New banking scam tricks

Scammers are becoming innovative when it comes to tricking their victims: now they use mobile apps for phishing.

Cyber scams have been around since the dawn of the internet. Victims are usually scammed out of their money and private data via emails, phone calls or messages containing links that lead to a scam website. The techniques scammers use are always changing, but the underlying principle remains the same: they pretend to be someone they are not, and under this cover they lure you into doing something you would not normally do.

Here is a new scam technique that has just surfaced in Malaysia. It combines three elements: social engineering, a scam website and a mobile app.

Part 1: Social engineering

In the past, scammers would call and identify themselves as an officer from a bank or another organization, quoting a rank and an ID number to seem more credible. They would then ask you to read out your bank account number, or even your personal identification number. After that they would ask you some “security questions”, and by answering them you would hand over exactly the information they want.

In a new twist, instead of a call from a scammer, victims receive an SMS or, in some cases, a WhatsApp message from a “bank” informing them of a privacy breach and that their information has been compromised. The message asks them to go to the bank’s website to perform an identity verification.

The link provided leads to a page that looks legitimate at first glance and closely resembles the real one, but it isn’t: it is a well-crafted webpage designed to mimic the bank’s real website.

Part 2: A New Twist – Download the app

Up to this point it looks like a regular scam. In the usual scenario, this page would be a phishing page designed to steal your data. But in this case it isn’t. The page instructs users to download an Android app (which has since been removed from Google Play) under the pretext of a secure app for confirming their details. Victims are asked to install it, open it and fill in their details inside it.

image from Bank Negara Malaysia’s Twitter post

Now that’s phishing. Once the information has been entered, the scammers use it to withdraw or transfer all the money from the bank account, since they now have everything they need to access it. Once that is done, the scammers contact the victims via WhatsApp or SMS and ask them to delete the information they submitted. The communication then ends.

How to stay safe?

Two things help against such scams: knowing about them and being careful. Now that you have read this post, you know about the new scam. Here is how you can be careful and avoid similar scams:

  • If you receive a call or a message from someone claiming to be your bank, contact the bank or organization directly using the contact details on its official website or in its app. Do not reply to the call or message itself.
  • Do not click on links that arrive in e-mails and messages. Type the address yourself or, if you cannot remember it, search for it with your favorite search engine and select the trusted result.
  • Never provide sensitive information such as PINs, passwords or CVV numbers in replies or over the phone, even to someone who says they are a bank employee: banks never ask for such information.
  • Install a robust security app, such as Kaspersky Internet Security for Android, that can warn you about phishing websites and fake apps.