MANILA — January 12, 2026. GCash, the Philippines’ leading mobile wallet and finance superapp, has announced a major security upgrade: users will now receive their one-time passwords (OTPs) directly inside the GCash app through secure push notifications, instead of via SMS.

For years, SMS-based OTPs have been the standard method of verifying transactions. However, these codes have increasingly been exploited by scammers through phishing, SIM swapping, and text message interception. By moving OTP delivery into the app itself, GCash aims to eliminate these vulnerabilities.

The company confirmed that the in-app OTP feature will be fully available by the first quarter of 2026. According to GCash Chief Information Security Officer Miguel Geronilla, “Our upgrade to In-App OTPs is a strategic move to put an end to phishable SMS OTPs. We will shift users to instant, GCash app-verified authentication, to increase the security of their daily transactions.”

How In-App OTPs Work

Instead of waiting for a text message, users will now receive OTPs instantly through push notifications within the GCash app. This means:

• Faster transactions — no more delays caused by poor mobile signal or SMS congestion.
• Reduced risk of fraud — OTPs are tied directly to the authenticated GCash app, ensuring only the intended user can access them.
• Convenience — users no longer need to switch between apps or manually type codes.

GCash emphasized that this upgrade is part of its broader multi-factor authentication (MFA) strategy, aligning with global industry standards for digital security.

Protecting Users From Scams

The move comes amid rising reports of online fraud and phishing attacks targeting e-wallet users in the Philippines. SMS-based OTPs have been a common entry point for scammers, who trick users into revealing codes through fake websites or malicious links.

By eliminating SMS OTPs, GCash hopes to significantly reduce exposure to these scams. The company also reminded users to enable push notifications on their smartphones to ensure they receive OTPs seamlessly.

GCash’s decision mirrors global trends in digital finance, where companies are shifting away from SMS authentication due to its vulnerabilities. Other fintech platforms and banks have also begun adopting in-app verification methods, biometrics, and hardware tokens to strengthen account protection.

GCash users are advised to:

• Update their app to the latest version once the feature is rolled out.
• Turn on push notifications in their phone settings.
• Remain vigilant against suspicious links or messages, even with the new system in place.

The company assured that the transition will be smooth, with clear instructions provided to guide users through the change.

 Security Improves, Vigilance Still Required

GCash’s move to in-app OTPs is a welcome step. SMS-based codes have long been the weakest link in digital payments, easy prey for phishing, SIM swapping, and fake links. Shifting authentication inside the app closes a door scammers have abused for years.

But better technology should not create false comfort. Scams evolve fast, and fraud does not disappear just because one method is blocked. Criminals adapt, targeting user behavior, social engineering, and moments of panic rather than systems alone. Security upgrades work best when matched with informed users and quick response mechanisms.

This change also raises a broader issue. Digital finance now plays a daily role in Filipino life, from bills to small savings. Protection cannot rely only on app features. It requires continuous education, clear accountability, and strong enforcement against cybercrime.

With stronger tools now in place, the real test begins: will improved security reduce scams, or will complacency give fraudsters new openings?