Mother of all scams thread

[Mooose]

13 hours ago, Windwaver said:

 

this one, sorry to say the guy also a bit careless, otp sent by the bank, in the sms it does say the amount and merchant .. amount is obviously suspicious so should have double checked ..

sometimes we ourselves hold the final key to being or avoiding being scammed .. 

always we say we too busy, we flower eyes didnt see the small print its polish zloty instead of singapore dollars etc ..

really we all should take a step back and take things a little bit slower ..

stay safe everyone!

[Jman888]

21 hours ago, Rayleigh said:

My daughters friend also encountered similar scam tactics. Her saving of more than $1K earned from tuition was wiped clean clean. It looks so legit and it is also true that carousel has a legit payment platform. Hence the confusion. 

https://www.channelnewsasia.com/singapore/877-victims-s836000-lost-carousell-phishing-scams-december-spf-3171571

i dun use their caroupay platform, usually meet the seller/buyer and do cash/paynow on the spot, or via paynow for small amount, at least paynow got name, bank detail and record.

The more they want to protect, the more the scammer can make use of the weak links.

[Rayleigh]

47 minutes ago, Jman888 said:

https://www.channelnewsasia.com/singapore/877-victims-s836000-lost-carousell-phishing-scams-december-spf-3171571

i dun use their caroupay platform, usually meet the seller/buyer and do cash/paynow on the spot, or via paynow for small amount, at least paynow got name, bank detail and record.

The more they want to protect, the more the scammer can make use of the weak links.

That was precisely the problem. A secured payment option (caroupay) but not mandatory which resulted in many individuals not familiar with the know-how of secured payment platform. Hence the exploitation. I am aware but have not use Caroupay platform before and potentially, i might be the next victim. 

[Windwaver]

1 hour ago, Jman888 said:

https://www.channelnewsasia.com/singapore/877-victims-s836000-lost-carousell-phishing-scams-december-spf-3171571

i dun use their caroupay platform, usually meet the seller/buyer and do cash/paynow on the spot, or via paynow for small amount, at least paynow got name, bank detail and record.

The more they want to protect, the more the scammer can make use of the weak links.

Best is COD but got people sell HDB flats in carousell leh.

 

Edited December 29, 2022 by Windwaver

[Jman888]

31 minutes ago, Windwaver said:

Best is COD but got people sell HDB flats in carousell leh.

 

if you buy hdb online and still thinking that it was like buying things from shopee n lazada, then you deserved to be scammed

 

[Mkl22]

2 hours ago, Jman888 said:

https://www.channelnewsasia.com/singapore/877-victims-s836000-lost-carousell-phishing-scams-december-spf-3171571

i dun use their caroupay platform, usually meet the seller/buyer and do cash/paynow on the spot, or via paynow for small amount, at least paynow got name, bank detail and record.

The more they want to protect, the more the scammer can make use of the weak links.

yeah same. small item and couple of bucks paynow and i ship. big item or big ticket, cash and carry only. if cannot then, get lost! lim peh not selling or buying.

[Mkl22]

1 hour ago, Windwaver said:

Best is COD but got people sell HDB flats in carousell leh.

 

a good friend posted in carousel for his HDB. sold without agent and kept the commissions. i was the one who persuaded him to do so. 

[Stratovarius]

Recently alot of "recruiters" from JobStreet are impressed by my resume and ask me contact their manager... Lol. Come on la....

[Jman888]

56 minutes ago, Stratovarius said:

Recently alot of "recruiters" from JobStreet are impressed by my resume and ask me contact their manager... Lol. Come on la....

a lot.... i receive almost everyday!

profile photo from one of the sender, how to take the job that you offer seriously

 

[Stratovarius]

5 hours ago, Jman888 said:

a lot.... i receive almost everyday!

profile photo from one of the sender, how to take the job that you offer seriously

 

If the manager is the one on the right can consider to call. Lol 😆

[Windwaver]

10 hours ago, Mkl22 said:

a good friend posted in carousel for his HDB. sold without agent and kept the commissions. i was the one who persuaded him to do so. 

