Woman clicks on FB ad, downloads 3rd-party app via WhatsApp -- and loses $30k

Posted on 12 June 2023 | 8,157 views | 4 comments

Chin Hui Shan
The Straits Times
Jun 9, 2023

A 34-year-old woman lost close to $30,000 after scammers took control of her phone when she downloaded a third-party app.

Ms Tan (not her real name) chanced upon a sponsored advertisement on Facebook on May 21 which promised to give people a food blender worth $80 if they downloaded a shopping app and spent at least $30 on it.

Enticed by what seemed like a good deal, she clicked on the link, which directed her to a WhatsApp business account.

Following instructions given, Ms Tan later downloaded the third-party app from the WhatsApp account onto her Android phone.

Over the next few days, she tried but failed to check out groceries worth about $30 she ordered via the app.

Ms Tan alerted the WhatsApp account holder of her problem but was told that as the app was new, glitches were expected and that she should try again a few days later.

But on May 25, when the account holder said she could make payments, Ms Tan realised that another person was controlling her phone when a notification popped up asking her approval for a transaction of more than $4,000.

“I was quite shocked... The (display on the) screen started moving on its own. I could not reject the transaction and I tried to make calls to stop the transaction but I couldn’t,” said the administrative worker.

She then noticed that six transactions had been made through her DBS Bank account over 22 minutes. Every transaction was worth close to $5,000, and they totalled $29,877.90.

Mr Kevin Reed, chief information security officer of cyber-security company Acronis, said such a scam is a result of malvertising, or malicious advertising, where online platforms allow their users to create advertisements targeting a specific audience and include links to anything from a Web page to a direct software download.

He added that Android users are more susceptible to malware as the operating system allows software installation from outside the Google Play Store.

For iPhone users, he said, “Apple uses this ‘walled garden’ concept and installing applications outside the App Store is an extremely cumbersome process. It would be very hard to convince an ordinary user to go through it”.

However, he noted, malvertising may soon pose a higher risk to Apple users, at least in Europe, as the company may have to allow users to download applications outside the App Store under the EU’s new Digital Markets Act (DMA).

In response to queries, DBS said it will help customers who fall for scams by, for instance, replacing their cards.

DBS added: “While we continue to adopt multi-pronged measures to strengthen fraud prevention and recovery, including real-time blocking capabilities and loss recovery, customers remain the first line of defence in safeguarding against scams.”

It advises customers to take measures such as setting alerts for transactions using their accounts and cards for amounts as low as one cent, or temporarily locking or unlocking their debit or credit cards through their app immediately when they suspect fraudulent transactions have taken place.

DBS sent an e-mail to customers on May 28 to warn users of fake advertisements on social media and to not download dubious apps from unofficial sources.

Mr Reed advises Android users not to install apps from outside Google Play Store or through any other links, adding that if they suspect their phone is being controlled by a malicious actor, switching off the phone can help to stop the attack.

Scams where victims are lured to download apps from dubious sites are not new. In May, The Straits Times reported a woman losing $20,000 to a bubble tea survey scam while she was sleeping. She had scanned a QR code and downloaded a third-party app onto her phone to complete the “survey”.

In April, the police and the Cyber Security Agency of Singapore warned the public against downloading apps from dubious sites that can lead to malware being installed on their mobile phones.

That month, the police also alerted the public to the resurgence of phishing scams involving malware installed on victims’ Android phones. The police had said that since March, there have been at least 113 victims who lost at least $445,000.

The Straits Times

Get a copy of The Straits Times or go to straitstimes.com for more stories.

Get more of Stomp's latest updates by following us on Facebook, WhatsApp, Twitter, Instagram and YouTube.

Related Stories
The victim transferred money to the scammer twice, and would have done it a third time if not for the intervention of bank staff, who recognised it as a scam. ST PHOTO: KUA CHEE SIONG
Man in his 60s loses $50,000 after scammer claiming to be his 'kampung friend' asks to borrow money
Scam victims downloaded fake ScamShield app after answering online ads for food items like otak
Scam victims asked to download fake ScamShield app after answering ad for food items like otah
He used a third-party app to scan the QR code displayed on the machine with the intention of downloading the SG Recycle app.
Man uses 3rd-party app to scan legit QR code on recycling machine, duped into giving credit card info
Woman loses $50k, left with $7 in bank account after downloading app to buy durians
More About: 
scam
money
facebook
WhatsApp