Philippe: Of course all of us, we have emails, we have phones, we have laptops. But let’s start with an email.
Mclaine: It’s not just a typical thing anymore. These days, email is a necessity.
Philippe: What security measures do you usually take for your email? What people think is, when something gets hacked, it’s a hacker. I don’t think that’s the case. Most of the hacks are what’s called social hacking. Gone are the days when other people felt that, ah, this got hacked because of some software.
That used to be common, right? Most of the time, it deals not with technology, but with how you could influence the other person to provide you access to their account.
Philippe: It’s always human error. When we say human error, it’s because they were either conned, confused, or really just distracted. First step of protecting, you have to have a strong password, right? What’s next?
This transcript is machine-generated, and we apologize for any errors.
The views and opinions expressed in this podcast are those of the host and guests, and do not necessarily reflect those of the producers, network, or sponsors. Listener discretion is advised.
Philippe: Alright, today let’s talk about cyber security. Of course all of us, we have emails, right? We have phones, we have laptops. But let’s start with an email. What security measures do you usually take for your email?
Mclaine: Well now… before, there was no option for two-factor verification. It was just, you know. It’s more of a character symbol.
Philippe: Password.
Mclaine: Password, yes.
Philippe: So right now, what’s the… Because we know that before, a password was just what? Really just words. Yes. So like… “pogi ako” (“I’m handsome”). All small letters, or sometimes like… In fact, no special characters, right?
Philippe: So that’s how people were hacked before. And then I guess there came to be tips on how you could use special characters. Underscore, at sign, numbers.
Like, I think it has to be alphanumerical with special characters, right? Come on, admit it, what was your password before?
Mclaine: A combination of people that I used to… special someones, or…
Philippe: Birthday. A lot of people used birthdays too.
Mclaine: That was kind of the trend before, right? Like, just a birthday, 0, 1, 20, 55. Then underscore, Mac. That kind of style. But without the special character, say, Mac, and then the birthday. And then the hackers probably notice his email, hey, it’s probably somehow similar.
This person made an email, let’s say, mac012054 at yahoo.com. For sure, this one’s password isn’t far from what he made, because somehow it’s connected. Like, easy to remember. That was kind of the trend in how they made them. Since back at that time, it wasn’t that important to them yet.
Mclaine: Like, just to be able to… Ah, I just need to have an email. I’ll create an email. What password? Something easy to remember. They’d just put two or three letters in front of the email address, and then that’s their password.
That’s probably why it was that easy… Maybe up to now that’s still their style, just with special characters. But right now, most of the…
Philippe: I’m sure, I’m pretty sure that a lot of other people would still use the basic form of passwords, like the name of a song. So for example, let’s say, name any song.
Mclaine: More than words.
Philippe: More than words, right? 69. But I know people who use stuff like that. Name of a song, birthday. Up to now, they’re still like that. There are other ones too.
The name of the email, right? I knew that email before. I think that was your email. Like, pogi ako, 69.
Mclaine: And then when it started asking… Because once the special character rule applied, all it would do is say, we suggest that you change your password.
He’d just change it. Pogi ko. Pogi ako. Underscore. 69. Then just with an at sign, right? At sign.
Philippe: Then others use years. Like, for example, show my business, 2025. Like that. So those passwords, no matter if they’re alphanumerical, even if they have special characters. I think it’s just hard to incorporate special characters.
I think the easiest are dash, underscore, at. But the other special characters, for example, the brackets, or the upward arrow, and then percentage, right? They’re hard to remember. So I think, the very first step to secure, let’s say, any device, your email, let’s start with email.
Philippe: To secure your email, have a very strong password. So strong is a combination of alphanumerical, so we’ve got alphabets, numbers, and so alphanumerical is letters and numbers. What would you call the special characters, then? Special alphanumerical.
Mclaine: Special alphanumeric characters.
Philippe: Alphanumeric characters. They’re special already. You need to use the at sign, dollar sign, pound sign, and then brackets. You know the asterisk?
Mclaine: Asterisk. Pound sign.
Philippe: Is plus allowed? Equals? Is that allowed? Exclamation mark?
Mclaine: Exclamation mark, yes.
Philippe: I wonder about the enye (ñ). Is that allowed in a password?
Mclaine: I think it’s allowed, but others don’t want to use it because first they’d have to look for the special characters.
Philippe: How about apostrophe?
Mclaine: Apostrophe, I haven’t used an apostrophe yet.
Philippe: So we have the, what, comma? Is that allowed? Comma? There are two kinds of brackets too, and then there’s more.
Mclaine: Yes, and then the box bracket.
Philippe: Box bracket, and then there’s also that, what do you call it?
Mclaine: That’s for, you know, right? They use it in algebra.
Philippe: Oh yeah, algebra. The A, X plus Y, I don’t know anymore.
Mclaine: Maybe, about that, you’d know when it’s algebra stuff, ah, this one’s a mathematician, or something. Somehow, somehow the thinking is weird.
Philippe: Those are the ones that are hard to hack, right? Okay, so that’s the very first step of protecting. You have to have a strong password, right? What’s next?