Don't kena spam calls all the time?

[Windwaver]

[Windwaver]

The man spent nearly 2000 yuan online shopping for Apple mobile phones, but the seller sent the parcel, inside it was a piece of wood and four bags of air, and the alarm was discouraged.

[Windwaver]

https://www.asiaone.com/singapore/retiree-scammed-3-million-forced-sell-2-properties-pay-loanshark-debt

Retiree scammed of $3 million, forced to sell 2 properties to pay loanshark debt

She was swindled of $3 million and had to resort to borrowing from loansharks as well as selling two of her properties to pay off her debt.

In a Lianhe Zaobao report today (Jan 11), the 74-year-old retiree, Poon Sing Wah, recounted how she was cheated of her hard-earned money back in 2019.

According to Poon, a former Zaobao reporter, the caller had pretended to be an employee from courier company DHL, indicating that Poon had sent several forged passports to Beijing which were being detained at customs.

Later on, a man who claimed to be an "interpol police officer" in China told Poon that she was being investigated for masterminding a money laundering scheme and had been found guilty.

And as a result, all the money in her bank account in China would be frozen for two years.

Poon was born in Shanghai and still maintained a bank account in China, Zaobao reported, adding that the news worried the woman as she had been planning to use the sum of money the next month.

Losing $10,000 every three seconds

Preying on her distress, the scammer then offered to "clarify the facts" and even introduced a "general prosecutor" to help her.

They even got a female "police officer" to hand her the documentation of her "crimes" as proof, warning her not to tell anyone.

"Both times, the person would meet me at the carpark (at her condo in Singapore)," she shared in a video interview. Although she seemed evasive, they told Poon it was because the police were secretly helping her.

Just like that, Poon gradually fell into the web of deceit as she heeded every instruction from the scammers.

The elaborate ruse also saw Poon logging on to a website said to belong to the China police.

She was instructed to press the "ok" button on her digital token every three seconds to "verify her fingerprints".

Poon later realised that each time she pressed the button, tens of thousands was siphoned out of her account.

"I lost 50,000 (S$9,800) yuan every three seconds." 

According to Zaobao, Poon logged in to her China Zheshang Bank account a total of 266 times in 20 days, with the outflow of bank transfers amounting to an eye-watering 14.86 million yuan.

"That's the equivalent of 3.03 million Singapore dollars then," shared Poon in a video interview with the Chinese daily. 

Poon, who lives alone, claimed that she was unaware that her life savings were being gradually emptied during those 20 days.

She simply thought she could get out of trouble by following the instructions and allowing the "Beijing Bank supervisory committee" to review her account.

Left with 15 cents in bank account

But that wasn't all.

In addition to wiping out her entire savings, the scammers also requested that Poon remit more money based on stories that they'd constructed.

They told her that they had to prove her financial strength to Chinese authorities by transferring cash from her Singapore account to her China Zheshang Bank account.

She was also told to pay bail for a police officer who'd helped her, as well as pay the burial fees of a victim who died because of her.

To raise the additional money that they asked for, Poon not only borrowed money from friends but also approached loansharks.

Poon only came to the realisation that it could all be a scam when a friend told her of the possibility. But it was too late. 

Poon panicked when she realised she could not log into her China Zheshang Bank account. She called a bank representative, only to find out that she was left with just 0.76 yuan in her account. 

She flew to Shanghai two days later and made a police report but was told by the police there that it was out of their jurisdiction as the crime did not happen in China. 

Thoughts of ending her life

To clear her loanshark debt, Poon said she was forced to sell off two of her properties with her daughter's help, Zaobao reported.

Poon told the Chinese evening daily that she lost 10kg from the incident and had even thought of ending her life.

"Although I wouldn't have to care about anything if my life ended, but what about others whom I owed money to?"

Poon eventually decided to step forward and share her experience in hopes that it can serve as a warning to others.

"I would like to use this unfortunate incident to raise the public's awareness," she shared, likening the dreadful tactics of scammers to "terrorists".

