How many times have we heard the same story?

A victim sees a very tempting deal advertised on social media or e-commerce platforms. It could involve mooncakes, beer, wagyu beef or durians.

The victim contacts the seller and then clicks on a link sent to them over private messaging.

The victim loses money through unauthorised online banking transactions.

According to the latest police statistics released on Thursday, social media platforms such as Facebook and Instagram, private messaging tools like WhatsApp, and online shopping platforms hosted about two-thirds of the 22,000 scam cases that took place from January to June 2023.

The problem in many such cases is that it’s hard to tell a scammer from a genuine seller – until it’s too late.

That is because, to carry out their criminal activities, scammers borrow practices commonly used by legitimate sellers.

Many genuine sellers use social media like Facebook and Instagram and e-commerce platforms like Lazada and Shopee to peddle their goods and services. It is also normal for customers to fill out a clickable order form. But now, casually clicking on such links could empty out your bank account.

Remember Take.sg, an online ordering form that helps small businesses organise orders through WhatsApp? Take.sg was created in 2021 by Mr Youmin Kim, then a software engineer at Facebook, as a personal project to help hawkers affected by the Covid-19 pandemic lockdown. Customers click on a link to fill out a form, and view the invoice within WhatsApp as part of the process.

Now, that easy-to-follow practice has been weaponised by scammers. The latest victim, Mr Adrian Kong, 50, lost $60,000 via PayNow overnight after he responded to an advertisement for cheap beer on Facebook in August. The seller led him to click on a link to download an app believed to contain malware.

A similar thing happened to some 27 victims who lost a total of $325,000 from a scam involving cheap mooncake advertisements on Facebook and Instagram.

Another victim, Ms Lim (not her real name), had more than $20,000 emptied from her POSB Everyday credit card account and two DBS Bank savings accounts in a matter of hours in July. Scammers impersonating catering company Grain on Facebook sent her a link via WhatsApp to download a fake app that looked like Grain’s mobile app.

So far, the key message has been: Be wary of all clickable links. In almost all of the reported incidents, victims had clicked on links sent via WhatsApp or SMS. Malware-infected apps then got downloaded, allowing scammers to hijack their phones to capture keystrokes and steal banking credentials.

The entire industry now needs to review some of these accepted practices.

We also need to shed the assumption that this happens only to vulnerable seniors, as even tech-savvy people can get scammed. So can Apple iPhone users and not just those using Android phones. Malware can get onto iOS devices via a similar sideloading process if apps are downloaded from portals outside of the Apple App Store.

The key takeaway is this: Customers may have to shed many of the practices that made transactions convenient, while the middlemen (including banks, e-commerce and social media platforms) may have to shoulder more responsibility to root out scams.