6 in 10 Filipinos Have Been Cybercrime Victims. Most of Them Thought They Were Safe.

6 in 10 Filipinos Have Been Cybercrime Victims. Most of Them Thought They Were Safe.


Let me give you the most important statistic in this entire post before anything else.

96% of Filipinos rate their online safety habits as good or very good.

Only 48% consistently follow basic cybersecurity practices — like using unique passwords.

Read those two numbers again. Ninety-six percent feel safe. Less than half are actually doing the basics.

That gap — between how secure Filipinos believe they are and how secure they actually are — is where cybercriminals live. And they are thriving in it.

Fifty-seven percent of Filipinos have already fallen victim to cybercrime — well above the Asia-Pacific average of 39 percent. Three Filipino user accounts were compromised every minute in 2025 — 1.3 million breached accounts across the year. Phishing websites targeting Filipinos jumped 423% in one year alone.

I am an IT professional working in a Philippine government office. I am the unofficial IT support for my office. I have written about network loops, BIOS settings, fiber breaks, and aircon-induced outages. I have also written about the bike scam that cost me ₱7,500 on Facebook, the Google settlement phishing email that landed in my spam, and how AI deepfakes fooled my 83-year-old mom on YouTube.

I am not immune to any of this. Neither are you.

This is the complete, honest, practical cybersecurity guide for every Filipino in 2026.

Quick Answer

How many Filipinos have been cybercrime victims? 57% — well above the APAC average of 39%.

What is the most common attack? Phishing and smishing — social engineering now drives more than 75% of all financial fraud in the Philippines.

What is the single most effective protection? Unique passwords for every account plus two-factor authentication. Most Filipinos do neither consistently.

Where to report: PNP Anti-Cybercrime Group: #8-CYBERCRIME or acg.pnp.gov.ph | CICC: 1326

The Philippine Cyber Threat Landscape in 2026

The numbers that should make every Filipino stop scrolling:

Three Filipino user accounts were compromised every minute in 2025. Over the year that relentless drip turned into 1.3 million breached accounts — pushing the Philippines to 25th place worldwide for breached accounts.

Phishing websites linked to Philippine targets rose from 731 in 2024 to 3,824 in 2025 — a 423% increase — reflecting a move away from isolated hacking incidents to industrialized cybercrime campaigns aimed at the country's mobile-first population. 

93% of Filipinos reported encountering scam attempts — meaning almost every Filipino online has been targeted at least once. 

And the statistic that matters most for understanding why the numbers are so high: nearly 70% of Filipino respondents admitted reusing passwords across multiple accounts — increasing the risk that a single hacked account could expose several others. 

This is not a problem of Filipinos being uninformed about cybersecurity. The issue is no longer awareness — it's behavior. 

People know they should use unique passwords. Most do not. People know they should not click suspicious links. Most click first and question later. People know their personal information has value. Most share it freely across dozens of apps and platforms without reading a single privacy policy.

The knowledge exists. The habits have not followed.

The 6 Most Common Attacks Targeting Filipinos

1. Phishing and Smishing

The dominant threat. A fake email or text message that appears to come from your bank, GCash, Globe, PLDT, or a government agency — containing a link to a fake login page designed to steal your credentials.

Smishing, or SMS-based phishing, has emerged as a dominant tactic, with attackers now using telecom-level manipulation — including IMSI catchers that intercept mobile traffic — to bypass mobile trust barriers. 

I wrote about this in my online scams awareness post — the fake GCash messages, the fake bank alerts, the links that look right until you check the URL carefully. The volume has only increased since then.

2. Social Engineering

Deceptive social engineering tactics drove more than three-quarters of all financial fraud in 2025. Most successful fraud does not come from exotic hacking tools but from persuasion — smishing, phishing, vishing, and love scams. 

Social engineering means manipulating a person into giving up information or access voluntarily. The "tech support" call claiming your computer has a virus. The Facebook message from a "friend" whose account was hacked asking for money. The romance scam that builds trust over weeks before requesting help with an emergency. These work because they target human psychology — not software vulnerabilities.

