The National Privacy Commission (NPC) on Wednesday concluded that the unauthorized fund transfers from the mobile wallet GCash were the result of a “meticulous phishing scheme.”

“Upon our thorough investigation, we have determined that the unauthorized transactions in GCash accounts were a result of a meticulous phishing scheme,” Privacy Commissioner John Henry Naga said.

“Unknown threat actors took advantage of vulnerable GCash users, triggering the phishing scheme through online gambling websites such as ‘Philwin’ and ‘tapwin1.com.’”

The finance app temporarily halted its services on May 9 after unauthorized withdrawals from GCash accounts were reportedly transferred to accounts held by the Asia United Bank (AUB) and East West Banking Corp. (EWB).

Both AUB and EWB said they immediately acted on these reports.

Later in the day, GCash said they had already adjusted the e-wallets of all affected GCash users.

GCash’s own investigation also traced the incident to “a deliberate phishing attempt that happened outside of the GCash app.”

“Some users may have unknowingly shared their information [with] suspicious sites [masquerading] as legitimate brands or institutions. Upon detection of these unusual transactions, GCash immediately activated security protocols, and deployed its preventive security measures. This swift action enabled us to mitigate the impact [on] our customers, which [is] why we were able to correct their e-wallet balances immediately within 24 hours,” GCash said in a statement on May 13.

“We placed the app on extended preventive maintenance in order to ensure we’d exerted all means necessary to mitigate the impact of this incident.”

Naga said the NPC would employ the “full extent” of its powers under the law to penalize those who violate the Data Privacy Act of 2012.