Targeted scams: Beware of 'free gifts' from well-known brands for doing surveys

The scam uses a "targeted link" directed at victims. PHOTO: GROUP-IB

SINGAPORE - It might be the season of giving but people should beware of "free gifts" such as iPhones and Samsung handsets from well-known brands seeking feedback - it might just be a scam.

Cyber-security firm Group-IB on Tuesday (Dec 21) warned that there has been a spike in a type of scam that gleans information from unsuspecting victims and uses the data to trick them into thinking they could win prizes from brands, particularly telecommunication firms, by participating in polls.

Local telcos contacted did not comment directly on the scam but advised customers to be vigilant.

The scam uses what Group-IB called a "targeted link" directed at victims. It was first seen in 2018, with crooks exploiting dozens of brands globally, but this year, the number has jumped to at least 121 brands across 91 countries.

Scammers mostly posed as telecoms firms, with more than half of the brands exploited worldwide coming from the sector. This was followed by e-commerce and retail brands.

In Singapore, scammers targeted telecoms firms as well. In 2019, scams exploiting two brands were found - both involved presenting themselves as popular telecoms brands. The number of brands rose to five this year, and included entertainment and electronics manufacturing brands.

The increase could be due to the success of the initial scams and the Covid-19 pandemic, said Mr Ilia Rozhnov, head of Group-IB's digital risk protection unit in the Asia-Pacific.

"The pandemic has fuelled more fears. You can hardly expect critical thinking from stressed-out and fearful citizens. People are overwhelmed with coronavirus fears. And scammers capitalise on that," he added.

This comes amid a general rise in scams here by 16 per cent in the first half of this year, from the same period a year ago, the police said in August.

The targeted-link scam works by first putting out a message to potential victims through digital marketing, including through advertisements on social media platforms, SMS texts, e-mails and website pop-up windows.

To evade detection and blocking, the initial message does not mention specific brands and has a link in the form of a shortened URL to mask the real address.

The message promises victims that they can win valuable prizes by completing a survey or joining a lucky draw.

Once a person clicks on the link, he is redirected to various sites that gather information about the victim, such as the country he is in, his language preference and time zone. Using the details, a targeted link is created, which finally redirects the victim to a phishing site passing off as one from a well-known brand in the victim's country.

This phishing site asks the victim to take part in a poll, such as to give feedback on the impersonated brand, but within a time limit.

To presumably get the prize after that, the victim is urged to fill a form asking for his personal data, such as his full name, e-mail address, postal address, phone number and bank card details. They may sometimes be asked to pay a tax or a test payment before they can receive the prize.

Fraudsters can use the stolen data to buy goods online, register fake user accounts, or sell the victims' details on the Dark Web.

The targeted link can be opened only once and only by the intended victim. Group-IB said this means that such links do not stick around for long, which makes it harder to detect them, and hampers investigations and takedowns of the scam.

The company expects the targeted-link scam to evolve, cover new brands, and expand its reach next year, due in part to the ongoing pandemic driving scams globally and more time spent online by people.

Telcos said they would never ask customers for personal data such as NRIC numbers and passwords over the phone, e-mail, SMS, surveys and suspicious links and sites.

Singtel said that it was "extremely concerning" that scammers keep targeting customers of telcos and other service providers to prey on people's trust, adding that it has a scam awareness campaign.

StarHub said that if customers have any questions about the validity of e-mails, SMS texts or social media advertisements, they should contact the telco directly to verify.

Among the safeguards M1 said it has put in place is one that involves working with the authorities to take down scam sites, where possible.

To further protect themselves against targeted link scams, Group-IB said consumers should not send money to anyone for prizes as this is not a practice of legitimate companies.

It also advises consumers to always pay attention to the URL address of a site to check if it looks suspicious and to not trust promotions that have a quick countdown timer.

Bank card details should be entered only into trusted websites, and people should always check on links before opening them, even if they come from a friend or relative, said Group-IB.

Join ST's Telegram channel here and get the latest breaking news delivered to you.