Mclaine: Continuous, um?
Philippe: Updating of password.
Mclaine: Updating of password. But me, no. I don’t update. But I, maybe this is what’s wrong with what I do that I can’t get rid of, I kept a directory of all my emails.
Whatever account, even YouTube, I have an Excel file where they all are. And then, if I change, it’s, you know, since it’s an Excel file, starting from the top, this one means this is the first one I used.
Mclaine: I changed it. So I put it there so I could monitor which ones I’ve already used. Because there’s that one, right? When I try to log in, “you already used the same old password.”
Philippe: Old password, yeah.
Mclaine: So, ah, oh no, what was it?
Philippe: Others just change the number at the end. So for example, let’s say, save the world, 10. The next one, save the world, 11, 12, 13. But what’s best practice? How often do you need to change the password?
Mclaine: For a typical one, maybe, you know, but now it’s not, you know, it’s not just typical anymore. These days email is a necessity, and there are many scammers, ah, they hack it even if it’s simple, even if it’s not an active email, as long as they see it exists,
ah, they try to hack it. Ah, my email was once hacked in the middle of the night, or early morning even. Good thing I checked the, ah, aside from my email, same as well with Facebook. Ah, only minutes had passed, good thing I changed it right away,
Mclaine: ah, but it took a while because, maybe at the same time, they were trying, and then I was, ah, recovering the, you know. So, that’s it, one of my backups, or one of the things I do, it’s backed up. What makes me nervous is, once I lose my phone, ah,
ah, but it’s easy to take down if you have internet access. It’s just an Excel file, a spreadsheet. You could just delete it, ah, or remove it. But it’s easier, if they’re familiar, it’s just copy paste. Or they’ve already downloaded the data. So.
Philippe: The only problem with changing passwords is, if it’s frequent, whenever, let’s say every month, it’s still a hassle, right?
Mclaine: I think, can it be, I think it’s like, every two, three months that you can change it.
Philippe: No, you could change it even everyday.
Mclaine: Ah, is that so?
Philippe: But the frequency of changing it is a hassle for the typical, for the average person. So, for example, imagine, tomorrow you’ll change the email password.
It’s just a hassle, it has to be a habit, but I think it’s safe to say that it should be changed at least every month. So, for example, your password is, let’s say, save the world, June. Next month, it’s July.
Mclaine: Save the world, July.
Philippe: I think, I don’t recommend it, but I think it’s best to change it every month, ah, just for security purposes. And with email alone, it’s important, because we have a lot of notifications from different apps, right? And all that. Okay, so, first step, good password, strong password.
Second, ah, the frequency of updating your password, changing your password, at least every month, or every three months, up to you. If it’s sensitive, if it’s a work email, I think it’s advisable every month. Right? If it’s really quite sensitive, maybe even every week.
Philippe: Right? Even, you have your financials and all that, it’s important because there are so many cases where, they don’t, you know. Right? And I think it’s just because, this is the next step, it’s because they don’t do this. Which is, ah, two-factor authentication.
So, for those who don’t know what two-factor authentication is, that’s, ah, a layer of security. A layer of security which verifies you logging in to a certain account, could be your email, could be anything. So, people may know this as OTP, one-time password.
Philippe: So, ah, second, 2FA, second-factor authentication, is getting an OTP. Right? So, one-time password, ah, which people are used to by now. For example, if you log in from another device, and there’s 2FA, you enter your password, and then that password,
ah, sorry, the next step after that, there will be a second factor, second-factor authentication, or two-factor authentication, 2FA in short. It will send, let’s say, a one-time password to your phone, or to another email, possibly, or to a device, or to WhatsApp, to Viber, right?
Philippe: So, that’s the second layer of security that you could add to your emails, or to any of your devices. So that’s important. And it’s always important that wherever the OTP is sent, you should also control that account.
So whether it’s a phone, or another email address, or Viber, or WhatsApp, or anything else, you should control it. The problem is if you don’t have that. So I think the second one is strong enough already. When the password is changed, and it’s a strong password, and there’s 2FA too, I would say, the vulnerability of your, went from zero.
Philippe: With the password alone, right? Complicated, a password with special characters. I think the safety of your account goes from zero to, let’s say, just 50%. Right? And then the, what’s this, the two-factor, that goes to, I would say, 90%. No, 100 isn’t possible.
Mclaine: Because it’s hackable. Okay.
Philippe: What isn’t hacked… because what people think is, when something’s hacked, it’s a hacker, the kind they see in shows. Okay. Lots of typing, then it’s hacked. Right? But I don’t think that’s the, I don’t think that’s the case. Most of the hacks are what’s called social hacking.
Because, for example, we’re together, and I wanna hack you, right? I got your email, I got your password, I’m able to log in, but there’s two-factor authentication, and you’re in the CR. It does notify, after all. Yes. I’d see, oh, the OTP. Right?
Philippe: I’m in. That’s social hacking. Most of the time, it deals with, um, not technology, but with how you could influence the other person to provide you access to their accounts, right? It happens in so many places.