Poon also took legal action against China Zheshang Bank for their alleged lapses in security but failed to win the favour of the court nor managed to obtain any compensation.  

What gave her some comfort was that her children did not get angry nor reprimand her after finding out about the situation.

"I apologised and told them I was very sorry, as that sum of money was meant to have been theirs," said Poon.

[Windwaver]

https://www.straitstimes.com/opinion/forum/forum-group-using-teens-in-door-to-door-sales-to-evoke-sympathy-and-reap-abnormal-profits

Forum: Group using teens in door-to-door sales to evoke sympathy and reap abnormal profits

A group has been actively recruiting teenagers to sell blocks of ice cream door-to-door in Housing Board estates. The teenage son of one of my relatives is among these recruits.

They are often drawn to posts on Instagram in which teens show off the large sums of cash they have made from the ice cream sales.

Teens who are interested contact the group, and are assigned to a certain HDB precinct. They are provided with a push cart, an ice box and the ice cream. The locations change each day, perhaps to ensure that the same homes are not visited too frequently, which could lead to a complaint made to the authorities.

The teenagers who were recruited were instructed to wear only slippers and not shoes, and to avoid flashy clothing, with the aim of giving potential buyers the impression of less well-off students trying to earn some pocket money.

The group sells the teens the ice cream at $7.50 a block, and they are told to sell it door-to-door for at least $15 per block. The teens pocket the difference as profit.

I have been told that selling 10 blocks in three hours during the evening is easily achievable, which would net the teen $25 per hour of work – very good pay for a student, and way higher than the current rate for part-time jobs available to students.

The bigger concern to me is that a dangerous seed is being planted into these young minds, that one can evoke sympathy and make abnormal profits.

This group’s business activities need to be stopped; it is taking advantage of teenagers, and may be leading them down a dangerous path.

This group is clearly the biggest winner here – the larger the pool of teenage recruits, the larger its profits.

Chin A. Ong

[t0y0ta]

7 minutes ago, Windwaver said:

https://www.asiaone.com/singapore/retiree-scammed-3-million-forced-sell-2-properties-pay-loanshark-debt

Retiree scammed of $3 million, forced to sell 2 properties to pay loanshark debt

She was swindled of $3 million and had to resort to borrowing from loansharks as well as selling two of her properties to pay off her debt.

In a Lianhe Zaobao report today (Jan 11), the 74-year-old retiree, Poon Sing Wah, recounted how she was cheated of her hard-earned money back in 2019.

According to Poon, a former Zaobao reporter, the caller had pretended to be an employee from courier company DHL, indicating that Poon had sent several forged passports to Beijing which were being detained at customs.

Later on, a man who claimed to be an "interpol police officer" in China told Poon that she was being investigated for masterminding a money laundering scheme and had been found guilty.

And as a result, all the money in her bank account in China would be frozen for two years.

Poon was born in Shanghai and still maintained a bank account in China, Zaobao reported, adding that the news worried the woman as she had been planning to use the sum of money the next month.

Losing $10,000 every three seconds

Preying on her distress, the scammer then offered to "clarify the facts" and even introduced a "general prosecutor" to help her.

They even got a female "police officer" to hand her the documentation of her "crimes" as proof, warning her not to tell anyone.

"Both times, the person would meet me at the carpark (at her condo in Singapore)," she shared in a video interview. Although she seemed evasive, they told Poon it was because the police were secretly helping her.

Just like that, Poon gradually fell into the web of deceit as she heeded every instruction from the scammers.

The elaborate ruse also saw Poon logging on to a website said to belong to the China police.

She was instructed to press the "ok" button on her digital token every three seconds to "verify her fingerprints".

Poon later realised that each time she pressed the button, tens of thousands was siphoned out of her account.

"I lost 50,000 (S$9,800) yuan every three seconds." 

According to Zaobao, Poon logged in to her China Zheshang Bank account a total of 266 times in 20 days, with the outflow of bank transfers amounting to an eye-watering 14.86 million yuan.

"That's the equivalent of 3.03 million Singapore dollars then," shared Poon in a video interview with the Chinese daily. 

