15th November 2021
A Facebook user has shared his disturbing experience of almost losing his savings through a new and sophisticated phishing scam. Describing the series of events on his Facebook page, Smith Ang detailed how a Facebook ad for professional cleaning services led to him accidentally sharing his online banking account info and almost losing close to RM5,000.
The operation is surprisingly elaborate, involving creating a Facebook page offering professional cleaning services, and paying for ads on Facebook to lure unsuspecting victims. After all, professional cleaning services are quite common these days, with booking and payment usually done online.
To add legitimacy, the scammers try to mimic an existing professional cleaning service called Maid4u – but the Facebook ad is run by a page called “Magic Maid Cleaning”. Maid4u’s website lists some corporate clients, complimentary sanitisation services, and support for credit card payments, but its services are only available in Cyberjaya. Crucially, it also does not have an app (though according to the website, one will be available soon) and its WhatsApp chat button leads to a different phone number from the one the scammers use.
The Facebook ad includes a WhatsApp chat button, through which the scammer will share a 50% discount promo for new users who book via their app. However, the app download link doesn’t lead to the Google Play Store or Apple App Store, but to an APK file – an Android app installer package – that isn’t vetted by Google (since it was never submitted to the Google Play Store). Conveniently, among other permissions, this app requests permission to read SMS messages (which legitimate apps sometimes need as well).
Upon installation, the app asks you to set up an account with information including name, mobile phone number, and email address. Bookings and payments can be made through the app, which claims to support “credit cards” and “FPX” – the credit card option was not available, but FPX bank transfers were – a design decision that prompts you to “log in” to your online banking website. Naturally, the username and password are captured, and since almost every bank requires SMS OTP authentication, the app’s SMS read permission comes into play – the scammer would now have everything they need to clear out your bank account.
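The combination described above (an APK from outside an app store that can both read SMS and reach the internet) can be checked before installing. The following is an added example, not code from Ang's post or from the app in question; it assumes the permission list is in the text format printed by `aapt dump permissions`, and the package names and sample dumps are constructed.

```python
import re

# Permissions that expose incoming SMS (and therefore banking OTPs) to an app.
SMS_READ = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}
INTERNET = "android.permission.INTERNET"

PKG_RE = re.compile(r"^package:\s*(\S+)")
# Accepts both `uses-permission: name='X'` and the older `uses-permission: X`.
PERM_RE = re.compile(r"^uses-permission(?:-sdk-\d+)?:\s*(?:name=')?([\w.]+)")

def parse_permissions(dump):
    """Return (package, permissions) from `aapt dump permissions`-style text."""
    package, perms = None, set()
    for raw in dump.splitlines():
        line = raw.strip()
        if (m := PKG_RE.match(line)):
            package = m.group(1)
        elif (m := PERM_RE.match(line)):
            perms.add(m.group(1))
    return package, perms

def triage(dump, from_app_store):
    """Classify an APK as 'ok', 'review' or 'block' before it is installed."""
    package, perms = parse_permissions(dump)
    sms = sorted(perms & SMS_READ)
    findings = []
    if not from_app_store:
        findings.append("sideloaded APK, not vetted by an app store")
    if sms:
        findings.append("can read SMS: " + ", ".join(sms))
    if sms and INTERNET in perms:
        findings.append("can forward received OTPs off the device")
    if sms and INTERNET in perms and not from_app_store:
        verdict = "block"
    elif findings:
        verdict = "review"
    else:
        verdict = "ok"
    return {"package": package, "verdict": verdict, "findings": findings}

# Constructed sample input (not taken from the app described in the article).
SUSPECT_DUMP = """package: com.example.cleaningbooking
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.READ_SMS'
uses-permission: name='android.permission.RECEIVE_SMS'
"""
BENIGN_DUMP = """package: com.example.notes
uses-permission: name='android.permission.INTERNET'
"""

if __name__ == "__main__":
    print(triage(SUSPECT_DUMP, from_app_store=False))
    print(triage(BENIGN_DUMP, from_app_store=True))
```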
Thankfully, Ang was able to secure his online banking access by very, very quickly changing his password before the scammer was able to authorise a RM4,860 instant transfer. As a technologically savvy user, Ang was able to protect himself from the scammers through luck and quick thinking – but this may not be the case for everyone else. There are several instances in the process that are red flags:
That said, the app was designed very well, and from the screenshot shared by Ang, mimics Maybank2u’s old website layout (which is used in FPX) almost perfectly. So again, unsuspecting victims hoping to grab a good deal may end up falling prey to this elaborate phishing scam.
You can read Ang’s full experience in the source link.
(Source: Smith Ang (Facebook))
Comments (5)
This is an old scammer on the loose. Don’t fall for it.
Raven Raj is what he introduced over email with his bank details as Public Bank 3130446115
Same email and domain
Yes, this happened to us a few days back.
The name of the agent is the very same Raven Raj with the very same account number.
Feel so cheated.
Thank you for the elaboration, a good write-up
I just lost 21k with 1 click by the link given, today within 5 min, just viewed the link given to check the price, then I got a notification msg that my money was all gone
Companion Maids is probably the same company as doing the exact same… another scam