15 Nov - 4 min read
A Facebook user has shared his disturbing experience of almost losing his savings through a new and sophisticated phishing scam. Describing the series of events on his Facebook page, Smith Ang detailed how a Facebook ad for professional cleaning services led to him accidentally sharing his online banking account info and almost losing close to RM5,000.
The operation is surprisingly elaborate, involving creating a Facebook page offering professional cleaning services, and paying for ads on Facebook to lure unsuspecting victims. After all, professional cleaning services are quite common these days, with booking and payment usually done online.
To add legitimacy, the scammers try to mimic an existing professional cleaning service called Maid4u – but the Facebook ad is run by a page called “Magic Maid Cleaning”. Maid4u’s website lists some corporate clients, complimentary sanitisation services and support for credit card payments, but its services are only available in Cyberjaya. Crucially, it also does not have an app (though according to the website, one will be available soon), and its WhatsApp chat button leads to a different phone number from the one used by the scammers.
The Facebook ad includes a WhatsApp chat button, through which the scammer shares a 50% discount promo for new users who book via their app. However, the app download link does not point to the Google Play Store or Apple App Store, but to an APK file – an Android app installer package – that Google has not vetted, since it was never submitted to the Play Store. Conveniently for the scammer, this app asks for permission to read SMS messages (one of several permissions it requests; SMS access is sometimes legitimately needed by apps, but it is the one that matters here).
Upon installation, the app requires setting up an account with your name, mobile phone number, and email address. Bookings and payments can be made through the app, which offers “credit card” and “FPX” payment options – the credit card option was not actually available, leaving only FPX online bank transfer – a design decision that steers you into “logging in” to your online banking website from inside the app. Naturally, the username and password are captured, and since almost every bank requires SMS OTP authentication, the app’s SMS read permission comes into play – the scammer now has everything needed to clear out your bank account.
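The chain described above has three observable red flags: an app offered as a direct APK download rather than from an official store, an app that asks for SMS-reading permission, and a “bank login” page whose address is not the bank’s own. The following is an added example (not code from the article or from any party it describes) that turns those three checks into a small triage script; every hostname in it is constructed, and the expected bank host is a parameter the caller supplies. The Android permission names are real; everything else is illustrative.

```python
from urllib.parse import urlparse

# Hosts of the two official app stores. An app download that does not come
# from one of these is a sideload and skips store vetting (red flag 1).
OFFICIAL_STORE_HOSTS = {"play.google.com", "apps.apple.com"}

# Real Android permission names that let an app read incoming SMS, and
# therefore the one-time passcodes banks send by SMS (red flag 2).
SMS_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
}


def check_app_download(url: str) -> list[str]:
    """Flag app links that bypass the official stores or point at a raw APK."""
    flags = []
    parsed = urlparse(url)
    host = parsed.hostname or ""
    if host not in OFFICIAL_STORE_HOSTS:
        flags.append(f"app offered outside an official store: {host or 'no host'}")
    if parsed.path.lower().endswith(".apk"):
        flags.append("direct APK download (sideload, not vetted by Google Play)")
    return flags


def check_permissions(declared: set[str]) -> list[str]:
    """Flag any declared permission that grants access to SMS content."""
    hits = sorted(SMS_PERMISSIONS & set(declared))
    return [f"app can read SMS and therefore bank OTPs: {perm}" for perm in hits]


def check_bank_login(login_url: str, expected_bank_host: str) -> list[str]:
    """Flag a 'bank login' page that is not served by the bank's own host over HTTPS."""
    flags = []
    parsed = urlparse(login_url)
    host = parsed.hostname or ""
    if parsed.scheme != "https":
        flags.append("bank login page not served over HTTPS")
    if host != expected_bank_host and not host.endswith("." + expected_bank_host):
        flags.append(
            f"bank login page host {host!r} is not the bank's {expected_bank_host!r}"
        )
    return flags


def triage(offer: dict, expected_bank_host: str) -> list[str]:
    """Run all three checks over one app offer and return the combined red flags."""
    return (
        check_app_download(offer["download_url"])
        + check_permissions(offer["permissions"])
        + check_bank_login(offer["fpx_login_url"], expected_bank_host)
    )


# Constructed sample input modelled on the scam described in the article.
# The hostnames below are placeholders, not real domains.
SCAM_OFFER = {
    "download_url": "https://magic-maid-promo.invalid/app/MagicMaid.apk",
    "permissions": {
        "android.permission.INTERNET",
        "android.permission.READ_SMS",
        "android.permission.RECEIVE_SMS",
    },
    "fpx_login_url": "https://fpx-secure-login.invalid/bank/login",
}

# Constructed sample of how a legitimate offer would look by comparison.
LEGIT_OFFER = {
    "download_url": "https://play.google.com/store/apps/details?id=com.example.cleaning",
    "permissions": {"android.permission.INTERNET"},
    "fpx_login_url": "https://www.bank.example/login",
}

if __name__ == "__main__":
    for name, offer in (("scam", SCAM_OFFER), ("legit", LEGIT_OFFER)):
        print(name, triage(offer, expected_bank_host="bank.example"))
```

The checks are deliberately simple string and URL comparisons; their value is in being applied before anything is installed or typed, which is the point at which Ang’s experience shows the decision has to be made.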
Thankfully, Ang was able to secure his online banking access by very, very quickly changing his password before the scammer was able to authorise a RM4,860 instant transfer. As a technologically savvy user, Ang was able to protect himself from the scammers through luck and quick thinking – but this may not be the case for everyone else. There are several instances in the process that are red flags:
That said, the app was designed very well, and from the screenshot shared by Ang, mimics Maybank2u’s old website layout (which is used in FPX) almost perfectly. So again, unsuspecting victims hoping to grab a good deal may end up falling prey to this elaborate phishing scam.
You can read Ang’s full experience in the source link.
(Source: Smith Ang (Facebook))