Poon, who lives alone, claimed that she was unaware that her life savings were being gradually emptied during those 20 days.

She simply thought she could get out of trouble by following the instructions and allowing the "Beijing Bank supervisory committee" to review her account.

Left with 15 cents in bank account

But that wasn't all.

In addition to wiping out her entire savings, the scammers also requested that Poon remit more money based on stories that they'd constructed.

They told her that they had to prove her financial strength to Chinese authorities by transferring cash from her Singapore account to her China Zheshang Bank account.

She was also told to pay bail for a police officer who'd helped her, as well as pay the burial fees of a victim who died because of her.

To raise the additional money that they asked for, Poon not only borrowed money from friends but also approached loansharks.

Poon only came to the realisation that it could all be a scam when a friend told her of the possibility. But it was too late. 

Poon panicked when she realised she could not log into her China Zheshang Bank account. She called a bank representative, only to find out that she was left with just 0.76 yuan in her account. 

She flew to Shanghai two days later and made a police report but was told by the police there that it was out of their jurisdiction as the crime did not happen in China. 

Thoughts of ending her life

To clear her loanshark debt, Poon said she was forced to sell off two of her properties with her daughter's help, Zaobao reported.

Poon told the Chinese evening daily that she lost 10kg from the incident and had even thought of ending her life.

"Although I wouldn't have to care about anything if my life ended, but what about others whom I owed money to?"

Poon eventually decided to step forward and share her experience in hopes that it can serve as a warning to others.

"I would like to use this unfortunate incident to raise the public's awareness," she shared, likening the dreadful tactics of scammers to "terrorists".

Poon also took legal action against China Zheshang Bank for their alleged lapses in security but failed to win the favour of the court nor managed to obtain any compensation.  

What gave her some comfort was that her children did not get angry nor reprimand her after finding out about the situation.

"I apologised and told them I was very sorry, as that sum of money was meant to have been theirs," said Poon.

Shanghainese got a lot of money.... that's the take-away from what I read.

Scammer squeeze and squeeze still got $$

I really hope those scammers get retribution on them, a accident with a out-of-control large truck (korean style) would be appropriate.

[Atonchia]

5 hours ago, Windwaver said:

https://www.straitstimes.com/opinion/forum/forum-group-using-teens-in-door-to-door-sales-to-evoke-sympathy-and-reap-abnormal-profits

Forum: Group using teens in door-to-door sales to evoke sympathy and reap abnormal profits

A group has been actively recruiting teenagers to sell blocks of ice cream door-to-door in Housing Board estates. The teenage son of one of my relatives is among these recruits.

They are often drawn to posts on Instagram in which teens show off the large sums of cash they have made from the ice cream sales.

Teens who are interested contact the group, and are assigned to a certain HDB precinct. They are provided with a push cart, an ice box and the ice cream. The locations change each day, perhaps to ensure that the same homes are not visited too frequently, which could lead to a complaint made to the authorities.

The teenagers who were recruited were instructed to wear only slippers and not shoes, and to avoid flashy clothing, with the aim of giving potential buyers the impression of less well-off students trying to earn some pocket money.

The group sells the teens the ice cream at $7.50 a block, and they are told to sell it door-to-door for at least $15 per block. The teens pocket the difference as profit.

I have been told that selling 10 blocks in three hours during the evening is easily achievable, which would net the teen $25 per hour of work – very good pay for a student, and way higher than the current rate for part-time jobs available to students.

The bigger concern to me is that a dangerous seed is being planted into these young minds, that one can evoke sympathy and make abnormal profits.

This group’s business activities need to be stopped; it is taking advantage of teenagers, and may be leading them down a dangerous path.

This group is clearly the biggest winner here – the larger the pool of teenage recruits, the larger its profits.

Chin A. Ong

NKF charity shows and all Charity shows also evoke emphathy, guilt and emotions to make phone calls.

Some acrobatic performance, key highlights of recipients. 

Then reminders in chorus of phone number to dial.

Likewise for the ice-cream 

Willing seller, willing buyer.

