Be vigilant: AI may be used to edit fund transfer screenshots. Here's how you can protect yourself
Artificial intelligence has evolved, allowing us to create entirely new photos from simple text prompts. But now, it comes with a jarring and alarming flipside: AI can alter bank transaction receipts.
A Facebook user exposed how AI can now be used to alter details on banking app proofs of payment, like fund transfer screenshots, with just a simple prompt.
On June 17, the user shared a screenshot of a ChatGPT conversation. In the exchange, the sender provided the chatbot with a proof of payment, then simply instructed it to modify the transfer amount to a higher value.
"Mag-ingat kayo, always check if pumasok ba sa account niyo yung transaction," the user warned.
The user recounted an experience where a batchmate sent her screenshots of payments, but upon checking her banking app, no such transactions were ever received.
"[Ang] mali ko is di ko nacheck right away," the user said, insinuating how she fell for the scam. She noted that other classmates had the same experience with the person in question.
PhilSTAR L!fe verifies the scheme
We tested things out using ChatGPT. In one upload, we used a screenshot from an old BPI transaction with a five-digit fund transfer. After a few minutes, the generated image showed that the transfer amount had been altered to make it less. Other details such as the date and time, confirmation number, transaction reference number, account name and number are all the same.
In another upload, we used a screenshot from an old BDO transaction with a four-digit fund transfer. In a moment, the generated image showed that the transfer amount had become a five-digit figure.
We noticed that the generated image is in PNG format, with a 1024x1536 resolution and a file size exceeding 1 MB.
The file name has 36 characters consisting of numbers and letters, divided into five sets and separated by four dashes. The format is 8 characters-4 characters-4 characters-4 characters-12 characters.
The generated fake BDO proof of payment, for instance, had the name "f798d85c-6303-47b9-8f26-57219ee5cb0a."
We also noticed that even if you shared a screenshot covering your entire phone screen—including the topbar with icons of the time, battery level, mobile signal, etc.—ChatGPT's generated image zooms in on the very transaction itself and leaves out other details of your uploaded photo.
How to spot fake transactions
Even before the height of ChatGPT, scammers have been using photo editing tools to take advantage of unsuspecting users.
In July 2024, a Facebook user shared how certain individuals sell services to create fake GCash receipts.
Amid the issue, GCash, in a statement, told users to verify fund transfers in the app's transaction history. The e-wallet platform said it's sending notifications through the app inbox to determine whether a fund transfer was successful.
This change comes after GCash shifted from sending text message confirmations to app inbox notifications during the peak of SMS scams and spam. This move aimed to eliminate clickable links from all email and text message alerts.
While users may permanently delete messages from their phone's inbox, the super app pointed out that their transaction history in the app cannot be deleted.
It also asked users to check their transaction's reference number, the unique 13-digit number that helps track and verify the transaction.
GCash told PhilSTAR L!fe on Thursday, June 19 that it has also started making in-app advisories for users to inform them about the proliferation of fake AI-generated transaction screenshots. It also reminded users to verify transactions under the transactions section on the app's home page and check the sender, amount, and reference number.
Back in December 2020, nine months into the COVID-19 pandemic, which saw a boom in online transactions and a surge in scams, BDO warned its users via a Facebook post about the dangers of fake screenshots used as proof of payment.
"Do not rely on photos or screenshots alone! Use BDO Digital Banking (now BDO Online) to double-check Send Money transactions to your account," it said.
BDO also noted that transfers from one BDO account to another and cash payments done over the counter reflect in real time, while transfers from other banks can take up to three banking days to show in the list of transactions.
BPI, in a June 18 Facebook post, or a day after the latest scheme went viral, sounded the alarm on edited or AI-generated proofs of payment.
It reminded users not to rely on screenshots and instead to check the BPI app or BPI online (web browser).
"Fund transfers between BPI accounts and interbank transfers via InstaPay are credited real-time kaya malalaman mo kung may pumasok talaga na pera sa account mo," it said. "Maging listo. Huwag magpaloko."