What It Means
- The QRPh scam problem is not limited to GCash. It runs through the national QR payment system that connects over 70 banks and e-wallets.
- GCash and the CICC blocked over 3,200 merchants for using QR masking and fake payment pages to route users toward illegal gambling sites.
- The BSP’s June 2026 AFASA deadline for upgraded fraud management systems is three months away, and the QRPh infrastructure itself still lacks built-in anti-spoofing protections.
- Legitimate MSME merchants using QRPh may face tighter onboarding and verification as platforms scramble to close gaps.
- The enforcement action is reactive. The question now is whether the system can be hardened before the next round of exploitation.

GCash just purged more than 3,200 merchants from its platform for exploiting QRPh, the country’s national QR code payment standard. The operators were using QR masking and spoofed payment pages to redirect users toward illegal gambling sites and unauthorized transactions. GCash framed the move as proactive. The Cybercrime Investigation and Coordinating Center backed it publicly. And as a platform response, it was fast.
But the real problem is not what GCash did. It is what the QRPh scam pattern reveals about the infrastructure underneath.

QRPh Was Built for Speed, Not Verification
The Bangko Sentral ng Pilipinas launched QRPh in 2019 under Circular No. 1055 as the country’s unified QR code standard. The goal was interoperability. A single QR code that works across every participating bank and e-wallet, from BDO to Maya to ShopeePay. By 2026, QR-based payments account for roughly 60% of digital transactions in the Philippines, and the system connects more than 70 institutions.
That scale is the point. It is also the exposure.
QRPh was designed so that any participating institution could generate and accept QR codes across the network. The system prioritized reach and adoption. What it did not build into the standard was a user-facing verification layer that lets a consumer confirm, before completing a transaction, that the QR code they scanned actually routes to the merchant it claims to represent.
That gap is what every QRPh scam exploits. QR masking, fake payment pages, and spoofed interfaces all rely on the same structural weakness: the user has no reliable way to verify the destination before money moves.
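
An added example, not from the article or from any QRPh participant: one way a wallet could check the destination before payment by comparing the name shown in the QR payload with the name registered for the account it routes to. It assumes QRPh payloads follow the EMVCo merchant-presented tag-length-value layout (tag 59 merchant name, tags 26 to 51 merchant account templates); the sub-tag meanings, the registry, and the sample payloads are constructed for illustration.

```python
import unicodedata

def parse_tlv(data):
    """Split an EMVCo-style string into {tag: value}: 2-char tag, 2-digit length, value."""
    fields, i = {}, 0
    while i < len(data):
        tag, length = data[i:i + 2], data[i + 2:i + 4]
        if len(tag) != 2 or not length.isdigit():
            raise ValueError(f"malformed field at offset {i}")
        end = i + 4 + int(length)
        if end > len(data):
            raise ValueError(f"field {tag} overruns payload")
        fields[tag] = data[i + 4:end]
        i = end
    return fields

def normalize(name):
    """Case-, accent- and spacing-insensitive form for comparing merchant names."""
    folded = unicodedata.normalize("NFKD", name).casefold()
    return "".join(c for c in folded if c.isalnum())

def check_destination(payload, registry):
    """Return (verdict, registered_name) for the account the payload routes to."""
    top = parse_tlv(payload)
    shown = top.get("59", "")                  # merchant name as displayed to the payer
    for tag in sorted(top):
        if "26" <= tag <= "51":                # merchant account information templates
            acct = parse_tlv(top[tag])
            key = (acct.get("00"), acct.get("01"))  # assumed: acquirer id, merchant id
            if key in registry:
                ok = normalize(registry[key]) == normalize(shown)
                return ("match" if ok else "name_mismatch", registry[key])
    return ("unknown_merchant", None)

# Constructed registry and payloads (CRC field, tag 63, left out for brevity).
REGISTRY = {
    ("ph.example.acq", "M0001"): "Aling Rosa Store",
    ("ph.example.acq", "M0002"): "Unrelated Trading",
}
HEAD, TAIL = "000201010211", "5802PH5916Aling Rosa Store"
GOOD = HEAD + "26270014ph.example.acq0105M0001" + TAIL
MASKED = HEAD + "26270014ph.example.acq0105M0002" + TAIL   # name and account disagree
UNKNOWN = HEAD + "26270014ph.example.acq0105M0999" + TAIL  # account not in registry

if __name__ == "__main__":
    for label, p in (("good", GOOD), ("masked", MASKED), ("unknown", UNKNOWN)):
        print(label, check_destination(p, REGISTRY))
```

A wallet applying this would hold or warn on `name_mismatch` and `unknown_merchant` and show the payer the registered name rather than the one carried in the code.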

GCash Acted. The Rest of the Network Has Not.
GCash’s enforcement numbers are large. Over 3,200 merchants blocked, coordinated with the CICC and the PNP Anti-Cybercrime Group since 2025. The company says it uses proactive monitoring to flag unauthorized merchants and disable links to fraudulent operations. It reports suspicious transactions to the CICC and the Anti-Money Laundering Council.
But GCash is one participant in a multi-institution payment rail. The QRPh scam problem does not stop at GCash’s perimeter. Maya, ShopeePay, GrabPay, and dozens of rural banks and e-wallets all participate in the same system. If a fraudulent QR code routes a transaction through a different institution, GCash’s internal controls do not apply.
No other major QRPh participant has announced a comparable purge or disclosed the scale of QRPh scam activity on its platform. That silence is not reassuring. It raises a direct question: are other institutions simply not detecting the same patterns, or are they choosing not to disclose them?

The Scale of Fraud Behind the Numbers
The QRPh scam wave sits inside a much larger problem. A 2025 report from the Global Anti-Scam Alliance found that 77% of Filipino adults encountered a scam attempt in the prior 12 months, averaging 239 scam exposures per person annually. Total estimated losses reached ₱280.5 billion. E-wallets were the channel used to collect illicit proceeds in 74% of cases.
The CICC recorded roughly 6,000 cybercrime complaints in 2025, down from a record 10,004 in 2024. But the GASA data suggests a much wider unreported base. Only 73% of victims said they reported scam attempts, and among those, 40% said no action was taken.
These are not just consumer losses. For MSMEs that depend on QRPh for daily collections, every QRPh scam headline chips away at customer trust in the payment method itself. A sari-sari store owner in Quezon City using a QRPh standee is now competing against the perception that QR codes might not be safe. That reputational cost is diffuse but real.

AFASA’s June Deadline Is Three Months Away
The regulatory backdrop makes this story more urgent. Republic Act 12010, the Anti-Financial Account Scamming Act signed in July 2024, requires BSP-supervised financial institutions to upgrade their fraud management systems by June 2026. The BSP has said it is not granting extensions.
Under AFASA’s implementing rules, covered institutions must build systems that detect behavioral anomalies, screen against blacklists, monitor geolocation, and track device and account changes. They must also limit reliance on SMS-based one-time passwords and move toward biometric and multi-factor authentication.
The QRPh scam pattern, where fraudsters redirect transactions through spoofed QR codes and fake interfaces, is exactly the kind of attack that upgraded fraud management systems are supposed to catch. The June 2026 deadline is the test. If another wave of QRPh scam activity hits after that date, the question shifts from “are institutions upgrading?” to “did the upgrades actually work?”

The Infrastructure Gap Is the Real Story
GCash blocking 3,200 merchants is a cleanup. It is not a fix. The QRPh scam problem is structural. It lives in a payment rail that was built for adoption speed and interoperability, not for real-time merchant verification at the consumer level.
Until QRPh includes a system-wide mechanism that lets users verify where their money is going before the transaction completes, platform-level enforcement will always be reactive. One institution blocks bad actors. Another may not catch them at all. The fraudsters simply move across the network.
The BSP built QRPh to bring millions of Filipinos into digital payments. That project worked. But the same infrastructure that made payments easy also made QRPh scam operations scalable. Closing that gap is not GCash’s job alone. It is a system-level problem that needs a system-level response, and the June 2026 AFASA deadline is the first real pressure test.