This became common, for example, you go to any Starbucks, you’ll see people, they leave their laptops. They have a phone call, they go order a coffee, they leave the laptop, still open. The kind that’s not even locked, still open, they leave it, because they’re attending to something, or anything like that.
Philippe: Sometimes they leave their phone too. So, very hackable, in the sense that when the owner of the devices leaves, right, you could simply, or maybe someone passes by and sees, oh, when they log in, this is the password, they saw the keystrokes, right?
Gone are the days when other people felt that, ah, this got hacked because of some software. That used to be common, right? Um, a typing monitor, that existed, like, they would install it on a certain device. The device owner wouldn’t know, because maybe they lent out the laptop, or there’s a keystroke, um, keystroke recorder.
Philippe: So, all your keystrokes get recorded? They get recorded, but the first few versions of that were keystrokes only. The evolving versions, the keystrokes, what application is being used, and what link is being used. I guess, wow, it evolved. I don’t know if those still exist, but pretty sure there might be.
But yes, most of the time it’s about social hacking. Let’s talk about real-life situations. There’s so much news about hacked GCash, or money being transferred, money lost from your GCash, because even when the OTP arrives, or there’s one person who goes to a store and asks for, what is it usually, cash-in?
Philippe: They say they’re cashing in, or cashing out, right? And then of course, I think cash-out, because they’re going to get money, right? With cash-out, they say the request didn’t come through, right? For cash-out, but they’re saying, oh, it’s there, maybe the text was delayed, and all that.
That’s already social hacking, because what they’re doing is trying to influence the person they’re talking to, like, what the elders call being hypnotized, or being conned, or something like that. But apparently it’s social hacking, and sometimes there’s even a distractor, right?
Philippe: In the movies they’re like that, for example, there’ll be a diversion of attention. And usually it’s not just one person who approaches. There’s one person, then there’s, pretending, the other cosplayer, who’ll buy something.
Mclaine: They’ll cut in, “oh, I’d like to buy this, please.”
Philippe: Yes, and then, “oh, the PIN arrived, I mean the OTP,” like that, “have it checked,” and they’re super busy. That’s social hacking. And it still happens, whether or not GCash, or tech, or a device is involved. So, in the news now, last night I watched the news, at a market or a mall, I can’t remember, it was like a tiangge (flea market).
So of course there were lots of people, crowded. It turned out that was one group, around four or five of them, they’d squeeze in on one woman who was checking, buying whatever, a bag, an item, whatever, right? It turned out one of them was already picking her pocket without her knowing. This happens at tiangges, on the MRT, at the mall, in various places, right?
Philippe: But their target is in a popular, high-traffic area, because once they’ve succeeded, they can, oh, the one who picked the pocket passed it on and left, right? Of course, in real life we don’t have 2FA on our bags. But some do have, fingerprint, right? To… but now there’s this thing, just about the size of an ATM card, that’s, I think, a GPS tracker.
Mclaine: So, and lately I saw it’s rechargeable, like a smart tag. It’s just the size of an ATM card. And then the charging part, the charging port, is super small. Yes, the charging port is like the antenna port on cellphones, just like that. And then it holds a charge, and it lasts for days.
Philippe: That’s good for a wallet, because, you know, so if your wallet always has money in it, it’s probably better to invest in that kind of smart tag.
Mclaine: So that at least, if you lose either your bag or your wallet, especially the wallet, because that’s where the, never mind the money. Usually they always think of the cards, because it’s hard to get, to update a card, or to get a duplicate. So that’s probably one of the best.
Because the other smart tags are big, right, like the Apple ones.
Philippe: Apple tag, but it’s about that wide, that’s the one that’s kind of bulky.
Mclaine: And also noticeable. “Hey, a smart tag.” You just tuck it in among your ATM cards, or slot it in there, and nobody knows that one of them is actually a tracker. And if you look at it, if you’re not familiar, you’d think it’s just an ordinary card.
Philippe: Then there are stickers you can buy on Lazada, Shopee, that you can stick on, like an ATM card, right, like, black… those stickers that, you know, for that.
With GCash, as far as I know, when it comes to two-factor authentication, there’s an OTP. When you log in on a new device, you need to put your, and then you need to put your PIN code, and then there’s also an OTP, right? There’s an OTP to log in on a new device.
Philippe: Maya does the same thing, but I think with, because so many have been affected on GCash, and because of social hacking, most of the time either someone peeked at the OTP, which means that, for example, the people at the store, being so busy, really get flustered, they no longer know, and they just leave the phone, or the small phone for the OTP.
What also got hacked, it’s not even digital, you know the QR codes at stores? There was a case, I think it was, I’m not sure what establishment, I don’t know if it was Mercury, or, anyway there was an establishment, they had a QR, if you want to pay with GCash, they had a GCash QR.
Philippe: The thief, what he did, he took a picture of the QR, though he also bought something, but he took a picture of the design of it, because it was just wood. He went home and had a look-alike of the QR custom-made. For the QR itself, he put the QR of his own number.
So every time a customer made a purchase, it went to him, without the store owner knowing.
