NPC: Phishing caused GCash security incident

The National Privacy Commission (NPC), the Philippines’ data privacy watchdog, confirmed that phishing caused the unauthorized fund transfers to two bank accounts of many GCash app users. 

Multiple users of GCash, an e-wallet app, turned to social media and reported that a significant amount had been deducted from their accounts even though they had not authorized it.

“Upon our thorough investigation, we have determined that the unauthorized transactions in GCash accounts were a result of a meticulous phishing scheme,” Privacy Commissioner John Henry Naga said in a statement. “Unknown threat actors took advantage of vulnerable GCash users, triggering the phishing scheme through online gambling websites such as ‘Philwin’ and ‘tapwin1.com’.”

Some users may have clicked ads that led them to links that obtained their information and enabled cybercriminals to move funds from the app to banks. 


The NPC met with GCash representatives as part of the Commission’s investigation. As requested by the NPC, the e-wallet company submitted additional information that would aid the NPC in its examination and independent verification of the incident.

Two weeks ago, GCash users found their e-wallet either empty or missing a significant amount. The app was down for a couple of hours and no transactions could be completed.

A Philippine Daily Inquirer report said that the fintech company, which has 76 million users, was able to prevent a loss of about P37 million and averted a possible attack. The report also said that GCash detected suspicious activity within the app and decided to cease operations for a while to avert any attack.

“We have ordered GXI to intensify its education and awareness campaign to its clients to prevent similar incidents in the future,” Naga said. “We assure the public that the National Privacy Commission remains resolute in its mandate to safeguard the rights of data subjects and protect personal information. We will employ the full extent of our powers under the law to penalize those who violate the Data Privacy Act of 2012.”

In 2021, GCash reached double unicorn status after raising $300 million in fresh equity and reaching $2 billion in valuation.