! Fake BPI Express Online website

James Ryan Jonas

Take a look at the screenshot of a website below.

If you’re a Bank of the Philippine Islands (BPI) customer, you’ll most likely recognize it as the BPI Express Online (BPI EOL) website.

But look again. It’s not!

It’s actually a fake website mimicking the original BPI website — with the hopes of scamming you and stealing your money!

The fake website’s address is bpiexpressonlineph.com — very similar to the official BPI website at www.bpiexpressonline.com.

(Warning! We do NOT advise you to visit the fake BPI website.)

The fake site cunningly uses an address very similar to that of BPI’s official website. Users who are not checking the link could definitely become instant victims because the landing page is almost, if not exactly, the same as BPI’s official online banking website.

How we know it’s fake

The look, feel, layout — everything — is almost the same which is why, at first glance, you’d think it’s the original BPI Express Online website.

The site even “invested” in SSL protection — that’s why the link shows https, not just http — hoping to trick you into thinking it is a “secure” online banking website. (Do note that any website can simply purchase an SSL certificate and easily serve its URLs over https. Having an https website is no assurance that the website is legit.)
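The address check described above can be automated. The following is an added example, not part of the original article: it ignores the scheme entirely (https proves nothing here) and compares only the hostname against the official domain quoted in this article. The function names, the edit-distance threshold, and the constructed test hostnames are assumptions for illustration.

```python
from urllib.parse import urlsplit

# Official domain as quoted in the article; the only trusted entry (assumption).
OFFICIAL_DOMAINS = {"bpiexpressonline.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str, official=OFFICIAL_DOMAINS, max_distance: int = 2) -> str:
    """Return 'official', 'lookalike', 'unrelated' or 'invalid' for a URL."""
    if "://" not in url:
        url = "//" + url          # let urlsplit parse a bare hostname
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not host:
        return "invalid"
    # Trusted only on an exact match or a true subdomain of the official domain.
    for dom in official:
        if host == dom or host.endswith("." + dom):
            return "official"
    # Otherwise look for the brand label hiding anywhere in the hostname.
    for dom in official:
        brand = dom.split(".")[0]                 # e.g. "bpiexpressonline"
        for label in host.split("."):
            plain = label.replace("-", "")        # bpi-express-online -> bpiexpressonline
            if brand in plain or edit_distance(plain, brand) <= max_distance:
                return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    for u in ("https://www.bpiexpressonline.com",   # official address from the article
              "https://bpiexpressonlineph.com",     # fake address from the article
              "https://bpiexpress0nline.com"):      # constructed sample
        print(u, "->", classify(u))
```

The check treats the https and http versions of the fake address identically, which is the point: only the hostname decides whether the site is the bank's.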

The weird stuff in the fake BPI website begins the moment you input your username and password. (Which we advise that you do NOT do!)

We already know it’s fake, but we decided to give it a try, of course using fake information as well, to see how it is trying to trick BPI customers. Here’s what we discovered.

1. “What’s the password of your email address?”

Upon entering your BPI login name and password, a new page called the “Update Personal Information” page will load.

The fake website actually has a typo — “Informations” — and you’d think a big bank like BPI would at least check for grammar or spelling errors. Well, that’s red flag number 1.

But the bigger red flag is that it’s asking you to input the password of your Email Address. Yup, the password of your email address!

Why would BPI be interested in that? It’s understandable to ask for the email address, but the password of that email account? Someone just wants to access and hack your email! That’s one big sign this website is a fraud.

2. “What’s your credit card CVV number and other details?”

Still, we went ahead and typed in fake information, including a fake email address and password. This page appeared next.

Additional input fields now require you to input your important Credit Card details, such as Credit Card number, its expiration date, and even the Card Security Code or the CVV number. Give this information and you’re hacked!

That’s the biggest red flag. Your bank or credit card won’t be asking for these details, especially the CVV or Security Code.

If you’ve already used your credit card online, you know that these 3 details are important. The CVV, for instance, is a validation number which you input to confirm any online purchase or transaction. Anyone who has access to your credit card details will be able to use your credit card online. You’re doomed!

To repeat: never give your account and credit card details to someone on the internet, unless you really, really, really trust them.

Still we wanted to play along, so we typed in fake information again, and what simply happened was we were redirected to the official BPI ExpressOnline website.

You should know by now that once you do that, everything you typed in — from your personal details to account password to credit card details — will be sent to and can be seen by the scammer. Soon, you’re most likely going to be one of countless victims of credit card fraud or bank account hacking!

So be vigilant and make sure you don’t fall for these fake website scams. Double-check every time that the site you’re visiting is the official website of your bank.

UPDATE #1: We visited the fake BPI ExpressOnline website today, and fortunately, Google Chrome is now able to detect it as a phishing website, with a flashy red warning telling visitors not to continue.

We hope users will heed the warning and not go ahead and use the site. You’ve been warned!

We also checked the website’s domain registration and discovered that the site is owned by a certain “Roldhan Plasabas” from Davao City. Whether this person is real or not, and whether he is a scammer, is something for BPI and the police to investigate.


UPDATE #2: BPI has done a great job in providing information to its customers about various ways to protect themselves from phishing and hacking attempts. Check out their useful guide here on How Not to be a Victim of Phishing Scams.


James Ryan Jonas teaches business management, investments, and entrepreneurship at the University of the Philippines (UP). He is also the Executive Director of UP Provident Fund Inc., managing and investing P3.2 Billion ($56.4 Million) worth of retirement funds on behalf of thousands of UP employees.