74-year-old man loses $70k after downloading third-party app to buy roast duck
For six hours, a 74-year-old man chatted online with a friendly roast duck seller he met on Facebook, only to find his life savings almost wiped out after.
Mr Loh lost about $70,000 to scammers who siphoned money from his DBS and POSB credit card and bank accounts after infecting his Android phone with malware.
He had chanced upon a Facebook advertisement for a peking duck from a supplier called “Xiao Xiao Ya Zi” on Aug 26.
He was enticed by the deal that offered $23.80 for a 1.5kg peking duck with $5 shipping and contacted the seller on Facebook.
The seller texted Mr Loh on WhatsApp and instructed him through voice messages to download a third-party app called Grab&Go on his phone. The app prompted him to make a $5 payment through PayNow as a “deposit” before his order could be placed.
Mr Loh, who used to work as an importer, was initially suspicious of the ad but let his guard down when the seller convinced him that the promotion was not a scam.
“I asked him: ‘Is this a scam?’ He said that no one would be cheated of $5 and that this was a small thing. He told me that I had a lot of wisdom and experience. I agreed to proceed since this was a matter of only $5,” he told The Straits Times.
Within minutes, while he was still chatting with the seller, he noticed that his phone screen had gone blank.
When his phone restarted multiple times within 30 minutes, Mr Loh tried to close the third-party app and turn off his phone but failed.
Panicking, Mr Loh reached out to the scammer, who then reassured him that the phone reset was normal.
His wife, who overheard the conversation, realised something was amiss and called their daughter. She then got her brother to call DBS immediately.
The bank officer told the family that the scammers had raised Mr Loh’s transaction limit, which was set at $3,000. They transferred about $59,000 out of his DBS current account and POSB savings account. The scammers also took a credit advance of about $11,000 using his DBS credit card.
He said he had set aside that money for his retirement and medical expenses.
“I couldn’t believe the news. I thought: Why am I so stupid? I was so angry at myself for being cheated of my life savings. My family is frustrated and I ended up quarelling with my wife,” said Mr Loh, who has three children.
His daughter, who only wants to be known as Ms Ang, said that she had warned her parents about such scams.
“As his children, we are all heartbroken that he was scammed even after we educated our parents about such scams. We thought we had done enough to minimise the risk,” she said.
He sought help from DBS and made a police report on Aug 27.
The police confirmed that a report had been made and investigations are ongoing.
ST has contacted DBS, which also runs POSB, for comment.
Mr Loh also questioned why he did not receive any notifications when his transaction limits were increased.
“I know that some banks require a 12-hour cooling off period when there is an increase (in funds transfer limits). But my credit limit was changed immediately without my permission and knowledge,” he added.
Mr Loh has since changed his handphone and deleted his Facebook and Internet banking apps.
He said: “What I learnt was to not trust people online so easily. I’m not familiar with technology so it would be best to ask my children to help me buy something online rather than I do it myself.”
In the first half of 2023, at least $10 million in total was lost by over 750 scam victims due to unauthorised banking transactions performed by malware, which also resets the victims’ phones.
From mooncakes to fish and durian day tour tickets, the “sellers” of such goods and services on social media have been instructing interested buyers to click on links to download a third-party apps, which then allowed them to take control of the victims’ phones.
OCBC, UOB and DBS have recently announced greater controls aimed at protecting customers against malware-enabled scams.
For example, DBS will be pushing out a new anti-malware tool on its DBS/POSB digibank app progressively from September.
The anti-malware tool will restrict DBS users’ access to their app if it detects the presence of malware, apps downloaded from unverified app stores with accessibility permissions enabled, or ongoing screen sharing on a customer’s device.
Once a known malware is detected, customers will receive a pop-up notification requesting that they secure their devices. They can do so by disconnecting their mobile devices from the Internet and deleting suspicious apps to regain access to their banking app.