Man who lost $149k after clicking on phishing e-mail among at least 10 victims in Case cyber attack


SINGAPORE – A man who filed a dispute over a faulty computer with the Consumers Association of Singapore (Case) lost $149,000 in a matter of minutes after he clicked on a live chat icon in an e-mail purportedly from the consumer watchdog.

Mike (not his real name), who is in his early 50s and works in the education industry, was one of at least 10 victims who fell prey to the phishing e-mails in October.

The police told The Straits Times the total losses amounted to at least $225,000. Case said in October that 5,095 phishing e-mails were sent to consumers after cyber attackers hacked its mail server.

Mike received an e-mail on Oct 9 stating that he had been assessed by “Case” to be “eligible for compensation” after filing a dispute.

“I thought the e-mail was real because I had approached Case for mediation in June 2021 after buying a Dell computer that was faulty. I dropped the complaint that same month when I got a refund from Dell,” he recalled.

When asked why he had believed the content in the e-mail despite the issue being resolved more than a year ago, Mike said: “It did raise some suspicion that the e-mail was not real, but it said ‘payment is guaranteed’. So I was just curious to see what the compensation was.”

When Mike clicked on the live chat icon included in the e-mail, he was led to “what looked like a legitimate DBS website”.

“Everything happened quickly after that. When the site disappeared after I clicked it, I tried again. I later pressed ‘authorise’ on a notification that popped up on my mobile phone, which I was told would allow Case to look into the matter. And just like that, my money was gone,” he said.

Mike, who lost most of his life savings, filed a police report that night. The police confirmed the report and said investigations are ongoing.

Case executive director Lee Siow Hwee, who confirmed the watchdog had received feedback from Mike, said: “As the matter is currently under investigation, we are unable to comment further.”

When asked how Case was addressing the issue, Ms Lee declined to comment.

A DBS Bank spokesman told ST its systems remain secure and said: “The data leak at Case was used by criminals to successfully convince the victim to give up his banking credentials and transfer funds by carrying out multiple authorisations through a spoofed website.

“This is why data breaches require quick and clear communication to victims in accordance with data protection laws and best practice, so that impacted persons can take proactive steps to prevent further harm.”

DBS said the bank has processes in place to prevent its intellectual property from being abused, including resources to take down fraudulent websites as soon as possible.

“Our customers are reminded to be mindful of the URLs of websites they are using and, if in doubt, to verify via the bank’s official channels,” said the spokesman.

Mike, who is single, said: “It feels terrible. The money was a huge chunk of my life savings. I need it as my parents are in their late 80s and depend on me – there are medical fees and medicine to think about. I’m very concerned that I’ll be unable to support them.

“I’m not earning a lot and it is a large sum of money. I’m just desperate to somehow get my money back.”

He recently sought help from the Financial Industry Disputes Resolution Centre (Fidrec), which specialises in the resolution of consumer financial disputes.

It was reported last month that fraud and scams accounted for nearly a third of claims handled by Fidrec for the financial year spanning July 1, 2021, to June 30, 2022.

Case previously said it began receiving reports of the phishing e-mails on Oct 8. It advises those who have performed similar payment transactions to lodge a report with the police, and contact the Anti-Scam Hotline on 1800-722-6688.
