(2013 Top 10 Story) Scammers in Malaysia up their game with social engineering
By Gabey Goh February 13, 2014
(Originally published Nov 30, 2012)
This story serves as a reminder about how much of our real-world lives are tied to the digital world. While Digital News Asia (DNA) publishes its fair share of articles full of advice from experts in the security industry, having a human face to front such cautionary tales still remains the best vehicle to push the message forward.
This is certainly evidenced by the popularity of this article, which was published in 2012, yet continued to resonate in 2013 and was the eighth most-read story on DNA last year. Hopefully, the rising awareness and acknowledgement that individuals need to take the time and effort to secure their digital selves means we won't have another such story in 2014. – Gabey Goh
- Young consultant loses all money in her savings account
- Authorities aware, hampered by syndicates’ sophisticated methods
A LONG-awaited holiday to Bali was called off after Sheena Moses found herself the unwitting victim of a socially engineered scam.
On Nov 7, the 24-year-old consultant received a call from a telecoms operator with a message that she had an outstanding payment of RM3,040.
Unaware of what this payment was for, she pressed '0' to be connected to customer service and was told by the 'officer' that the outstanding bill was for a UniFi VIP20 subscription registered under her name at IOI Mall Puchong.
“At this point the first thing that struck my mind was that I was a victim of identity theft and this must have been the reason for my recently rejected housing loan application,” she recalled.
The customer service representative told Moses that if these were not in fact her details and she had not subscribed to UniFi, she should contact Bank Negara.
He provided her with the address and bank details of the person who had registered under her name, and asked Moses to call a specified number, which she did.
After she explained her situation to the operator, he said that the procedure involved filing a report and that her call would be recorded for court records under the 'identity theft' category for further investigation.
The operator, who gave his name as Desmond, guided Moses through a series of questions, showed concern over how her identity might have been stolen, asked whether she had lost her identity card recently and offered a lot of professional advice on how to guard against identity theft in the future.
“At this point, I was utterly convinced that I was speaking to Bank Negara due to the level of professionalism and concern that was being shown. He then transferred me to the investigation officer 'Mr Yong' who continued to show concern and mentioned that a monitoring process needed to be done to ensure my savings account was safe,” she told Digital News Asia (DNA) via email.
Yong then asked Moses to proceed to the nearest CIMB Bank branch to secure her account PIN in order for the case to proceed. He mentioned that the process could be done at any ATM nearby but did not ask precisely where her current location was.
Moses went to the ATM and got a call back from Yong, who then guided her through the process, which included a change of PIN and what seemed like a cash transfer.
“At this point I grew slightly hesitant and started asking questions, but all my questions were answered with the utmost professionalism to try and make me feel stupid for asking. He also said that he could see exactly what I was keying into the ATM and that way it was easy for him to guide me. When he said this, I was assured that the only people who could get access to such detail would be Bank Negara -- again my doubts were cleared,” she said.
“Like a silly, I waited three days before I realized my money was gone and they were not answering my phone calls. My boyfriend started researching and only then did we realize the entire thing was a scam, from the UniFi call right up to Bank Negara,” she added.
The discovery was made four hours before Moses’ flight to Bali, and the savings she had put aside for the trip were all gone.
“A total of about RM2,000 was taken from our bank account and we lost about RM1,600 from the money that had already been paid for our trip, which was cancelled. That’s a total of RM3,600 in damages,” she said.
Aware and trying
Moses is not the only victim in this socially-engineered scam. When contacted for comment regarding this matter, Telekom Malaysia Berhad (TM) confirmed that it was aware of the ongoing scam activity.
In a statement released to DNA, TM said it has received reports of customers receiving emails, phone calls, Interactive Voice Response (IVR) calls and text messages that claim to be from TM or its collection agencies, notifying customers that they had outstanding TM bills and requesting them to pay to a specific third-party account number.
“We wish to highlight that these credit management procedures with such a modus operandi are fraudulent scams and are not from TM,” the statement read.
TM said it has lodged a police report on the matter and has posted public announcements in major newspapers and on the company’s website to alert members of the public.
The company said that it is common practice for service providers to send reminders for outstanding payments via emails, phone calls and/or text messages, but strongly advised customers to verify the outstanding amount by checking their bill online or the bill they have received via conventional mail, or by contacting TM directly.
