E-banking scams take new guise
SMS messages purporting to come from banks con customers into parting with data
published : 20 Dec 2020 at 06:22
newspaper section: News
The Royal Thai Police is intensifying its hunt for Thai and foreign criminals who run scam call centres that send fake SMS messages to trick victims into replying with their bank account details.
The widespread adoption of online payment methods in Thailand was highlighted by the Ministry of Digital Economy and Society showing that the number of internet users in Thailand has leapt from about 18 million in 2009 to more than 50 million in 2020. More than one in five activities carried out on the internet involves a financial transaction of some kind.
In early December, 29 Siam Commercial Bank (SCB) customers received an SMS after they contacted its call centre. The SMS told them to send back their 13-digit ID number and a one-time password (OTP). The scammers then reportedly used the ID number and OTP to sign up to a mobile banking app which they used to transfer funds from the victims' accounts.
MONEY TRAP: Siam Commercial Bank warns customers to beware of scammers who use fake websites or SMS.
SCB is the only bank that allows the use of its mobile app on more than one device and denied any involvement or data breach on its part.
On Dec 14, all 29 victims filed complaints with the Police Cyber Taskforce (PCT), and its chief, Pol Maj Gen Phanthana Nutchanart, pledged a full investigation.
Thanawat Saengphet, 23, from Samut Sakhon province, one of the victims, said he had contacted SCB on Dec 6 to change his address with the bank.
Half an hour later, he received an SMS asking him to update his information by clicking an attached link. Assuming the SMS was sent from the bank, he provided his name, ID number and the OTP generated by the website he visited. The next morning he woke to find 20,000 baht had gone missing from his account.
According to a PCT report issued on Dec 18, police had arrested suspects from at least three groups linked with fraud involving bank customers' credentials.
A number of Vietnamese nationals led by a man police named as Tran Dimh Lam were accused of swindling eight victims out of a total of 200,000 baht.
Meanwhile, five suspects of Chinese and Taiwanese origin were linked with similar crimes leading to three arrests. One of them, a Chinese man called Pei Hong, stands accused of swindling more than 40 victims out of two million baht.
The third group consists of five Thais, four of whom have since been apprehended. This gang is alleged to have swept up more than a million baht from 10 victims.
Police are investigating links between the groups as it is suspected they may be part of the same criminal network.
Pol Maj Gen Phanthana said the modus operandi of the three sets of suspects was largely identical, with all the victims having received fraudulent SMS messages after making contact with the SCB call centre.
"The problem is they believed that the SMS was real as they had just contacted the bank," he said.
He said the fraudsters used SMS to trick people to provide personal data.
"In one day, one culprit sent SMS to more than 100 people -- five to 10 of them would believe it was real. The fake SMS was similar to that sent by the bank but with a request to send back personal details such as the 13-digit ID number or OTP.
"Once the victim sent his information to the culprit, the culprit would use it to sign up on the bank's mobile banking app. There's only one bank whose app can be used on more than one mobile phone. This is the loophole that allows the culprit to get personal information from the bank's customers," Pol Maj Gen Phanthana said.
Police found the culprits had wired the victim's money to other countries. These SMS fraud syndicates often work with foreigners and hire Thai people to work for them.
Pol Maj Gen Phanthana said Thai police are investigating, in collaboration with foreign officers, to find out which countries are involved.
As for the protection of personal information, Pol Maj Gen Phanthana suggested banks tell the public what the fake SMS messages look like and advise customers they will never ask them for their OTP.
"In a case like this, we cannot fully blame the victim despite what the law says. The bank should change its system so it will be more secure," he said.
Pol Lt Col Wichai Suwanprasert, a director of the Bureau of Technology and Information Inspection Centre under the Department of Special Investigation (DSI), described this use of bogus SMS messages sent to defraud people as "phishing."
A SMS message purporting to come from the SCB.
Phishing is "the fraudulent practice of sending emails purporting to be from reputable companies to induce individuals to reveal personal information, such as passwords and credit card numbers".
He said the DSI has received complaints about the SMS con since May. A preliminary investigation found the scam is indeed backed by a transnational syndicate including a cyber fraud syndicate in Taiwan, he said.
"Sometimes, a fake SMS contains the bank's official number to trick the recipient into updating his personal details with the bank," he said.
Pol Lt Col Wichai warned people never to send their personal detains such as their ID number, credit card number, date of birth, ATM password and OTP to anyone.
An expert on phishing scams from a commercial bank admitted it is hard to prevent phishing.
"It is difficult to prevent because these criminals do not target banks' highly secure systems. They instead target customers who may not be aware of this kind of fraud," he told the Bangkok Post.
"The best way to protect yourself is to be cautious at all times when making financial transactions. When unsure, check with the bank to verify the SMS.
"On the banks' side, they should frequently remind their customers of new forms of phishing which have come to light," the expert said.
On Dec 16, SCB warned customers on its website of fake SMS messages and links.
The warning message said fraud has even taken the form of fake bank websites with a pop-up window to warn users of fraudulent activities.