[Windwaver]

Be careful when using eSIMs.

https://mothership.sg/2023/01/circles-life-esim-swap-fraud/

'Hacker' obtains OTP via help chat, activates Circles.Life user's eSIM & logs into her e-commerce accounts

The "hacker" made off with only S$6.99, but the ordeal has left the user distraught.

A typical evening for Circles.Life user, Sim, 34, was disrupted when she received an email of a chat log with a service agent -- one which she did not initiate.

What came later was a dramatic episode involving the attempted "hacking" of Sim's personal accounts, and Sim desperately defending herself against it.

Dec. 29: gaining entry

On Dec. 29 at around 8:07pm, Sim received an email containing a chat log between "her" and a Circles.Life service agent via the telecommunications company's online chat.

The alarming thing was, Sim did not initiate the conversation.

Based on screenshots of the chat seen by Mothership, the "hacker" impersonating Sim claimed that they could not "login my email id to get my otp".

The impersonator wanted help to "change my email".

After a chat bot sent several automated messages, a Circles.Life service agent entered the chat and attended to "Sim".

When the agent advised that the email could be changed through the Circles.Life app, the impersonator insisted that they could not get the OTP, explaining that it was "why i am here sir".

The agent then offered help with getting the OTP, but not before a security challenge to confirm the identity of "Sim".

Without much delay, the impersonator seemed to be able to provide the personal details that were requested.

Notably, from what is visible in the screenshot, while the service agent only requested the last four alphanumeric characters of Sim's NRIC, the impersonator was able to provide her entire NRIC number.

With these details, the impersonator passed the security challenge and was provided with the OTP.

The impersonator even agreed to give a "thumbs-up" to the service agent.

Sim shared that nothing else happened on Dec. 29.

A day later, Sim alerted Circles.Life.

She said:

"I contacted Circle.Lifes on Dec. 30 to escalate this potential hacking case to their security team, and emphasised that I have no intention to make changes to my account, urging them not to handle any request that may once again come through to them via the online chat."

After the call, a service agent from the telco wrote back, reiterating that Sim's concerns had been raised to the security team as it was a "serious matter".

Sim was also assured that this will not be taken lightly.

"The Circle.Life staff assured me that they were looking into it, so I didn't proceed to make a police case or port away my number knowing that Circle.Life was ‘working’ on this," Sim added.

Jan. 2: fraud attempts

The next few days proceeded uneventfully, until Jan. 2.

Same modus operandi as Dec. 29

Sim received an email from Circles.Life at about 7:56pm that day.

Again, the email detailed a chat log of a conversation between "her" and a service agent.

The impersonator acknowledged that they had sought help with the OTP in the "last few days", but claimed to have forgotten to "change my mail" at the time.

Again, the impersonator requested help with the OTP to resolve purported troubles with email access.

Similarly, a service agent replaced the chat bot upon the impersonator's request.

The agent issued a security challenge to ensure that they are "only coordinating with the main account holder".

As like before, seemingly correct personal details were provided

Eventually, the OTP was given to the impersonator.

This time, however, the impersonator didn't stop there.

eSIM activated

At the same time Sim received the email of the chat log, she lost connection to her phone line.

The moment it dawned on her that the impersonator might have activated the eSIM, Sim attempted to contact Circles.Life.

Unfortunately, she found that their live chat service ended at 8pm that day.

Desperate, Sim's husband reached out to Circles.Life on Facebook.

Sim's phone line was eventually suspended with the help of the telco's service agent slightly more than an hour later at 9:18pm.

Attempted access to e-commerce accounts

However, it seemed to be too late.

Sim shared that although she thought the line was successfully suspended, "there were actually activities going on in my Shopee account".

"As I was still in the midst of calling to cancel my various cards and suspend my bank accounts, my UOB card was still active at that point of time which allowed the hacker to top up S$500 to my Shopee Pay wallet", Sim recounted.

What ensued was a game of cat and mouse.

The impersonator attempted to make a purchase on Shopee with Sim's account.