3. Account Takeovers Through Credential Stuffing

When your email and password from one data breach get tested against dozens of other platforms automatically — this is credential stuffing. If you use the same password for your email, your GCash, your online banking, and your social media — one breach exposes everything.

Nearly 70% of Filipino respondents admitted reusing passwords across multiple accounts. 

This means most Filipinos are one data breach away from losing access to everything simultaneously.

4. AI-Powered Deepfake Scams

I covered this in detail in a separate post — the ₱93 million doctor who lost everything to a fake presidential endorsement video, the senior citizen who was targeted by a fake investment platform, my own mom who saw a fake celebrity death video on YouTube.

Looking ahead, artificial intelligence will likely accelerate existing scams by making them faster, more convincing, and easier to scale. 

The deepfake problem is not getting smaller. It is getting more sophisticated every quarter.

5. Data Breaches from Third Parties

100% of organizations in the Philippines experienced cybersecurity incidents linked to supply chain vulnerabilities in 2025. 

This means even if you personally do everything right — use unique passwords, enable two-factor authentication, never click suspicious links — the companies and platforms holding your data may still be breached through their own suppliers and partners. Your information exists in dozens of databases you did not choose. Any one of them can be compromised.

This is not an argument for fatalism. It is an argument for limiting what you share, monitoring your accounts actively, and knowing how to respond when a breach happens.

6. SIM Swapping and Account Hijacking

A scammer contacts your telco — Globe, Smart, DITO — and convinces them to transfer your phone number to a SIM card they control. Once they have your number, every SMS OTP that goes to your number goes to them instead. This is why GCash phased out SMS OTPs in June 2026 — the SMS OTP was always the weakest link in mobile financial security.

The Complete Protection Checklist — Filipino Context

1. Unique passwords for every account. Non-negotiable.

I know you have heard this before. I know most people do not do it. Here is the practical solution that makes it possible:

Use a password manager — apps like Bitwarden (free), 1Password, or even the built-in password manager on Google Chrome or iPhone save and auto-fill unique passwords for every site. You remember one master password. The app remembers everything else.

If you are not ready for a password manager yet — at minimum, use unique passwords for your three most critical accounts: email, GCash/Maya, and your bank. Those three are the gateway to everything else.

2. Enable two-factor authentication on everything that offers it.

Two-factor authentication (2FA) means that even if someone has your password, they still need a second verification step — usually an app-generated code or biometric — to log in. Enable it on:

  • Your primary email account
  • GCash and Maya
  • Facebook and social media
  • Your bank's mobile app
  • Any platform that holds financial information

3. Enable push notifications for GCash — not SMS.

Following the June 2026 GCash transition, your OTPs now come through the app as push notifications rather than SMS text messages. This is significantly more secure — but only works if push notifications are enabled on your phone. Go to Settings → Apps → GCash → Notifications → ensure notifications are On.

4. Block your bank card when not in active use.

Most major Philippine bank apps — BDO, BPI, Metrobank, Security Bank, UnionBank, RCBC — now offer a card lock/unlock feature. Two taps to block. Two taps to unblock. A blocked card cannot be charged even if someone has the number. Use it.

5. Check if your email has been breached.

Go to haveibeenpwned.com right now — enter your email address. The site checks your email against a database of known data breaches and tells you if your credentials have been exposed. It is free, reputable, and takes thirty seconds.

If your email appears in a breach — change that password immediately on every site where you used the same credentials.

6. Slow down before you click.

The most powerful cybersecurity tool available to every Filipino costs nothing and requires no technology: a three-second pause before clicking any link.

Is this email or text actually from who it claims to be from? Does the URL in the message match the legitimate website? Was I expecting this message?

Three seconds. That pause has prevented more account compromises than any software solution.

