GCash has warned Filipino users about a new scam exploiting QRPh, the national QR code standard, where fraudulent payment pages mimic legitimate merchant portals to divert funds to illegal gambling sites.
The Philippine fintech firm aims to continue to strengthen its anti-fraud efforts as vulnerabilities in digital payments arise, urging the need for stronger consumer vigilance and regulatory oversight.
‘Quishing’ Scams and How They Work
Quishing scams, sometimes referred to as QR code phishing, work by exploiting the trust and convenience associated with QR codes.
Fraudsters create malicious QR codes that appear legitimate, often mimicking those used by banks, e-wallets, or merchants. When a consumer scans the code, they are redirected to a fake website designed to look like an official payment portal.
These counterfeit sites typically request sensitive information such as login credentials or prompt users to authorize transactions that secretly transfer funds to the scammer’s account.
Because QR codes themselves are opaque to the user, it is difficult to visually distinguish between a genuine and fraudulent code, making this form of phishing particularly effective.
Rise of QRPh and Hack Attempts
QRPh, launched by the Bangko Sentral ng Pilipinas (BSP) in 2020, was designed to standardize QR code payments across banks and e-wallets, enabling seamless transactions nationwide.
By 2025, QRPh adoption had surged, with BSP reporting over 10 million active QRPh transactions monthly.
The system was hailed as a breakthrough for financial inclusion, allowing small merchants and consumers to transact digitally without expensive point-of-sale terminals. However, its popularity has also made it a target for fraudsters.
How GCash was Targeted
GCash, the country’s largest e-wallet with more than 80 million registered users, recently uncovered a network of illegal gambling websites using fake QRPh interfaces.
These sites created counterfeit GCash payment portals and generated fraudulent QR codes that redirected funds to unauthorized merchants. Instead of facilitating legitimate payments, unsuspecting users were tricked into funding illicit operations.
The mechanics of quishing often involve social engineering.
Scammers distribute fake QR codes through emails, text messages, posters, or even embedded in counterfeit merchant payment systems. For example, a user might receive a message claiming to be from their bank, urging them to scan a QR code to resolve an urgent issue.
Once scanned, the user is taken to a spoofed site that captures their credentials or initiates unauthorized payments.
In some cases, fraudsters embed these codes in advertisements or online promotions, luring victims with discounts or rewards. The automation of QR-based payments means that once a user authorizes a transaction, funds can be moved instantly, leaving little time for reversal.
Staying Vigilant
GCash reminds users to stay alert for key warning signs before completing any payment:
- Suspicious website URLs that imitate GCash domains (e.g., “gcash-payments.com,” “gcsh.payment.com” instead of the official “payments.gcash.com”)
- Mismatch in merchant identity, especially when the name displayed is random, incomplete or unrelated to the actual business (e.g., “XJ82q” or “Merchant_123”)
- Payment pages that feel inconsistent or unfamiliar, despite using GCash or QRPh logos
Safeguard are Needed
To restore confidence, regulators and industry players must work together on several fronts. First, consumer education campaigns should be intensified, teaching users how to spot fraudulent QR codes and verify merchant details.
Second, technological safeguards such as AI-driven anomaly detection and blockchain-based transaction verification could be deployed to make QRPh more resilient.
Third, legal enforcement against operators of illegal gambling sites must be strengthened, sending a clear signal that fraud will not be tolerated.
For consumers, the lesson is clear: convenience should never come at the expense of caution. Verifying merchant names, avoiding suspicious links, and transacting only within official apps are simple but effective steps to protect against scams.
For the market, the challenge is to ensure that digital innovation continues to expand access without compromising trust.