"Then there were many attempts to lock out each other, with me using my email to reset my Shopee password and for the hacker, it could likely be using the OTP sent to my phone number to reset the password", Sim surmised.

After five failed attempts to Sim's Shopee Pin, her Shopee Pay wallet was frozen.

Making contact with the malicious actor

With the impersonator now in the driver's seat of Sim's phone line, Sim's husband reached out to the impersonator via Sim's phone line at 9:11pm in an attempt to reason with the bad actor.

The impersonator responded in what appears to be Cyrillic script, with a taunt and presumably a ransom demand of US$300 (S$400).

The impersonator continued communicating with Sim and her husband via email.

That same night, attempts to top up cash into Sim's Lazada account failed.

Eventually, the attempts to take over Sim's account stopped.

"I would think it stopped when all my accounts that could be overtaken by OTP were overtaken. And with my bank cards and accounts cancelled or locked, there could be no further attempt to transfer out my funds," Sim said.

Sim shared that the impersonator successfully accessed her Shopee, Lazada, Grab and PayPal accounts.

She also lost access to her emails and WhatsApp account.

Thankfully, the impersonator only managed to make off with a grand total of S$6.99 from Sim's GrabPay wallet.

Sim has no clue how the impersonator managed to gather all her personal details.

"I did ask Circles.Life if it could be an internal data breach but after their investigation, they confirmed it is not due to their internal data breach", Sim said.

Left distraught after ordeal

Following the incident, Sim shared that she had to take time away from work to deal with the aftermath of the ordeal, including giving statements to the police.

The whole episode has caused her great distress, so much so that she has had sleepless nights since the incident.

"It took Circle.Life days before acknowledging their problem and the compensation they were willing to give to me is free 12-month mobile subscription with them", Sim said.

Sim pointed out that the telco clarified that what they offered was not "compensation" but "goodwill", and she has not accepted the offer.

On Jan. 3, Sim received a replacement physical SIM card from Circles.Life to "override" the eSIM activated by the impersonator.

Before the incident, Sim had been using Circles.Life for more than a year.

She has since switched telcos, although she is keeping the Circles.Life line active for now as she makes the transition to her new phone number.

In response to queries from Mothership, the police confirmed that reports were lodged and investigations are ongoing.

Perplexed by security process

In the wake of the incident, Sim was left with several realisations and wonderings about the telco's security process.

For one, Sim feels that there could have been "protocols in place" to prevent changes to the customer's account from the moment she reported about the suspicious activity on Dec. 29.

"This should have made my account a high-risk case that would warrant their immediate attention as I did highlight to them how detrimental it could be if the 'hacker' succeeded in taking over my account", Sim opined.

From the experience, Sim also realised that she was left with little means of emergency assistance, such as a 24-hour hotline, on Jan. 2 after 8pm.

Sim guessed that the impersonator might be exploiting this fact, since the chat on Jan. 2 was initiated close to 8pm.

Crucially, Sim shared that she was later told by Circles.Life that the phone line suspension "is for outgoing calls and data usage only".

As such, the impersonator was able to receive "incoming messages nonetheless", including the OTPs, Sim speculated.

"I would think they could have fully suspended my line after I reached out to them via FB messenger", Sim wondered.

Full protection extended following incident: Circles.Life

A Circles.Life spokesperson told Mothership that the telco regards customer data safety as a "top priority".

According to the spokesperson, its in-app Live Chat function is available from Mondays to Fridays, 8am to 11pm.

It is also available on Saturdays, Sundays and Public Holidays from 8am to 8pm.

Users will also be able to "obtain timely responses" on Facebook messenger [daily from 8am to 11pm], emails and voice calls, the spokesperson added.

Speaking on the incident, the spokesperson said:

Following the incident, Circles.Life moved swiftly and decisively to extend its fullest protection before escalating the matter to the relevant authorities and support teams to resolve the matter.

We can therefore confirm the absence of any further suspicious in-account activity post-suspension following a comprehensive review process. As a result, the customer has also accepted Circles.Life's offer to reactivate the line and is in the midst of discussions regarding compensation for any inconveniences incurred. We empathise with the customer over the circumstances, and will continue to render support to the fullest extent possible.

