Covid-19 pandemic a trigger for bank scam epidemic

As millions of Indians adopted digital phone banking in the midst of a cash crunch, inexperienced users like the elderly and those uncomfortable with English became easy targets for scammers. PHOTO: EPA-EFE

BANGALORE - The world has been grappling with bank scams for years, but the Covid-19 pandemic has led to an explosion in such crimes.

Both the frequency and size of frauds have multiplied, wiping out bank accounts of online banking novices as well as the tech-savvy. Victims have included celebrities and financial experts.

As more people use mobile wallets and digital banking apps in Asia, they are also unwittingly becoming vulnerable to monetary and data theft.

The scams are as widespread as they are diverse, as rudimentary as the Nigerian letter hoax that lures victims into disclosing their bank data in exchange for a share of fantastic wealth, to something as sophisticated as relying on deep-fakes or creating links to impeccably reproduced websites.

Cybercrime officials attribute the rise in scams during Covid-19 to more remote working, with people using home computers or laptops with weaker online security than office systems; persons unemployed during the pandemic getting into hacking; and digital fatigue leading to carelessness.

But, perhaps, the saddest reason is that many desperate people, made poor during the pandemic, were easy victims.

Scam factories

In a "smishing" epidemic in the Philippines that coincided with the pandemic, regulators were inundated by complaints from people receiving text messages, sometimes more than 10 times a day, purportedly offering jobs that pay up to 8,000 pesos (S$210) a day, well above the minimum wage.

The messages contained links that opened a private channel on WhatsApp through which hackers - often with IP addresses traced to India and China - ran the scam that defrauded those desperate for a job.

"Fraudsters are always looking to take advantage of significant world events, like the Covid-19 pandemic and its corresponding rapid digital acceleration brought about by stay-at-home orders," said Ms Pia Arellano, president of data securities firm TransUnion Philippines.

Philippine central bank governor Benjamin Diokno said hacking and other malware attacks soared 2,324 per cent in 2020, when the country went through the worst of the pandemic, while phishing rose 302 per cent.

The Bank of the Philippine Islands, the country's fourth-largest bank by assets, said it took down close to 2,000 phishing sites in the first three months of 2021 alone.

The Bank of the Philippine Islands said it took down close to 2,000 phishing sites in the first three months of 2021 alone. PHOTO: AFP

Cyber sleuths said the spike in online scams seems to have coincided with the government's roll-out of a shoddy contact-tracing scheme that almost always requires Filipinos to just write down on a piece of paper their names, phone numbers, and e-mail and physical addresses.

No one is surprised by bank scams in India, but there was a quantum jump after November 2016, when the Indian government scrapped all 1,000- and 500-rupee notes overnight. As millions of Indians adopted digital phone banking in the midst of a cash crunch, inexperienced users like the elderly and those uncomfortable with English became easy targets for scammers. Online bank scams grew by 162 per cent between 2017 and 2019.

The outbreak of Covid-19 fuelled the scam factories further.

Last year, more than 83,000 instances of banking fraud occurred, siphoning off 1.38 trillion Indian rupees (S$25 billion) with only less than 1 per cent of the amount lost recovered.

Everyone's a target

Bangalore software engineer Vani Shivaprasad lost 55,000 rupees last August when she gave her one-time password (OTP) and customer details to a man impersonating a bank official.

"When I was filing a police complaint, the inspector scolded me for giving the OTP to random people. I feel foolish, but sometimes I can't tell what OTPs are confidential," said Ms Shivaprasad, showing the 453 unread SMSes on her phone, many of them with OTPs from shopping websites.

Although banks regularly send stern messages to customers reminding them not to share OTPs with strangers, experiences like that of Ms Shivaprasad show that the profusion of OTPs required to be shared with delivery persons, insurance agents and hospitals are leaving people confused.

While Internet novices are more vulnerable, education or status is no protection from scams. Authentic-looking websites have tricked the smartest, most careful customer.

Last month, Mumbai-based former cricketer Vinod Kambli fell prey to a scam in which a person claiming to be a bank official tricked him into installing a remote access application and transferred 114,000 rupees from his bank account.

    Former Indian cricketer Vinod Kambli was tricked into transferring 114,000 rupees from his bank account. PHOTO: AFP

    Malaysian banker Ahmad Razali, 47, was planning to buy his first house when he lost his entire savings of RM400,000 (S$129,000) 12 years ago. A caller supposedly from Bank Negara, the central bank, said his identity was stolen, and one of his bank accounts compromised; he was asked to transfer his money to a different account.

    "I really believed it was genuine because the phone number that appeared on my screen looked very close to the one belonging to Bank Negara. I also fell for the manner and the tone in which the person spoke and the details that she provided," Mr Razali told The Straits Times.

    Cybercrime police officials say the true number of scams is likely to outstrip those recorded. "Many victims don't file a complaint because the stolen amount is so small that they don't notice or bother, or they're too embarrassed to admit to being fooled," said inspector-general of police Praveen Sood, in India's tech city of Bangalore.