And the store owners wondered for a while why no confirmation was arriving.
Philippe: So of course, ah, maybe it was just delayed. With so many customers, they didn’t notice. Because usually they’d just show it, “sent already,” and they wouldn’t verify it.
Mclaine: As long as they saw “sent,” and then saw the, because it has a name, right? Say Mercury, Mercury.
Philippe: But usually, as the one paying, you don’t, you’d rather pay and go. You don’t check if it’s Mercury, right? Ah, but I’m not sure if this was Mercury Drug. It could be any establishment,
but this is a good warning for any establishment. If yours is on wood, or laminated, just make sure you always check it. Like daily, check it when you come in, check that it’s really, you know. Okay.
Mclaine: If there are lots of transactions, right?
Philippe: Lots of transactions that have come in, because there’s, I think, GCash, Maya, and CQRPH. They give out a device, a phone, just for the notification. When something comes in, the text arrives there saying, oh, it’s in the account. Okay. So they were wondering, nothing’s coming in yet.
It had been a week. So maybe there was a supervisor or manager who said, check it. When they checked, uh-oh, it wasn’t our account, they said. And then the one who did it, I think, wasn’t caught. Because I think there’s, I’m not sure, privacy, they couldn’t, you know, the person, whose account that was.
Philippe: Because they have to file a case with the NBI first so they can get a warrant. And send it to Globe or GCash or whatever. And then NTC. NTC and all that. So it’s a long process, and by the time they found out the name of the person, it turned out to be fake too.
When it was verified, it’s a real person. But the one who used it wasn’t that person. Then they tracked back the, they tracked back the CCTV and all that. Of course, he couldn’t be seen because he was, you know. The name on it was a woman’s, but the one who did the swap was a man.
So they couldn’t, I don’t know what happened, but that’s what you call social hacking. They didn’t even hack the device, but they hacked the QR code. Imagine that.
Mclaine: I think in the US, what they do is use a sticker. The same thing, a QR code, placed as a sticker. So it’s the same scenario where someone’s buying, then another one cuts in like that, and suddenly sticks it on.
Then they pretend to purchase something, so what happens is it’s like they bought with their own money. Yeah. It’s their QR, paid. Then when leaving, they remove the sticker. So it’s like nothing happened. I think I saw that, I think that’s in the US, at convenience stores.
Mclaine: Others have their own, yes, same thing. They replicate it, and at QR time, when the, you know, turns their back, some of them know where the camera is. So they block it like this and swap the QR.
If it’s a QR stand, they bring their own QR stand, then they scan it, they show that they’re paying. Once it’s paid, they show it, and then swap again, and they put back the new one. That’s how it was before.
Philippe: Wow. That’s social hacking.
Mclaine: I think that was happening, um, years back already.
Philippe: Imagine that. So, most of the time, hacking the device… Because right now, with 2FA, with OTP and everything, the security is very strong, device-wise. But security still isn’t that strong when it comes to humans. It’s always human error. Yes.
When we say human error, it’s because they were either conned, confused, or what’s said to be hypnotized, which I don’t believe; they were really just distracted. So, for example, that QR, as you said, they just turned their back. You just stick on your QR. Yes. It just won’t be noticed. Who, would we even pay attention to the QR? For example, if it’s placed like that, down low, it won’t be noticed.
Mclaine: That’s why some stores don’t bring out the QR right away. When you say, “ah, do you have a QR,” they hold it, and they don’t let go until you’ve scanned it. Otherwise, it goes back again.
Philippe: There, ah, two-factor, second-hand authentication.
Mclaine: Actual, um, 2FA, right.
Philippe: Then others, it’s just on the phone, “here’s the QR, let’s generate a new one.”
Mclaine: Okay, that’s better, because it needs to be generated. If it’s not generated, right, or what others do, right, you just make the QR, like, make the QR bigger, about this big.
Philippe: I don’t think you’re gonna… Or the QR is on, um, on a tarpaulin, right, big. My backup, my backup.
Mclaine: You’d need that, you can’t. You can, you can.
Philippe: If you replace the tarpaulin, or put a sticker on it, you’d be really obvious, right.
Mclaine: Like, when they ask, “ah, your QR?”, “you can see it on the back,” right, it’s big.
Philippe: There, that’s another one, you can put it in the back.
Mclaine: It’s that big, so you really can’t scam with that. Then there’s another one, this one, I tried it too, those giving away money on Facebook. I try those, the ones like, “oh, you won,” like this.
“Do you want money?” I click, click. I like to say yes, and since I saw the… I changed my password, because it notified me that someone tried to hack the… because the thing is, GCash, you can access it with your number.
Philippe: Because of the payment portals, right? You need to log in there, not in your GCash itself.
Mclaine: So they get in through the portal. Enter the number, and then the PIN. So I said, uh-oh, I’m done for.
Philippe: A lot of people get caught by that too, through texts, right? Now, here’s the major problem that people experience, but are still, I don’t want to say dumb enough, but of course with so many distractions, it happens. Sometimes, in SMS, they click the links.
