Beware of 'gifts from big brands' for doing surveys

It might be the season of giving, but people should beware of "gifts" such as iPhones and Samsung handsets from well-known brands seeking feedback - it might just be a scam.

Cyber-security firm Group-IB on Tuesday warned that there has been a spike in a type of scam that gleans information from victims and uses the data to trick them into thinking they could win prizes from brands, particularly telecommunications companies, by participating in polls.

Telcos M1, Singtel and StarHub did not comment directly on the scam when asked, but advised customers to be vigilant, adding that they would never ask customers for personal data such as NRIC numbers and passwords over the phone, e-mail, SMS, surveys and suspicious links or sites.

The scam uses what Group-IB called a "targeted link". It was first seen in 2018, with crooks exploiting dozens of brands globally, but this year, the number has jumped to 121 brands in 91 countries.

Scammers mostly posed as telecoms companies, with more than half of the brands exploited worldwide coming from the sector.

In Singapore, scammers targeted telecoms companies too. In 2019, scams exploiting two brands were found - both involved scammers presenting themselves as popular telecoms brands. The number of brands rose to five this year, and included entertainment and electronics manufacturing brands.

The increase could be due to the success of the initial scams and the Covid-19 pandemic fuelling fear that scammers exploit, said Mr Ilia Rozhnov, head of Group-IB's digital risk protection unit in the Asia-Pacific.

This comes amid a general rise in scams here by 16 per cent in the first half of this year, from the same period a year ago, the police said in August.

The targeted-link scam works by first putting out a message to potential victims through channels like advertisements on social media, SMS, e-mails and website pop-up windows.

The message has a shortened URL as a link and promises valuable prizes for completing a survey or joining a lucky draw.

Once a person clicks on the link, he is redirected to sites that gather data about him, such as the country he is in. With the details, a targeted link is created that directs the victim to a phishing site passing off as one from a well-known brand in the victim's country.

This site asks the victim to take part in a poll, such as to give feedback on the impersonated brand, but within a time limit.

To get the prize, the victim is urged to fill in a form with his personal data, such as his full name, postal address, phone number and bank card details. He may also be asked to pay a tax or test payment.

Fraudsters can use the stolen data to buy goods online, register fake user accounts, or sell the victims' details on the Dark Web.

The targeted link can be opened only once and only by the intended victim. Group-IB said this makes it harder to detect such links, and hampers investigations and takedowns of the scam.

The firm expects the targeted-link scam to evolve and expand its reach next year, due in part to the pandemic driving scams globally.