Singaporean woman faces a loss exceeding S$20,000 from her credit card and bank accounts following the installation of a third-party app

SINGAPORE: An unfortunate incident occurred involving Ms Lim (pseudonym), whose food delivery order, initially valued at $58, ended up costing her an exorbitant sum of over $20,000.

This situation unfolded as scammers gained remote access to her Android phone and banking particulars as reported by The Straits Times.

Ms Lim, aged 54, found herself losing nearly $20,500 from both a credit card account and two DBS savings accounts within a matter of hours.

This financial loss transpired shortly after she clicked on a link to download a third-party app, following a series of events where the scammers exploited her.

They not only manipulated her credit limits but also siphoned all her funds.

The circumstances leading up to this unfortunate incident started when Ms Lim sought out healthy meal delivery options for her elderly parents.

On 26 July, she responded to a Facebook advertisement posted by a company named Healthy Box, mistaking it for the local caterer Grain, with whom she had previous experience.

This misunderstanding fostered a sense of trust, which unfortunately worked in favour of the scammers.

Initial communication occurred via Facebook Messenger, but it transitioned to WhatsApp around noon on the same day.

Believing she was conversing with a representative from Grain, Ms Lim was sent a link through WhatsApp to download an unfamiliar app for placing the food order.

Strangely, the app’s appearance closely resembled the mobile version of Grain’s website.

Upon attempting to make a payment of $58 via PayNow to an alternate number, Ms. Lim received a message indicating that the vendor’s PayNow functionality was unavailable.

She was prompted to share a link for the vendor to rectify this issue.

Despite alerting the individual and requesting assistance, her efforts went unanswered.

Later that day, when taking a lunch break from her online meetings, Ms. Lim noticed an unusual and alarming heat emanating from her phone.

Upon turning it on, she was met with a blank screen and an automatic factory reset.

Unsuspectingly, she followed the phone’s reset process, akin to setting up a new device.

However, her realization of the dire situation came when she attempted to withdraw funds using her ATM card in the evening, only to find her bank balance entirely depleted.

Swift action was taken as she contacted DBS customer service, who confirmed that her funds had been maliciously transferred.

Subsequently, she visited a DBS branch, uncovering details of the scam’s progression.

The fraudulent activities were unveiled: her DBS Everyday credit card’s limit was elevated from $14,500 to $18,500, with funds totalling $17,850 moved to her POSB Savings account.

Furthermore, $1,553 was transferred to this POSB account from another of her accounts, a DBS Savings account.

Via Internet banking, an amount of $20,493.87, including an additional $1,090.87 that remained unexplained, was funnelled from her POSB account to three separate Standard Chartered accounts, totalling $6,281.40, $6,258.95, and $7,953.52.

Ms Lim expressed her dismay and fear at the ease with which the scammers manipulated her credit limit without verification.

She also questioned the lack of notifications regarding the substantial transactions.

On 2 Aug, Ms Lim received a letter from DBS dated 26 July, notifying her of a credit limit increase approval on the very day of the incident.

This raised her further questions about the lax verification process for such actions.

A police report was promptly filed by Ms Lim, with Grain also making a report about scammers imitating their mobile application.

As police investigations continue, Ms Lim found herself unable to meet the bank’s credit card bill payment deadlines due to the drained accounts.

The emotional and financial toll this incident has taken on Ms. Lim is evident as she grapples with the uncertainty of her financial obligations.

The support of friends and loved ones has been vital, yet the concern for housing payments and loans remains.

Ms Lim’s trust in phone banking has been shaken, as each incoming message now sparks anxiety.

In a desperate attempt to rectify the situation, she sought help from her MP to appeal to DBS, the police, and the Monetary Authority of Singapore (MAS) for leniency regarding the amount fraudulently withdrawn from her credit card account.

According to ST, DBS acknowledges the prevalence of scams and has implemented measures to promptly assist affected customers.

For customers who fall victim to scams, there are specific measures in place to offer assistance.

These include a dedicated fraud hotline reachable at 1800-339-6963 (for calls within Singapore) or (+65) 63396963 (for international calls).

Additionally, the digibank app features a safety switch function that can temporarily restrict access to funds.

DBS also said it would continue to enhance fraud prevention and recovery, and customers are urged to remain vigilant as the first line of defence against scams.

The increase of malware scams affecting Android users

Malware scams targeting Android users have surged, causing unauthorized transactions from victims’ bank accounts.

Various media sources have documented these incidents, affecting users across different banks.

Law enforcement has observed an increase in reports from Android users falling victim to these scams, leading to significant financial losses despite victims not disclosing their banking details.

Recent enforcement efforts resulted in the arrest of ten suspects linked to malware scams, in which two Android users lost $99,800 from their CPF savings in June.

Just last month, in a similar case, such as Ms Lim, an unsuspecting preschool teacher, Diana Vigneswari V Ramachandran, found herself S$4,400 poorer after falling prey to a sophisticated new kind of malware scam targeting her bank account.

Diana discovered the unauthorized transfer from her POSB Bank account to an unknown UOB account via the PayNow platform at 2.31 am on 7 July, while she was still asleep. The money had been wired out of her account without her knowledge or approval.

Scammers’ operating methods

The scammers utilize a consistent approach, luring victims through social media ads to download Android Package Kit files from third-party stores.

Instead of legitimate apps, victims unknowingly install malware.

The scammers prompt victims to enable accessibility services, compromising device security.

This breach grants full control, allowing scammers to record keystrokes, steal banking credentials, access banking apps, alter settings, and delete bank notifications.

The police and Cyber Security Agency of Singapore (CSA) highlight scammers’ sophisticated methods of exploiting Android’s open platform, appealing due to customization, flexibility, and vulnerability.

Banks are intensifying their security measures

Banks are proactively enhancing security measures to combat evolving scam tactics.

Android phone users with the OCBC digital app recently received a security update, preventing access for those with unofficially downloaded apps.

The Monetary Authority of Singapore (MAS) acknowledged potential inconveniences from heightened security but stressed the importance of maintaining digital banking’s security and trust.

Mrs Ong-Ang Ai Boon, director of the Association of Banks in Singapore, warned that failure to take precautions could lead to consumers shouldering financial losses caused by malware scams.