So, for example, our notifications from GCash, BDO, BPI, from banks, anything that has to do with banks, with e-wallets, those come with texts, right? There are promo texts and all that. Or you’ll get a text saying, please verify your account, or your points has not been used and will expire.
Philippe: The problem with these SMS messages is that there’s a device to hack the radius or the area where it is. It sends a text, masking as BDO, BPI, or GCash, or Maya, or any other payment, or banks, or e-wallets, right?
The thing is, when people receive it, since it’s masked, it goes into the message threads of the official banks. So for example, BDO. I just received a text yesterday: your 5,000 points and rewards has not been used and will be expired.
Philippe: Please log in with this link. If you look at the thread before that, it’s really BDO. The thing is, SMS is really low-tech, right? You can’t verify if it’s the same sender. But apparently, what do you call those? The SMS senders? The device?
There’s a certain device that you can, it’s portable. So within a certain radius, within a certain area, you’ll receive the text. Anyway, moving forward, you’ll see, oh, this is legit, it’s from BDO. When you click the link, and let’s say you’re very distracted when you click, it goes to a website that looks like BDO’s, and you log in.
Philippe: But it fails. It says, you have the wrong password. It turns out you’ve already typed your password, and it’s a phishing site. They’ve got the details. At the same time, when they know, on the hackers’ side, when they know that someone’s logged in, theirs gets pinged. It gets pinged, and they log in.
And then the OTP is received. Sorry, actually, it doesn’t say wrong password. It’s like a successful login. Then there’s also an OTP. At the same time, it’s been hacked too, the hacker has typed in their password. So an OTP is received. And the OTP gets typed into the phishing site. It turns out it isn’t the real BDO website. It just looks like it.
Philippe: Of course, if you’re not familiar with websites, you won’t notice the link. Usually the link shown is something like bdoph.com.ph. At the start there are lots more letters, XYZ. Exactly. And, you know, buying a domain nowadays. So it’s the same in texts, the links.
Mclaine: By the way, here’s what I found: IMSI, International Mobile Subscriber Identity. There. That’s what’s being used now, a system where once you’re covered, once they get in, once you connect to their system, you’re already included in their database.
Philippe: So, for example, BPI can be masked too, he could mask as GCash, and it will go into the SMS notification threads. That’s the problem. So if you’re not smart enough or you’re too distracted to notice, every time you receive a text message, make sure of the link, you can see it anyway, like the official site of BDO is bdo.com.ph, or is it, so it’s bdo.com.ph;
when you notice that the URL or the link is different, let’s say it says bdotoday.xyz, you should be suspicious. But when you open those sites, I tried, it’s the same. These hackers are good web developers too. Whatever the user interface of BDO’s website is now, it’s exactly like that, same with BPI, same with UnionBank, same with GCash, same with Maya, even the payment portal.
Mclaine: When you explore their menus too, it’s the same. They copy it exactly.
Philippe: So make it a habit to look at the URL, at the link. Pay attention, because it could actually be, for example, Union Bank. You don’t know, it turns out an I is missing, it’s not Union. Union Bank. Right? Dot com, dot ph, or dot ph. Right? So you always have to look at the links that they send.
And I don’t think these banks are gonna send anything for verification. I think they’ll call instead because of this. It’s just that they haven’t solved the problem of SMS being hijacked. Right? That’s a problem. So, maybe just as a safety measure, if it’s asking you to log in, don’t.
Philippe: Right? If it’s telling you your account has been compromised, you need to log in here, don’t. Call the bank. But I think there’s also a scenario like that.
Mclaine: What was received was like spam. “So you need to call the bank.” He called. The number there was the number of a bank teller, but one who was an accomplice. I think it was either BDO or BPI where that happened. He called, and they assessed the, you know.
So he didn’t notice anything funny because the process was the same as what’s done at the bank. I think days or weeks passed. No response from the bank. I think they visited the bank and then found out that nothing like that had been processed, or I think they were given a ticket number. They checked the reference number. It was not included in the decision.
Philippe: It’s still social hacking. But this one is already strategized. So it’s an inside job, and it’s no longer social hacking because it’s already a heist. Social hacking usually, well, that’s strategized too, it’s planned.
But their target, it’s nothing as big as a heist. It’s like, not just long term, but it’s big at the time. And nobody noticed. That’s the heist.
Mclaine: Maybe some people notice it. But from what I see of the system in the Philippines, when only a few are affected, they don’t pay attention. So it’s like only 0.001% complained, you know.
Philippe: They just ignore it.
Mclaine: They were not going to, you know. But in other countries, when someone complains, there’s action right away.
Philippe: With credit cards, there’s action right away. And it can even be reversed. But with bank accounts, I remember, who was this influencer? It was a woman. Her BPI account was hacked. And for, I think, a whole week, 50,000 was being withdrawn daily. Can’t remember what her name was. But she’s famous.
She was an influencer, a businesswoman. I remember, this is BPI. She was being ignored. They said, maybe it’s just a glitch. And then she filed a case. She opened a case with the NBI, I think. And since she’s an influencer, she made a video about it. It blew up. So they had to work on it.
