Woman loses over $20k from credit card and bank accounts after downloading third-party app, Latest Singapore News - The New Paper

A food delivery order that was supposed to cost $58 ended up costing Ms Lim (not her real name) over $20,000 after scammers took control of her Android phone and banking details remotely.

Ms Lim, 54, lost almost $20,500 from a credit card account and two DBS savings accounts in hours after she clicked on a link to download a third-party app, following which scammers increased her credit limits and siphoned out all her money.

She had been looking for healthy tingkat (tiffin) meal delivery options for her elderly parents, and decided to make an inquiry on a Facebook ad from a company called Healthy Box on July 26.

The ad appeared to be from local caterer Grain, whom she had ordered from before, hence she was not suspicious.

She contacted the poster of the advertisement via Facebook messenger, after which the conversation continued on WhatsApp at around noon.

After the person confirmed they were from Grain, they sent her a link via WhatsApp to download an app - one that she had not used before - to make the order. She then installed the app, which she said looked exactly like the mobile-enabled version of Grain’s site.

When asked to make payment of $58 via PayNow to another number, she received a message saying that the vendor had not installed PayNow and that she could send them a link to do so.

She then messaged the person to inform them that their PayNow was not working and asked them to check on it, but did not receive a reply.

Ms Lim, who works in events and marketing, went back to her online meetings and about 90 minutes later, when taking a lunch break, she found her phone felt “burning hot”.

When she switched it on, the phone showed a blank screen and it performed a factory reset automatically. Not suspecting anything, she followed the sequence to reset the phone and set it up again, as one would with a new phone.

Later that day, when she attempted to use her ATM card to withdraw money at around 6pm, she realised that her bank balance was zero.

She called the DBS customer service hotline, where an officer confirmed that all her funds had been transferred out and there was also a bank transfer of $20,473.87.

A few days later, she went to the DBS headquarters in Marina Bay, where a customer service officer uncovered some of what had transpired.

First, the credit limit on her DBS Everyday credit card had been increased from $14,500 to $18,500.

A total of $17,850 was transferred from the credit card account to her POSB Savings account. Another $1,553 was also transferred to this POSB account from a third account she owns, a DBS Savings account.

Through Internet banking, the total amount of $20,493.87 - she is unsure where the additional amount of $1090.87 came from - was then transferred from her POSB account to three different Standard Chartered accounts in the amounts of $6,281.40, $6,258.95 and $7,953.52.

“It’s very scary...how did (the scammers) manage to increase my credit limit without any verification?” asked Ms Lim, who also questioned how there were so many large transactions made without any notifications sent to her.

A week later, on Aug 2, she received a letter from DBS - dated July 26 - informing her that her request for a credit limit increase on July 26 had been approved.

She said: “I’m very shocked...when you try and increase your withdrawal or credit limit, they ask you so many questions, so why weren’t any questions asked of that person (who made all the transactions)?”

Ms Lim made a police report on July 26. Catering company Grain also made a police report on July 27 about scammers mimicking its mobile application. Police have told The Straits Times that investigations are ongoing.

After her savings were wiped out, Ms Lim said she is unable to meet the payment deadlines set by the bank for her credit card bill.

The last message from the bank asked for an interest payment of $4,075, which had to be paid by Aug 12.

“We have nothing in the bank, we have nothing to return,” said Ms Lim as she choked up.

While she has friends that have extended money and supermarket vouchers to her family, she is worried about paying for her housing and other such loans.

She added that she has been traumatised, and that “every (new) message on my phone now scares me to bits...I have lost confidence in phone banking”.

In desperation, Ms Lim sought help from her MP to write appeals to DBS, the police and the Monetary Authority of Singapore (MAS) to waive the amount that was drawn from her credit card account.

Contacted, DBS said it has dedicated resources to “act swiftly and assist” customers who are scammed, including a dedicated fraud hotline - 1800-339-6963 (from Singapore) or (+65) 63396963 (from overseas) - or the safety switch function on the digibank app, which would temporarily block access to funds.

“We will assist these customers with necessary follow-up actions, which include making a police report, or replacing their cards / resecuring their accounts,” DBS said, adding that scammed customers can also report fraud in person at any DBS bank branch.

“While we continue to adopt multi-pronged measures to strengthen fraud prevention and recovery, customers remain the first line of defence in safeguarding against scams.”  

Malware scams plaguing Android users on the rise

A spate of banking-related malware scams has plagued Android users in recent months, resulting in unauthorised transactions being made from victims’ bank accounts. Users across banks have been affected, according to various media reports of scam victims’ accounts.

The police said that they have seen an increase in the number of reports from Android users related to such scams, which have, in some instances, resulted in their bank accounts being emptied.

This occurred despite victims not disclosing their Internet banking credentials, one-time passwords or Singpass credentials.

Last week, 10 suspects were arrested by the police for their suspected involvement in malware scams, where at least two Android users lost $99,800 of their Central Provident Fund (CPF) savings in June. Six others are assisting in investigations.

Modus operandi of scammers

The police said the victims fell prey to these scams after responding to advertisements on social media platforms, where scammers would instruct them to download Android Package Kit files from third-party app stores in order to make purchases.

Instead of a legitimate app, however, malware would be installed on their phones, with scammers urging the victims to enable accessibility services on their devices.

In doing so, their phones became vulnerable and this allowed scammers to take full control of the devices, including enabling them to record every keystroke and steal banking credentials stored on the phone.

The scammers could then remotely log in to victims’ banking apps, add money mules as payees, raise payment limits and transfer money. They could also erase their tracks by deleting SMS and e-mail notifications that the banks issued.

In a joint advisory on Tuesday, the police and the Cyber Security Agency of Singapore (CSA) highlighted the “increasingly sophisticated tactics” scammers use to steal sensitive information from people’s Android devices.

They said that the openness of the Android operating platform – which allows for greater flexibility and customisation for developers and users – makes it an appealing platform for scammers.

“Users of Android devices are advised to be aware of the potential risks and to follow the best practices to safeguard their devices,” the joint statement said.

Banks stepping up security features

Banks have also been stepping up security features, having acknowledged that scammers are deploying increasingly sophisticated tactics.

Last week, Android phone users with the OCBC digital app got a security update designed to protect customers from malware. Users who had downloaded apps from other portals instead of an official store found that they were unable to access their OCBC online banking services. They would need to delete these apps to use OCBC app banking services again.

But the Monetary Authority of Singapore (MAS) explained: “Security measures will come with some measure of added inconvenience for customers, but they are necessary to maintain security of and confidence in digital banking.”

Last week, Mrs Ong-Ang Ai Boon, director of the Association of Banks in Singapore, warned that “in general, consumers who do not take the necessary precautions will be expected to bear the losses arising from malware scams”.