[...]

While users are encouraged to protect their personal information via periodic reviews of their data security measures, Circles.Life also plays an active part in reminding and reinforcing its comprehensive data protection policy extending across all its users with educational materials such as regular eDMs and bite-sized social media content. More information is available here.

Mothership followed up by asking Circles.Life what their "fullest protection" entailed, and if plans to modify their security protocols, such as extending helpline hours, and the process of escalating urgent requests are being considered.

In response to these queries, the spokesperson added:

The modus operandi for scams and fraud cases are ever-evolving and we want to continuously remind the community to remain vigilant against new variations. As soon as the potential of fraud was ascertained, Circles.Life suspended the account in question as part of our damage control protocols to minimise data compromisation, while maintaining an open line of communication and support with the customer.

[...]

Following the incident, Circles.Life will be setting up a dedicated Scam & Fraud taskforce to manage future incidents of a similar nature, thus ensuring quicker response times as a result of a streamlined issues escalation process. Amidst a backdrop of evolving scams, Circles.Life will continue to work in tandem with all relevant regulatory bodies to educate users on the risks associated with personal data protection, while advising its users to remain vigilant and exercise discernment as we continue to re-assess our security protocols and issues escalation processes to safeguard our community.

Responding to queries from Mothership, an Infocomm and Media Development Authority (IMDA) spokesperson said that IMDA is currently investigating the incident.

"We are unable to share more information as investigations are ongoing", they added.

Mothership has also reached out to the Cyber Security Agency for comments, and will update the article as soon as more information is shared.

Process issue, not "hacking": Cybersecurity expert

Speaking to Mothership, Aaron Ang, Director of Education at Right-Hand Cybersecurity and Chief Executive (Cyber Youth Collective) at Cyber Youth Singapore, shared that this is not a case of "hacking" nor a matter of vulnerability.

Method used by malicious actor

Rather, the malicious actor had employed a method known in the industry as "social engineering".

Ang shared a video which helped exemplify "social engineering" and was similar to the modus operandi of the malicious actor in Sim's case.

Simply put, it involves bad actors using emotional cues to trick call centre service agents, among others, into giving access to a victim's accounts.

In the case of Sim, the malicious actor had the added advantage of Sim's personal information to trick the telco's staff:

"What’s likely to have happened is that the user’s personal details were leaked through certain means, and the perpetrator is using that info to get access to the account."

When asked if the ease of activation for eSIMs was an issue, Ang said no, although using an eSIM does "bypass certain traditional verifications that traditional telcos have".

"It’s more of a process issue rather than a vulnerability", Ang shared.

A lot of “hacks” don’t happen because hackers hack technical stuff... It happens because of lapses in policies and processes.

What went wrong with the process

Process-wise, Ang pointed out that OTPs should not be provided over chat.

"It just defeats the purpose of [having an] OTP," Ang said.

If a user reaches out to request for changes to an account, there should be "added verification", and it "can't just be over chat".

Ang provided an example of what "added verification" may look like:

One way of verification would be to use the Singpass app to verify your identity (same way you use it to log on to government websites -- scan the QR code with the SingPass app). Corporates can already make use of this service, as I’ve seen some companies do that to verify identity.

However, Ang recognised that more security checks may mean more inconvenience to the users.

For a user who may have genuinely lost their devices and do not have access to apps like Singpass, "it might add frustration".

Small but significant part users can play

When asked what users can do to protect themselves, Ang highlighted that it is incredibly easy for bad actors to gain access to one's personal identifiable information (PII).

He shared:

"Even something as simple as posting a family photo saying "the Tan family wishes all a happy new year" and tagging everyone in the picture can allow a social engineer to work his way in to get PII of someone."

What users can do is to be more aware of the importance of protecting one's personal data, such as their NRIC numbers.

"People usually think 'I’m not some big shot, so what if they have my NRIC number?'" Ang said.

However, things that may seem trivial, such as "knowing your rights when it comes to personal data", can go a long way.