Woman clicks on FB ad, downloads 3rd-party app via WhatsApp -- and loses $30k

Chin Hui Shan
The Straits Times
Jun 9, 2023

A 34-year-old woman lost close to $30,000 after scammers took control of her phone when she downloaded a third-party app.

Ms Tan (not her real name) chanced upon a sponsored advertisement on Facebook on May 21 which promised to give people a food blender worth $80 if they downloaded a shopping app and spent at least $30 on it.

Enticed by what seemed like a good deal, she clicked on the link, which directed her to a WhatsApp business account.

Following instructions given, Ms Tan later downloaded the third-party app from the WhatsApp account onto her Android phone.

Over the next few days, she tried but failed to check out groceries worth about $30 she ordered via the app.

Ms Tan alerted the WhatsApp account holder of her problem but was told that as the app was new, glitches were expected and that she should try again a few days later.

But on May 25, when the account holder said she could make payments, Ms Tan realised that another person was controlling her phone when a notification popped up asking for her approval for a transaction of more than $4,000.

“I was quite shocked... The (display on the) screen started moving on its own. I could not reject the transaction and I tried to make calls to stop the transaction but I couldn’t,” said the administrative worker.

She then noticed that six transactions had been made through her DBS Bank account over 22 minutes. Every transaction was worth close to $5,000, and they totalled $29,877.90.

Mr Kevin Reed, chief information security officer of cyber-security company Acronis, said such a scam is a result of malvertising, or malicious advertising, where online platforms allow their users to create advertisements targeting a specific audience and include links to anything from a Web page to a direct software download.

He added that Android users are more susceptible to malware as the operating system allows software installation from outside the Google Play Store.

For iPhone users, he said, “Apple uses this ‘walled garden’ concept and installing applications outside the App Store is an extremely cumbersome process. It would be very hard to convince an ordinary user to go through it”.

However, he noted, malvertising may soon pose a higher risk to Apple users, at least in Europe, as the company may have to allow users to download applications outside the App Store under the EU’s new Digital Markets Act (DMA).

In response to queries, DBS said it will help customers who fall for scams by, for instance, replacing their cards.

DBS added: “While we continue to adopt multi-pronged measures to strengthen fraud prevention and recovery, including real-time blocking capabilities and loss recovery, customers remain the first line of defence in safeguarding against scams.”

It advises customers to take measures such as setting alerts for transactions using their accounts and cards for amounts as low as one cent, or temporarily locking or unlocking their debit or credit cards through their app immediately when they suspect fraudulent transactions have taken place.

DBS sent an e-mail to customers on May 28 warning them of fake advertisements on social media and telling them not to download dubious apps from unofficial sources.

Mr Reed advises Android users not to install apps from outside Google Play Store or through any other links, adding that if they suspect their phone is being controlled by a malicious actor, switching off the phone can help to stop the attack.

Scams where victims are lured to download apps from dubious sites are not new. In May, The Straits Times reported a woman losing $20,000 to a bubble tea survey scam while she was sleeping. She had scanned a QR code and downloaded a third-party app onto her phone to complete the “survey”.

In April, the police and the Cyber Security Agency of Singapore warned the public against downloading apps from dubious sites that can lead to malware being installed on their mobile phones.

That month, the police also alerted the public to the resurgence of phishing scams involving malware installed on victims’ Android phones. The police had said that since March, there have been at least 113 victims who lost at least $445,000.