Philippe: They had to investigate. I’m not sure if the money was retrieved, but the question there is, how did the hacker get access? It’s a personal account, even. It’s a personal account from what I can recall from this. I believe it’s social hacking.
Most likely she had her phone somewhere. Somebody tried. They know her password. It’s a long game, right? And most of the time, the one doing it is someone you know. Or someone you’re always with on a daily basis. Because you get to see the habits. Sometimes the phone is left with them.
Philippe: Sometimes, right? So most of the time it’s someone who is close to you. Like what you were saying, the teller, the accomplice. That teller is close to the bank, close to the phone calls, right? The one that hacked the bank was the teller, right? With an accomplice outside.
But that means it’s really an inside job, right? And the others, for example, who lost money, it was transferred to another account. I always think it’s an inside job. Because it’s impossible. Because for someone like me, what am I? I’m paranoid. I have 2FA, MFA. MFA is multiple.
Philippe: Because 2FA is just like 2 steps. Multiple, you have multiple steps to go through. There’s facial recognition, there’s a PIN, there’s this and that. Now when it comes to that, sometimes, right? We notice on Facebook, someone’s trying to log in to your…
Like, huh? Is this even possible? But it’s really true. Of course you’ll change the password, right? But how the hell did they know your password? The problem with updating passwords, updating phone numbers, updating this for better security, is it’s just a hassle.
Philippe: That’s the problem. There are other software companies that I also use, but I only use them for work and only for particular devices and websites. There are a lot of applications out there that are password managers.
So you could change it to a strong, any of your devices, your accounts, you could change it to a very strong password. With 2FA and everything. And then that password manager, if you go to the website, let’s say you go to a bank website, let’s say you go to BDO again, automatically at login it inputs the password without showing it.
Philippe: Or you choose the account, if you wanna log in, you choose it, and it enters the password. Then the password is really… Well, no, you could, actually you could view it, because there’s nothing like that in the browser, you could view the password if you want to, right?
But the password is very strong. It’s long, like 15 strings of alphabet, alphanumeric, special numbers, right? The problem with these password managers is that, how sure are you that you’re protected? Because they hold your password too.
Philippe: So anyone in-house from that password company, software company, can be like, oh, this is his password for that. He could use that password.
Mclaine: Or maybe there would be, download the details.
Philippe: They could sell it, which happened a lot back then in the BPO industry. They have all the credit card details with the, what's that number on the back?
Mclaine: CVB.
Philippe: CVB, yeah. And then they'll just dispute it, since it's a credit card, it gets disputed anyway, right? The problem is, they don't, it doesn't get reported right away. So there were really a lot during that time. But this time around, with password managers, they're very useful, to be honest.
They're very useful. Because if you don't remember your password, oh, this is all you use, the password manager. It's just that you don't know how safe it is in terms of their privacy. But what's good about them is that if they notice that one of your websites has a password that has leaked before, they'll warn you, you have to change it, which is a very nice thing. Chrome does it, LastPass, your application does it, and many password managers.
Mclaine: And also make sure that not too many people use your laptop. Because, let's say, for example, you left it. Oh, like, can I borrow your laptop? Check. They log in to Facebook. Oops, sometimes, because, anything, any password, since the password manager, it's only whatever you put in there.
Because, right, the first time there, it will prompt. You wanna update or you wanna save? There. So, if it's important, you save it. There are, for example, when it's just some software or you're just going to download something, you don't need to save it. And then you would recall it from your password manager.
Mclaine: You'll see all of the sites that you saved. Once I checked, and I said, I went to all of these sites? I said, it's almost a hundred sites. Oh my goodness. Then I'd see, these are still my passwords. I reviewed my passwords.
I said, oh, delete, delete, unsubscribe. For others, I go to the site itself. Even with emails, I'd see the ones in my email. I'm subscribed. Huh, how did I subscribe here? So, unsubscribing is a bit of a hassle. Unsubscribe. But if your email is really important.
Philippe: You'll make the effort. Yeah, it really takes effort. It's still a hassle. That's why I would say, put aside cyber security, put aside engineers, developers, the real ones. The majority of the population. Oh, simple. In every family, there's only one in any family.
In your family, for sure you're the only one who changes passwords. Me, in my family, maybe there are just two of us. Right? I feel like it's just one. Because, okay, there's two-factor authentication. But you're taking the, taking different steps to make sure that, you know, your passwords are protected or your passwords are changed.
Philippe: One in every family. So, let's say, 90% of the population, anywhere, even in the US, even in Europe, they don't remember, I changed my password. So, email.
Mclaine: Yeah, create another one, right.
Philippe: My Facebook account, create another one. And that's a problem, especially with, you know, I don't mind if I don't change my password. If my password, they can log it, what are they going to steal? That's the problem, right? Corporates, in many, in corporate, it happens a lot.
Because one computer is being used by three shifts, like BPOs, BPOs, right? One computer, three. Three people who use this. For three shifts of that day. One in the morning, one in the mid-shift, one at night. So, they're using the same computer. Sometimes, they save, they have different accounts, but sometimes they don't log out.
