An internet watchdog pressed BDO Unibank Inc. to explain a viral fraud case, but the bank fired back, rejecting claims of a breach and blaming lapses on the customer side.

Scam Watch Pilipinas co-founder Art Samaniego Jr. issued a statement on Facebook a day before BDO’s September 18 advisory, calling on the bank to explain how account limits could have been exceeded. The next day, BDO flatly denied any breach or insider involvement, attributing the case to customer-side lapses.

Samaniego said BDO’s initial framing of the incident — linking it to “social engineering” and “familial fraud” — failed to address the main issue.

“It leaves unanswered the most crucial question depositors are asking — how were the bank’s own security limits bypassed?” he said.

He explained that daily withdrawal and transfer caps are intended to serve as “circuit breakers” in case of fraud. “If PHP189,000 was withdrawn from an account with a PHP50,000 cap, that means safeguards failed. Customers cannot override these restrictions. If they were crossed, the compromise happened within the bank’s systems, not on the customer’s device,” he said.

Samaniego also cautioned against shifting responsibility onto depositors. “Fraud monitoring, OTPs, and account limits exist precisely because scams happen every day. When these defenses are breached, blaming the victim is not only unfair — it is irresponsible,” he said.

He called on BDO to publicly confirm the complainant’s daily transaction limit and explain how it was exceeded.

BDO, in its September 18 statement, rejected allegations of insider involvement and said its security measures remained intact.

“Recent social media posts by Maria Jamila Cristiana Gonzales Berenguer alleging a system compromise and insider involvement in alleged unauthorized transactions are baseless,” the bank said.

It explained that its investigation showed a password reset on September 14 followed by a device registration, both validated through a one-time password on the client’s registered device. “Such reset and device registration was validated through OTP on the client’s registered device, a day before the reported unauthorized transactions,” BDO said.

The bank added that the client admitted in an ABS-CBN interview that her mobile device had been in the hands of other people “at some point in time”. It also noted that alerts were sent promptly: “Log-in and registration alerts were sent to the client for these updates. Transaction Alerts were also sent promptly on September 15, 2025 — six hours before the client reported the issue via the BDO Hotline.”

BDO stressed that transfer limits were not bypassed. “BDO’s system remains secure, with no evidence of any breach or insider involvement,” the statement said. “The Bank reiterates that transfer limits were not bypassed, and our security controls remain in place.”

The statements came after Berenguer posted online about unauthorized withdrawals that reportedly drained ₱189,000 from her account, raising questions from depositors who want clarity on whether the loss stemmed from customer missteps alone or a breakdown in the very safeguards designed to protect their money.