Woman looking to order tingkat meals loses over $20k after downloading third-party app


SINGAPORE — A food delivery order that was supposed to cost $58 ended up costing Lim (not her real name) over $20,000 after scammers took control of her Android phone and banking details remotely.

Lim, 54, lost almost $20,500 from a credit card account and two DBS savings accounts in hours after she clicked on a link to download a third-party app. Scammers then increased her credit limits and siphoned out all her money.

She had been looking for healthy tingkat (tiffin) meal delivery options for her elderly parents, and on July 26, she made an inquiry after seeing a Facebook ad from a company called Healthy Box.

The ad appeared to be from local caterer Grain, whom she had ordered from before. Hence, she was not suspicious.

She contacted the poster of the advertisement via Facebook Messenger, after which the conversation continued on WhatsApp at around noon that day.

After the person confirmed they were from Grain, they sent her a link via WhatsApp to download an app — one that she had not used before — to make the order. She then installed the app, which she said looked exactly like the mobile-enabled version of Grain's site.

When asked to make payment of $58 via PayNow to another number, she received a message saying that the vendor had not installed PayNow and that she could send the vendor a link to do so.


She then messaged the person to inform them that their PayNow was not working and asked them to check on it, but did not receive a reply.

Lim, who works in events and marketing, went back to her online meetings. About 90 minutes later, when taking a lunch break, she noticed that her phone felt "burning hot".

When she switched it on, the phone showed a blank screen and it had automatically performed a factory reset. Not suspecting anything, she followed the sequence to reset the phone and set it up again, as one would with a new phone.

Later that day, when she attempted to use her ATM card to withdraw money at around 6pm, she realised that her bank balance was zero.

She called the DBS customer service hotline, and an officer confirmed that $20,493.87 had been transferred out of her account.

A few days later, she went to the DBS headquarters in Marina Bay, where a customer service officer uncovered some of what had transpired.

First, the credit limit on her DBS Everyday credit card had been increased from $14,500 to $18,500.

A total of $17,850 was transferred from the credit card account to her POSB Savings account. Another $1,553 was also transferred to this POSB account from a third account she owns, a DBS Savings account.

Through Internet banking, the total amount of $20,493.87 — she is unsure where the additional amount of $1,090.87 came from — was then transferred from her POSB account to three different Standard Chartered accounts in the amounts of $6,281.40, $6,258.95 and $7,953.52.

"It's very scary... how did (the scammers) manage to increase my credit limit without any verification?" asked Ms Lim, who also questioned how there were so many large transactions made without any notifications sent to her.

A week later, on Aug 2, she received a letter from DBS — dated July 26 — informing her that her request for a credit limit increase on July 26 had been approved.

She said: "I'm very shocked... when you try and increase your withdrawal or credit limit, they ask you so many questions, so why weren't any questions asked of that person (who made all the transactions)?"

Lim made a police report on July 26. Catering company Grain also made a police report on July 27 about scammers mimicking its mobile application. Police have told The Straits Times that investigations are ongoing.

After her savings were wiped out, Lim said she is unable to meet the payment deadlines set by the bank for her credit card bill.

The last message from the bank asked for an interest payment of $4,075, which has to be paid by Aug 12.

"We have nothing in the bank, we have nothing to return," said Ms Lim as she choked up in tears.


While she has friends who have extended money and supermarket vouchers to her family, she is worried about paying for her housing and other such loans.

She added that she is traumatised, and that "every (new) message on my phone now scares me to bits... I have lost confidence in phone banking".

In desperation, Lim sought help from her MP to write appeals to DBS, the police and the Monetary Authority of Singapore (MAS) to waive the amount that was drawn from her credit card account.

When contacted, DBS said it has dedicated resources to "act swiftly and assist" customers who are scammed, including a dedicated fraud hotline — 1800-339-6963 (from Singapore) or (+65) 6339-6963 (from overseas) — or the safety switch function on the digibank app, which would temporarily block access to funds.

"We will assist these customers with necessary follow-up actions, which include making a police report, or replacing their cards / re-securing their accounts," DBS said, adding that scammed customers can also report fraud in person at any DBS bank branch.

"While we continue to adopt multi-pronged measures to strengthen fraud prevention and recovery, customers remain the first line of defence in safeguarding against scams."

Malware scams plaguing Android users on the rise

A spate of banking-related malware scams has plagued Android users in recent months, resulting in unauthorised transactions being made from victims' bank accounts. This has happened for users across banks, according to various media reports.

The police said they have seen an increase in the number of reports from Android users related to such scams, which have, in some instances, resulted in their bank accounts being emptied.

This occurred despite victims not disclosing their Internet banking credentials, one-time passwords or Singpass credentials.

Last week, 10 suspects were arrested by the police for their suspected involvement in malware scams, where at least two Android users lost $99,800 of their Central Provident Fund savings in June. Six others are assisting in investigations.

Modus operandi of scammers

The police said the victims fell prey to these scams after responding to advertisements on social media platforms, where scammers would instruct them to download Android Package Kit files from third-party app stores in order to make purchases.


Instead of a legitimate app, however, malware would be installed on their phones, with scammers urging the victims to enable accessibility services on their devices.

In doing so, their phones became vulnerable and this allowed scammers to take full control of the devices, including enabling them to record every keystroke and steal banking credentials stored on the phone.

The scammers could then remotely log in to victims' banking apps, add money mules as payees, raise payment limits, and transfer money. They could also erase their tracks by deleting SMS and e-mail notifications that the banks issued.

In a joint advisory on Tuesday (Aug 15), the police and the Cyber Security Agency of Singapore highlighted the "increasingly sophisticated tactics" that scammers use to steal sensitive information from people's Android devices.

They said that the openness of the Android operating platform — which allows for greater flexibility and customisation for developers and users — makes it an appealing platform for scammers.

"Users of Android devices are advised to be aware of the potential risks and to follow the best practices to safeguard their devices," the joint statement said.

Banks stepping up security features

Banks have also been stepping up security features, having acknowledged that scammers are deploying increasingly sophisticated tactics.

Last week, Android phone users with the OCBC digital app received a security update designed to protect customers from malware. Users who had downloaded apps from other portals instead of an official store found that they were unable to access their OCBC online banking services. They would need to delete these apps to be able to use OCBC app banking services again.

MAS explained: "Security measures will come with some measure of added inconvenience for customers, but they are necessary to maintain security of and confidence in digital banking."

Last week, Mrs Ong-Ang Ai Boon, director of the Association of Banks in Singapore, warned that "in general, consumers who do not take the necessary precautions will be expected to bear the losses arising from malware scams".


This article was first published in The Straits Times. Permission required for reproduction.