Philippe: You know, they could be hacked socially. Because one of them goes, oh, I forgot to log out. Please just log me out. You never know, the next person on it doesn't log out, and what's more, snoops around. You never know, it happens. Or sometimes, it does happen, there are some hackers out there who are still high-tech.
USB, with software, with malware, they deploy it without it being noticeable, and then every keystroke, since all their devices are connected to the internet, they would access an IP address, send the details of what they're typing. It's still, you know, that's, that one's high-tech hacking.
Mclaine: But there's a device now that transmits free Wi-Fi. I saw, there was a post on Facebook, I think the, who's that well-known podcaster you mentioned, the bald guy?
Philippe: Joe Rogan.
Mclaine: Yes. He had as a guest the one who created, somehow, a USB? I'm not sure if you've watched that.
Philippe: I don't think it's Joe Rogan, but he's also bald. He has a podcast, he usually invites military, ex-CIA, SEALs, because he's a former SEAL, he was a SEAL. Retired and everything, because he got injured, so he retired, he created a podcast.
He invited a guy who invented, who invents spyware. So there's a lot of that spyware, USB, you plug it in, you could hack the Wi-Fi, it clears all the Wi-Fi, it masks the same Wi-Fi address, and when you connect to it, anything that you browse online, he can see.
Mclaine: But this one, it's not a USB, it's a charging cable.
Philippe: Charging cable, that’s small.
Mclaine: He said, insert this into the phone. Once he inserted it, would you believe that I already got your details?
Philippe: Imagine.
Mclaine: Then he said, here's your details. So, oh my God, how did you do that? he said. So imagine, that small.
Philippe: It's possible, huh? Yeah, right? Because he plugged it in.
Mclaine: He plugged it in. I think he showed that even if it's not plugged into a power source, as long as you just plug in the…
Philippe: Because it has its own power source. Wow, they get so small. And you don't know, right? Like, oh, you have a cable for…
Mclaine: For charging. Or let's say they put it in a free charging station. That's it, right? Game over, you put it in the busiest areas, in the office districts. Free charging station. Free charging.
Philippe: They don't know, it's free, but they've already been hacked.
Mclaine: Better to bring a power bank.
Philippe: Well, you know, that's it. The advice is, don't log in to public Wi-Fi. It's free. That's one. Don't leave your laptop open. Don't leave your phone unattended. Lock your phone. Because there are phones that take a long time to auto-lock, right? Other phones don't lock at all.
Because they don't want to set it. It's a hassle. I think it really comes down to human error. No matter how secure you think you are. For example, me, I'm very, you know, sensitive data, the work that we do, it has to, a lot of numbers, a lot of money going here and there. I can be hacked as well.
Philippe: You never know. Maybe, we're outside, we're here. I just went to the restroom, someone passed by, saw it. You never know. Even if you're the most paranoid person, you'll make sure you'll take all the measures. But there's always that time when you really slip.
Maybe you're traveling, you're on public transportation, you didn't know, you got distracted, somebody already grabbed your phone. It's the same as, you know, it's not about theft anymore. It's really about hacking the people. Right? If something, here, right now, if somebody distracts us, for example, outside there, fire, fire, right?
Philippe: First thing we do is, we run. The laptop is open, the phone is left behind, everything, sure we're thinking of our safety, but it turns out. When we run out to the elevator to go down, or the stairs, another team came in. Right? They're not even my devices, but they got hacked.
Mclaine: We're not that high-tech yet here in the Philippines.
Philippe: We're not that high-tech, but I know, I believe there's a lot of spyware that can be bought online.
Mclaine: Yes.
Philippe: Even if we're not high-tech, we're very creative at social hacking. You just bump into a person on public transport, oh, sorry.
Mclaine: It comes across as paranoid, huh?
Philippe: You just bumped into them, like that. Others, like, hi, Paul. Huh? Oh, sorry, I thought you were Paul. Okay. Huh? Fungko. Distraction. Distraction. The worst of these is not this one time someone bumped into you or you got cornered. The worst thing is the people you know, the ones who have been around you for a long time, that they've been planning this for a very long time.
They know your habits. They know your routine. They know that you leave your laptop or your phone open. They know your paaka or your charging, and once you give them a routine, once you're predictable, you're prone to social hacking. It happened.
Philippe: I've experienced it. Not to me, but people I know experienced it and they told me about it, and that part of that one specific person disappear. But the social hack around her, people I know, I wasn't caught up in it because that person, I'm kind of, you know, when it comes to details,
I notice a lot of things on the side, or what's being done. I have routines but I'm not as predictable as other people, because some are predictable. So they know, ah, this one goes home at 5pm so we should, you know, check on that before they go home.
Philippe: Lately, there was one social hacking incident that happened, I read it in the forums. Imagine, I think this was in the planning stage, someone ordered a parcel pick-up through Lalamove. This was Lalamove, nothing, the Lalamove driver has nothing, he was just booked.