“We would like to caution our customers not to transfer money to personal accounts or companies that claim to act on behalf or are representatives of TM. TM does not accept payment for services in this manner and we urge all our customers to be mindful and cautious if ever they receive such calls or messages,” said TM.
The company added that payment for services can only be made directly to TM via bill payment facilities and not through personal accounts or companies that claim to represent TM.
Zahri Yunos, acting chief executive officer of CyberSecurity Malaysia, said that the agency had yet to receive any reports of the scam, possibly because victims were reporting the matter directly to the parties involved or to the agencies 'used' by the scammers, namely Bank Negara and TM.
He added that if the problem prevails and if the agency receives a number of reports about it, it would release security alerts to the public and alert organizations on the matter.
“We would also offer to assist the relevant law enforcement agencies, namely the MCMC (Malaysian Communications and Multimedia Commission) and Bank Negara in conducting technical analysis and investigations on the scam,” he added.
Catch me if you can
Meanwhile, Moses said she was extremely frustrated at herself for not being more cautious and aware. “I am usually more alert but the level of professionalism and the entire thing seemed too real and I fell for it. 'Extremely angry and frustrated' just about sums up my emotions about this,” she said.
After realizing what had happened, Moses then made a police report (pic) and handed a copy of it to Bank Negara.
“Bank Negara and the police seemed very familiar with such cases and were not surprised. I then realized that this is a common case but cannot understand how it is okay that our national security is being threatened and so easily hacked into and they seem to take it like an everyday occurrence,” said Moses.
A police inspector also gave Moses a brief course on the types of scams she should be wary of and answered her queries about why the chances of catching the culprits were so slim.
“He explained that a syndicate that big and skilled is not one that can be caught overnight. Catching the person my money was transferred to is not a problem, but this person is probably getting one percent of the cut; the money would later be transferred to many other individuals or groups and tracing that is not an easy task,” she said.
“People know scams exist -- just as I did -- but are not aware of how good the scammers are,” she said, adding that more should be done to educate people on how to overcome and avoid them, rather than just the basics of being made aware that they exist.
The weakest link
The scam Moses fell victim to relied on social engineering: the act of obtaining useful information by exploiting human behavior rather than by breaking into systems or using technical hacking methods. It depends on the scammer's skills of persuasion rather than on technical means.
Computer security consultant Kevin Mitnick, in his book The Art of Deception: Controlling the Human Element of Security, summarizes why social engineering attacks are so successful:
“It isn’t because people are stupid or lack common sense. But we, as human beings, are all vulnerable to being deceived because people can misplace their trust if manipulated in certain ways. The social engineer anticipates suspicion and resistance, and he’s always prepared to turn distrust into trust. A good social engineer plans his attack like a chess game, anticipating the questions his target might ask so he can be ready with the proper answers. One of his common techniques involves building a sense of trust on the part of his victim. How does a con man make you trust him? Trust me, he can.”
When asked what his advice to the public would be, CyberSecurity Malaysia's Zahri shared the following tips:
- Ignore any suspicious calls received from unknown callers.
- Do not reveal personal details to a stranger you have never met in person.
- Never transfer money from an ATM or online (Internet banking) to an unknown third party or a stranger you have never met in person. If you must pay for something, make it a point to go to their branch office or an authorized payment collection center such as the post office, and always insist on an official receipt.
- Remember that you have the right to ask why and how another person obtained your personal information, such as your MyKad number and mobile phone number.
“You can always verify the authenticity of a phone call by cross-checking the phone number with the one published at the company’s official website -- or better still, if you could visit the company or the bank that is asking for payment,” he said.
“If you are suspicious about a strange phone call or email, immediately lodge a report to Cyber999 so we can advise you accordingly,” he added.
For those who do find themselves victims of the scam, Zahri advised the following:
- Victims must immediately inform their bank, so that the bank can monitor the account for suspicious activity or block the affected account or try to cancel the money transfer that the victim made to the scammer’s account.
- Victims must keep all the evidence, such as call logs, SMS, emails, and transaction slips issued by the bank or ATM, and then submit the evidence to CyberSecurity Malaysia’s Cyber999 Help Center or to the police.
- If a victim has lost money, they should immediately inform the bank and then lodge a police report at the nearest police station, together with the evidence, for further investigation.