SINGAPORE – Mr Adrian Kong, 50, thought he was buying beer on the cheap online, but was instead led to download a virus-laden app that gave scammers total control of his phone.
They allegedly hacked into his phone overnight and entered his DBS Bank account while he was asleep to increase his transfer limit, then stole roughly $60,000 of savings meant for his children.
Mr Kong’s case, which is being investigated by the police, adds to a growing number of malware scams involving victims whose bank accounts were emptied after they unknowingly installed a virus. It is the latest weapon of choice for scammers, who have siphoned at least $345,000 using such methods since July.
Speaking to The Straits Times on Tuesday, Mr Kong, a consultant working in the finance sector, said he was browsing through Facebook at 9.30pm on Aug 30 when he saw an advertisement promoting alcohol at “50 per cent retail price”.
He contacted the seller – “Mr Dizzy” – on Facebook Messenger and asked if he could buy 12 cans of Asahi beer, which was listed as $42 in total.
He did not suspect a scam since the sellers claimed to accept cash on delivery, putting him at ease as he did not need to take the risk of making an online transaction.
The seller sent Mr Kong a URL on WhatsApp to install a third-party app called “Go-shop v3.6”, which he downloaded on his Samsung Galaxy Note 10. He placed an order on the app to receive a rebate, but did not make any transaction using the app at the time.
At 9.50pm, Mr Kong received a notification from DBS that $10 was received. “Mr Dizzy” then texted him, saying it was a rebate awarded to Mr Kong, and urged him to check his banking app to see if he had received it.
Mr Kong said: “Unknowingly, I went into my bank account to check. I think this was the point where the scammers were able to see my phone and look at all the details I keyed in.”
Around 2am, Mr Kong clicked on his OCBC account while he was scrolling through his phone but found that he could not enter the app. As part of a new security feature rolled out in August, the app notified him that a third-party app called Go-shop was interfering with his OCBC app.
The security feature, which blocks apps from non-official platforms and flags those with risky permission settings, was rolled out in response to malware scams that often hacked into victims’ bank accounts. The feature alerts the user to the third-party app detected on the device and advises the user to delete the app or adjust its accessibility settings.
When Mr Kong informed “Mr Dizzy” about this, the putative seller apologised for the trouble and offered to meet him to help uninstall the app.
“I had a funny feeling after I put down the phone and went to sleep,” said Mr Kong. “And true enough, the next morning the worst happened.”
At 9am, he opened his bank app and found four unauthorised PayNow transactions on his account for sums between $7,683.30 and $19,882.50 to unknown contacts named “Kumara” and “Mohammad Sharul”.
Another transaction of around $16,000 was declined. No money from his OCBC account was stolen.
Mr Kong also received an e-mail from DBS at 2.59am that his transfer limit to other banks was increased to $125,000, but he missed the notification as he was asleep at the time. He reported the incident to the bank and the police.
Mr Kong said: “$60,000 to a middle-income family is huge. It was set aside for my two children for their expenses over the next few years for their tuition and daily expenses.
“After rushing to the police station, I told my wife what happened. She was so shocked.”
He also alerted friends to whom he had forwarded the beer advertisement, informing them that he had been scammed, and reported the post to Facebook.
He said he hopes other users will be alert to such scams, and suggested that there ought to be a delay before large transfer limits are granted to prevent such incidents, since they are high-risk transactions.
Banks have been required by the authorities since 2022 to seek additional confirmation with customers to process significant changes to accounts, such as the activation of a new soft token, following a spate of phishing scams.
In reply to queries from ST, the Monetary Authority of Singapore (MAS) said additional measures to protect customers from scams, which include requiring additional customer confirmations to process significant changes to customer accounts, such as changes to online transaction limits, have been in effect since Oct 31, 2022.
In June 2022, MAS required all banks to set the default transaction limit for online funds transfers to $5,000 or lower and to provide a “kill switch” for customers to freeze their accounts quickly if they suspect a scam.
When asked about the incident, a DBS spokesman said: “We have been working closely with the Government and industry partners on measures to address the risks relating to malware scams.
“There is a need to take a considered approach for this. As we work to provide a robust level of protection for our customers, we also want to keep the customer journey as frictionless as possible.”
Mr Kong’s case adds to a slew of scams linked to third-party apps that introduce malware. In August, at least 27 victims lost a total of around $325,000 after sellers advertising mooncake sales on social media directed them to install Android Package Kit (APK) files that contained viruses.
Scammers employed a similar modus operandi to siphon more than $20,000 from a 54-year-old woman who was looking online for food options for her elderly parents.
The rise in malware scams has prompted organisations like those in the banking and telco industries to raise cyber-security measures over third-party apps.
The police urged the public to enable two-factor authentication for bank apps and set transfer limits on Internet banking transactions. It advised people to only install apps from official app stores and to disable “Install Unknown App” or “Unknown Sources” in their phone settings.
Users who suspect their phone is infected with malware should turn their device to flight mode and run an antivirus scan. They should also check their bank, Singpass and Central Provident Fund accounts for any unauthorised transactions by other devices and report them to the police, if any, the police said.
Join ST’s Telegram channel and get the latest breaking news delivered to you.
content: ” “;
font-family: “SelaneWebSTForty”, Georgia, “Times New Roman”, Times, serif;