    In China, one of the world's most cashless countries where it's second nature to receive and make electronic payments via the phone, Beijing-based marketing manager Wu Qiangdi, 33, told ST he has developed the habit of using a fake name for all his deliveries to prevent having his personal information fall into the wrong hands.

    He also uses a black marker to cross out his mobile number and address on receipts and delivery boxes as an added measure before discarding them. "All my friends go to such lengths to protect ourselves from falling prey to scams. I don't think our actions are extreme," he told ST.

      The police in China had investigated some 1.4 million fraud cases in 2019. PHOTO: REUTERS

      The police in China had investigated some 1.4 million fraud cases in 2019.

      "We cannot be too careful because some of these thieves are very cunning and can come up with elaborate plots. Also, once the money is transferred out, it is very unlikely that victims can ever get it back," he said.

      High-tech scam

      But few people stand a chance when scammers use technological aids. According to the authorities in Dubai, in the United Arab Emirates, on Jan 15, 2020, a branch manager of a Hong Kong bank received instructions from a corporate client via e-mail and a phone call to transfer US$35 million (S$47.5 million) to several accounts to fulfil the requirements of acquiring another company.

      The voice on the call was a familiar one; the branch manager had spoken to the individual - a director of the client company - before. Or so he thought.

      In reality, it was a "deep voice" clone of the director's voice.

      The entire operation was "a complex scheme involving at least 17 known and unknown defendants", the Dubai authorities told their US counterparts while tracing the funds moving through numerous accounts, including two American ones.

      In South Korea, voice phishing is rampant.

      Ms Lee Sol-yi, the wife of South Korean comedian Park Sung-kwang, got a text message on her phone last week about a 959,000 won (S$1,075) payment that she did not authorise. Instead of calling the "customer service centre" hotline given, she posted the whole message on her Instagram.

      "Received a voice phishing message," wrote Ms Lee. "If you call the customer centre to verify, they will be able to extract your personal information. Don't be a victim!"

      On Jan 26, the Gyeonggi Nambu Police Agency worked with the Chinese authorities to arrest 10 scammers - six Koreans and four Chinese - who worked from a call centre in Zhejiang province, China, to trick 236 Koreans into transferring 8.3 billion won to the fraudsters.

      Their modus operandi was to send fake text messages like the one Ms Lee received, telling victims that a payment was made and to call a number if it was wrong. Scammers would then guide the victims to transfer their money into another "safe account".

      South Korean police data shows that some 700 billion won was lost in such fraud cases in 2020 - up from 247 billion won in 2017.

        Voice phishing scams are rampant in South Korea. PHOTO: REUTERS

        In Japan, fraudsters are exploiting security weaknesses in mobile e-payment systems.

        In 2020, telecommunications provider NTT Docomo's e-payment service experienced more than 120 improper withdrawals from customers' bank accounts that amounted to 28.5 million yen (S$334,750). This followed similar issues in 2019 with SoftBank's PayPay and Seven-Eleven's smartphone payment service.

        In an effort to fight this scourge, six companies including NTT Docomo and Line Pay are teaming up to launch an information-sharing system against fraud, the Nikkei daily reported last month.

        Banking system gaps

        Scammers often exploit loopholes in banking systems.

        Last October, Thailand experienced one of its largest-scale banking-scams when about 40,000 people saw unauthorised transactions on their debit and credit cards amounting to about 130 million baht (S$5.3 million).

        Hundreds of fraudulent transfers were made for goods and services from businesses registered overseas. Each transaction was for tiny amounts of around 35-100 baht and went undetected by the customers and banks.

        The card holders did not receive one-time password verification for the payments because some banks do not trigger the OTP security feature for low-value transactions.

        Since Thailand's small-baht scam, the authorities have introduced new guidelines for banks, including additional verification measures, and monitoring of suspicious transactions for small and frequent transaction amounts.

          The Hong Kong Monetary Authority issues alerts every month on its website to warn about fraudulent banking sites, phishing e-mail and fake SMS texts. As at yesterday, it has issued 11 such alerts for this month involving Dah Sing Bank, Bank of Singapore, and Hong Kong and Shanghai Banking Corporation.

          Beyond warnings and educational campaigns, banking experts like Indonesia's Paul Sutaryono suggest that banks respond faster to complaints, and prepare proper instruments to protect customers from potential cybercrimes.

          Between March and November last year, Indonesia's Ministry of Communication and Information recorded nearly 200,000 reports of fraudulent activity, with WhatsApp and Instagram serving as the most widely used media.

          • With additional reporting by Nirmal Ghosh in Washington, Aw Cheng Wei in Beijing, Chang May Choon in Seoul, Walter Sim in Tokyo, Claire Huang in Hong Kong, Katherine Wei in Taipei, Raul Dancel in Manila, Hazlin Hassan in Kuala Lumpur, Tan Tam Mei and Tan Hui Yee in Bangkok, and Linda Yulisman in Indonesia

          Join ST's Telegram channel and get the latest breaking news delivered to you.