The Lalamove rider parked at a residence and then the one who booked said, take a picture, take a picture, just of the front of the house. So he kept taking pictures, and the owner of the house noticed and said, what are you doing?
Philippe: Oh, the sender told me to just take a picture of the, you know. No, delete those, who is that sender, or who requested that. I was just told to, and then, I don't, I think the Lalamove driver was innocent. He had nothing to do with it, but of course, it's the one you booked. Okay sir, picture, they'll do it anyway, they're paid just to take pictures.
Mclaine: Just to verify, or just to give details on whether this is really the place where he's supposed to be.
Philippe: They were saying in the forum, be careful because maybe it really was ordered through, they even dragged the riders into it. The ones who are just working, to take pictures of a place. So that they can, you know, for the hackers or for the thefts, for the thieves. So the strategists can see, ah, like this, they have a dog, so we should be careful.
So they're choosing their targets, you know, and they're using the normal services. So they could, you know, so they could plan ahead and see how can we hack this person. Break into the house, or, it's social hacking on a different level. Imagine it's already being planned, being done, hey, go here, you know.
Philippe: For example, Pabili, they're the only ones with that Pabili, right? Pretending, oh, where's this house, what's this? Oh never mind, I'll cancel it. But take a picture, I'll pay for it. And then Lalamove has a stopover option, right?
Mclaine: You booked a stopover?
Philippe: A stopover, pretending, you know, right?
Mclaine: You add that to the order, say. What's an additional 50 pesos just to have a stopover. To get a detail, you know, right?
Philippe: Then, please check whether they have a doorbell or a dog, that kind of thing, right? So, just be careful, you know, this is not just about cyber security. It's not about, it's about social security. Not SSS, but we're talking about avoiding social hacks, right?
Social hack is, it's a very simple framework. They distract the target, and then there's a whole team behind it to attack. Once they attack, they get the item, they get their password, they get their anything. Then they spread out, they disappear. Just like, just like the heist in the US, that one, The Italian Job. What's that movie with Will Smith?
Mclaine: Enemy of the States
Philippe: No, no, no, no, Will Smith, let me look at this, Will Smith. There's a movie called Focus by Will Smith. It's a really nice movie. He is the mastermind, and he has a group. He has a big group. They would go to Vegas, and then they have a strategy on how to steal.
Mclaine: Oh, yeah, yeah, yeah
Philippe: All of the ones in the team are professional thieves. So you could steal the watch, you could steal a necklace and all that. And then they do it in bulk and do it massive, so nobody would notice. Most of the time, what happens in heists is they take one item — a diamond or whatever. This one, in the movie, they go big.
Mclaine: I like the part at the stadium. That is social hacking on a different level. So brilliant. Their target was influenced on so many levels. All they had to see was the number, 88? 55?
Philippe: 55, 88, whatever, they hacked that person. From the time that, well, for a week, everywhere that person looked, they kept seeing that specific number subconsciously. Brilliant. That's something else. That's super. That's just targeted. That's why it's Focus, right?
Yes. Every time you see, let's say, a certain number, you keep seeing that certain number, let's say 88. And then for a whole week, you don't notice it but here it says 88, the car's plate number is 88, anywhere you go 88. Then there are ads, 88. Right? Here, 88. You go to the lotto, 88. If there is one, 88. You go to a scratch card and you pick 88, right?
Philippe: Wow. That's social hacking on a different level. That's something else. What is that, really? A heist. What is it, really? A con artist. That's something else. Brilliant. That's really a brilliant mind. So much. On a different level already. Different.
Okay. So stay safe. Secure your devices. Secure your passwords. Yes. Your GCash, your Maya. Make sure you're careful with links. If it's something like BDO.xyz, skip that one, right?
Mclaine: Me, with SMS, anything new that I receive, I open it but not the links. I just look at what it is. Especially for those who do online gaming: remember, once you've registered, expect that you will be receiving text messages from different platforms or different numbers.
What happens there is they give away or distribute the number details, your actual number. It circulates on online gaming platforms. You will receive from I1bet, then… JL whatever
Philippe: Here's the problem: I don't think it's only for online gaming platforms. We have so many numbers registered, with Meralco, with SM promos, whatever. Registered with Robinsons. When you fill out forms for reward cards, any database can be hacked. Not only gaming platforms but any database.
Because people say, "Ah, that came from Globe, they know, maybe someone sold the information." Could be. But for others, it's whoever is collecting the information. For example, surveys. For example, rewards cards, that's number one.
Philippe: You go to Robinsons, there's a rewards card. You go to… basically whoever has a rewards card has a database. Even in BPOs, right? There's already a list of credit cards. It already happens offshore. I'm sure it happens here. And that's in a BPO. Right?
When you sign up anywhere. Raffle. At the mall. Raffle. You put in your number. You put in your number. Right? We entered, there was a motorcycle raffle at the place where we eat. Right there. Right there. There's a database. Someone inputs that. Right?
Mclaine: I remember that raffle. The whole stub was put in, not torn off. I said, how are we going to win that?
Philippe: They didn't take the control number, unbelievable.
Mclaine: Funny