7. Separate your digital wallet balance from your savings.

Keep only what you need for current transactions in your GCash or Maya. Link it to a bank account that does not hold your primary savings. If your e-wallet is compromised, the exposure is limited to the current balance — not your life savings.

8. Tell the elderly people in your household — today.

58% of Filipinos expect someone in their household to become a cybercrime victim within the next year. 

The most vulnerable members of most Filipino households are the ones who built their understanding of media and communication before digital fraud became industrialized. Your lola who watches YouTube. Your lolo who uses Facebook to follow the news. Your parent who receives SMS messages and trusts familiar-looking sender names.

One clear, loving conversation — "before you click anything surprising or send any money, show me first" — is the most effective cybersecurity protection available for the elderly people in your home.

What To Do If You Have Already Been Compromised

If your account was hacked:
Change your password immediately. Enable two-factor authentication. Check for any linked accounts or apps that may have been authorized without your knowledge. Report the compromise to the platform directly.

If money was transferred without your authorization:
Call your bank or GCash/Maya immediately and report the unauthorized transaction. Ask them to freeze the transfer if it has not fully processed. File a complaint with the PNP Anti-Cybercrime Group at acg.pnp.gov.ph or call #8-CYBERCRIME (#8-29274-2463). Report to CICC at the 1326 hotline. Document everything — screenshots, transaction records, phone numbers, conversation logs.

If your personal data was exposed in a breach:
Monitor your bank accounts and e-wallets closely for unusual transactions. Change passwords on any account using the same credentials. Consider placing a fraud alert with your bank. Do not wait for problems to appear — act preemptively.

The Honest Truth About Philippine Cybersecurity in 2026

I want to end this post with something that is not in any cybersecurity report.

The reason 57% of Filipinos have been cybercrime victims — while 96% think their habits are good — is not stupidity. It is the natural human tendency to underestimate threats that are invisible, evolving, and increasingly sophisticated.

The scam that cost me ₱7,500 on Facebook during the pandemic did not happen because I was careless. It happened because the scammer was good at what they did, I was excited about a purchase, and I moved faster than I should have. I knew about online scams. I still got caught.

The protection is not perfection. The protection is habits — consistent, practical, low-friction habits that reduce the opportunity for the next scam to succeed.

Unique passwords. Two-factor authentication. Three seconds before clicking. Card locked when not in use. One conversation with the elderly person in your household.

Five habits. Any Filipino can implement all five today at zero cost.

Seeing breaches as inevitable can breed fatalism or fear. A different response — practical vigilance paired with structural reform — is less exhausting and more effective. 

The threat is real. The defense is available. Use it. 

Disclaimer: This post is for public awareness and informational purposes only. Cybersecurity threats and best practices evolve rapidly — always verify current guidance from official sources including the DICT, PNP-ACG, and BSP. For cybercrime complaints, contact official channels directly. Think of this post as a diagnostic report — your security habits run the actual repair.

Mavs' Final Diagnosis

I am a BS Information Technology graduate who has been working in a Philippine government office for nine years. I fix network loops and BIOS settings and aircon-induced network outages. I design product labels for MSMEs in Photoshop. I walk 2km home every day.

I have been scammed on Facebook. I have received phishing emails. My mom has been targeted by AI deepfakes. My office colleagues have been socially engineered by people pretending to need IT help.

None of this is theoretical. All of it is the Philippine digital reality in 2026.

The statistics say 57% of Filipinos have been hit. I am in that 57%. You may be too. The question now is not whether cybercrime is coming — it already has, for most of us. The question is what we do next.

Check your passwords. Enable your 2FA. Lock your card. Have the conversation with your family.

The system needs maintenance. This is the maintenance.

Sources:

https://insiderph.com/more-than-half-of-filipinos-hit-by-cybercrime-despite-feeling-safe-online

https://www.philsecsummit.com/blogs/cyber-threat-trends-in-the-philippines-from-2025-to-2026-what-businesses-must-know/

Post a Comment

0 Comments