The Covid-19 pandemic has unfortunately brought about a rise in online-based scams. Notable examples include the online ‘Tengku royalty’ scam and scams involving those in search of jobs.
Recently, Smith Ang, a Malaysian took to his Facebook to inform the public of a new and innovative ‘phishing’ technique. ‘Phishing’ is a scam used to steal user data including login credentials and bank account numbers and occurs when a scammer pretends to be a trusted entity to dupe a victim into doing so.
He wrote, “I’ve been searching for cleaners, and Facebook prompted one of the ads that caught my attention. Promotion! Who doesn’t like a good 50% promo.”
“As you can see in the WhatsApp chat, I was asked to download an app, an APK file to be exact. Rarely do vendors ask their customers to download APK files directly.”
“Most will give you a link to the official app store. Don’t trust anyone who sends you an APK file. That doesn’t mean the official app store is safe either,” he added.
Part 4: Intel Gathering
He added, “The app is well-built, even had its PDPA disclosure done correctly. The registration info required is name, email, password and mobile number. Upon finding the date and package I wanted, I had to key in my address.”
Part 5: The Bank
The next part involved the supposed payment process. Instead of it being the real bank, it’s actually a FAKE bank login.
“Conveniently, the credit card payment is greyed out (under maintenance) and the only option available is FPX. There are a few banks to prey on: Maybank, Affin, Public, CIMB, BSN and RHB.”
“After selecting the desired bank, a very familiar bank interface appears in front of you. If you see the Maybank UI, there is a note: ‘Note: you are in a secured site’ that replaces the usual catchphrase.”
“So when filling up the bank login details, no matter what you put in, it will always show ‘Invalid User ID or Password [Err Code: FE0067]’, now, this gibberish error code is the same for all the banks you select. Don’t tell me all the banks are using the same system developer?”
“I had a bad feeling, but I brushed it off as I was too tired,” said Ang.
Almost losing RM4,860
The very next day, Ang detailed how he had received a text message which said “RM0 PBe DO NOT share this code. DuitNow Transfer RM4,860.00 to NOORALIF SAFWA.”
“I immediately logged into my bank account, and I received the ‘Duplicate Login’ and that’s when I suspected it. Without hesitation, I sprung into quick finger mode. I was fighting for access with the intruder for the login rights.”
“Whenever I tried to change my password, it (my account) will be logged out. Years of playing speed typing games during my younger days boosted my typing speed. I won the login match and changed the password,” he said.
He then noted all the possible data of himself that the scammer would’ve gotten if it was successful.
This includes:
- Name
- Phone Number
- Email Address
- Mobile Phone
- Address
- Bank User ID
- Bank Password
“This is a very sophisticated operation. Why? It preys on our weakness (got promotion ah?) and the fact that the entire scam ecosystem is well planned. From the curation of the marketing and advertisement to the almost flawless app,” he said.
“For those who are unaware, when you allow the app permission to read your SMS, this will include the incoming PAC/OTP code that your bank sends (SMS) to you for dual-factor authentication,” Ang added as a closing note.
So always beware of the possibility of falling victim to such scams. Always remember, if it feels suspicious, it probably is.
Have you ever fallen victim to an elaborate scam? Let us know in the comments.
Also read: Beware! New Scam Lures Victims With Promise Of Full-Time & Part-Time Jobs