GCash, a finance app used for payments and money transfers, will fully switch to in-app One-Time Passwords (OTPs) starting June 22, replacing SMS-based codes to help reduce phishing scams and account fraud.
The change follows a Bangko Sentral ng Pilipinas (BSP) rule requiring financial institutions to stop using SMS OTPs by June 2026. It also supports the Anti-Financial Account Scamming Act (AFASA), which aims to protect users from digital fraud.
Instead of receiving codes through text messages, users will now get OTPs through secure notifications inside the GCash app itself.
“Our upgrade to In-App OTPs is a strategic move to put an end to phishable SMS OTPs,” said Miguel Geronilla, chief information security officer of GCash. “We will shift users to instant, GCash app-verified authentication to increase the security of their daily transactions.”
SMS OTPs have long been targeted by scammers through fake links, SIM swap attacks, and other tricks that steal login codes. With the new system, OTPs will only appear on devices already logged into the verified GCash app, making it harder for attackers to intercept them.
The change also makes transactions simpler. Instead of waiting for a text message and typing a code, users can approve payments directly through a notification in the app.
GCash said the upgrade is part of efforts to boost its multi-layer security system, called multi-factor authentication (MFA), which adds extra steps to verify users and helps protect accounts even if passwords or MPINs are stolen.
The fintech company has also strengthened its security tools in recent years, including Know-Your-Customer (KYC) checks and facial recognition, known as Double Safe. The new in-app OTP system builds on these protections while aiming to keep the experience fast and easy.
The Philippines remains one of the region’s biggest digital payments markets, with millions relying on mobile wallets for everyday transactions. As usage grows, regulators and companies are pushing stronger security measures to reduce fraud risks.