As online scams become more rampant within the country, scammers, too, are constantly updating their tactics to swindle unsuspecting victims. The most popular mode these days appears to the phishing scams by getting victims to install malicious apps from external sources.

In a bid to raise public awareness, an app developer recently shared a demonstration of how dangerous it can be to download unverified apps outside of official sources such as the Google Play Store, Apple App Store, and Huawei AppGallery.

Shared on his Facebook page, Tan Aik Keong – who is also the founder of Agmo Studio, an enterprise mobility solution provider in Malaysia – demonstrated how these phishing scams work, from the beginning and where users would fall victim. In his demonstration, these scams begin with an SMS from an unknown number, informing potential victims that they have won a prize. To claim the reward, the victim is asked to download a mobile app through a link provided within the message. As you may expect, the link is not from an official source, and instead will download an Android Package (APK) file.

If you do end up installing this app, it will prompt you for permission to send and view your SMSes. Tan explained that this is a major red flag as allowing the app to do so enables the scammers to access transaction authorisation codes (TACs) – which are usually sent to you via SMSes to validate sensitive transactions. 

Once you have provided permission, you will then be directed to a page that features the prize that you have allegedly won. But before you can claim it – there is a catch! You may be required to first purchase an item (for instance, you may need to purchase a phone to get the prize). 

If you terminate the process at this point, then you are technically still safe. But if you do proceed with the purchase of the item, you will be led to a bogus website that mimics an actual bank’s site. As shown in Tan’s video, clicking on the payment button leads to a fake Maybank website, which looks remarkably similar to the real Maybank website. 

Upon keying in your username and password, Tan said an error message will usually pop out. For instance, you may be informed that the server is busy. At that point, you may think that your login is unsuccessful due to Internet connection or server issues, but in reality, this is all part of the scheme to capture your login details in the backend system. 

Now that the scammers already have your login details, all that is left is for them to log in to your bank account (through the real bank’s website, of course), and proceed to perform transactions. It is also possible for them to obtain the TAC required to approve these transactions as you have authorised the app to read your SMSes. 

As shown by Tan, it is quite easy for online scammers to trick us these days if we are not careful enough. Maybank, as well as other banks and governing bodies, have issued alerts to warn Malaysians of phishing scams that operate similarly. We have also reported similar phishing tactics that lure victims to download apps from unverified sources.

If you ever receive any suspicious SMSes that sound too good to be true, it most likely is. Be sure to avoid clicking on links in these text messages, and you should also always avoid installing apps from unknown sources.

You can watch the full demonstration here:

(Source: Tan Aik Keong (Facebook))

• TAGS:
• Online Scams
• Phishing
• Phishing Scams
• Scam Apps
• Scammers