A 60-year-old Singaporean woman fell prey to a bubble tea survey scam in May 2023 and lost $20,000 after scanning a QR code infected with malware.

She had been enticed by what seemed like a good deal when she visited a bubble tea shop and spotted a sticker pasted on its glass door, which encouraged customers to do an online survey for a free cup of milk tea.

Of course, like most Singaporeans, we can’t just say “no” to free things.

The victim was understandably encouraged to scan the QR code from the sticker, which led her to download a third-party application onto her Android phone to complete the “survey”.

Unfortunately, when things seem too good to be true, it probably is.

After downloading the “application”, $20,000 was transferred away from her bank account while she was asleep.

The “application”, which was actually a disguise for an information-stealing malware programme, enabled fraudsters to access personal details from her device and transfer money away from her bank account.

Rising Cases of Scams Using Malware-Infested “Apps”

Instances of malware-related scams are unfortunately not uncommon. 

Just three months ago, police and banks prevented losses that could have amounted to $260,000 in a sting operation involving 680 scam victims in February 2023. 

These cases included investment, job, e-commerce, phishing, loan, and government official impersonation scams.

Officers from the Commercial Affairs Department (CAD) and seven police land divisions conducted two islandwide enforcement operations between 10 and 24 February 2023, leading to the investigation of 500 scammers and money mules.

Most of the 680 scam victims only realised they had been deceived after the police engaged with them. 

Scam proceeds totalling more than $76,000 were seized, and the police prevented further financial losses of over $260,000 for these victims.

The trend of fraudsters increasingly targeting Android phones for malware-related scam operations is of concern. 

Since March 2023, at least 113 Android phone users have had their banking credentials stolen in phishing scams, leading to losses amounting to $445,000.

Like the 60-year-old bubble tea scam victim, individuals reported falling prey to scams involving malware and personal information theft. 

Authorities Warn Against Downloading Third-Party Applications

In April 2023, the police and the Cyber Security Agency of Singapore (CSA) warned the public about downloading apps from dubious sites due to the rising trend of fraudsters targeting Android phones. 

Despite this, it’s essential to note that Apple users are not immune to these scams either. 

In February 2023, fraudsters impersonated the tech giant to collect personal data from users by sending emails claiming that their Apple ID was locked following multiple failed sign-in attempts. 

Similarly, victims were then led to a QR code generation website to change their password, where fraudsters collected personal data through the malware-infested site.

Whether it be Android or Apple, these individuals are usually lured into these scams after encountering enticing advertisements from platforms like marketing home services or food-related deals on social media platforms like Facebook and Instagram. 

They are typically sent a link that leads them to download third-party applications to book the advertised “services”, which directs them to fake Internet banking login sites, where victims are asked to key in their banking details, including card information.

Like the 60-year-old bubble tea scam victim, victims often realise too late that they have been scammed, only noticing unauthorised transactions or charges to their cards after the fact. 

Mr Beaver Chua, head of anti-fraud at OCBC Bank’s group financial crime compliance department, shared that individuals must be increasingly vigilant as scammers become more innovative with their scam operations. 

In addition to website pop-up banners, which are most common, scammers are now pasting bogus QR codes outside food and beverage (F&B) establishments, which may be indistinguishable from legitimate QR codes and lure unsuspecting consumers.

Scammers Are Getting Smarter

If you thought that only the elderly would fall victim to such scams, you thought wrong. 

Scammers are only getting more innovative, and ironically, most scam victims are younger due to our heavy presence online.

In April 2023, a 14-year-old girl was scammed out of $1,122 by a fraudster posing as a hiring agent. 

The scammer had requested the victim to complete online activities that required the victim to deposit money for the promise of receiving rewards later.

On the other hand, this bubble-tea scam targets people of all ages with its seemingly harmless front as a “survey” that promises free milk tea.

According to Mr Chua, the application downloaded from the QR code contains malware that allows scammers access to the phone’s camera and microphone. 

Victims are also prompted to enable the Android Accessibility Service, an application intended to assist users with disabilities, allowing the scammer to view and control the victim’s screen.

Once the victim completes all the “steps,” the scammer disables the facial recognition function, requiring the victim to physically enter their mobile banking application login credentials and password. 

The scammer then notes the victim’s details and takes control of the phone using malware, transferring money from the victim’s bank account after checking that the victim has left the device unguarded by accessing the phone’s camera.

Mr Chua emphasised that these scams are particularly dangerous because scammers can control the victim’s phone and Internet banking account completely. 

Consequently, victims may not realise that their savings have been wiped out until it’s too late. 

Furthermore, scammers tend to paste these deceptive QR codes on lamp posts near traffic lights and authorised scan-to-pay signs around popular bubble tea outlets to trick unsuspecting victims into thinking these codes are legitimate.

Efforts To Tackle Scams

Authorities like the police and banks have been working together to tackle the rising trend of scams involving victims in Singapore.

During a joint operation conducted by the Singapore Police Force’s Anti-Scam Centre (ASC) and OCBC Bank in March and April 2023, live interventions were carried out to prevent losses of over $12.6 million for more than 700 victims.

The ASC and OCBC officers analysed the fund flows to more than 500 bank accounts that were linked to scam reports to prevent scams from occurring in real-time. 

They identified scam victims who had transferred funds to these dubious bank accounts and sent over 1,000 texts to alert them to ongoing scams. 

These early warnings helped to mitigate the victims’ financial losses.

Additionally, the National Crime Prevention Council (NCPC) established an anti-scam helpline in 2016 to combat the rapidly evolving scams. 

They also launched the ScamShield application in November 2020 to block incoming scam calls and text messages. 

For example, when an unknown number calls, the application checks it against a database maintained by the Singapore Police Force.

How to Remain Vigilant Against Scams

According to Mr Yeo Siang Tiong, general manager for Southeast Asia at cyber-security firm Kaspersky, a discerning public is the most powerful line of defence against scams, even as banks and authorities continue to monitor and recover from scams.

Individuals should exercise cyber-security discipline by avoiding clicking on unknown links or installing unknown apps or software on their devices. 

Meanwhile, businesses should also be vigilant about stickers and QR codes placed on their premises without their knowledge. 

Individuals should also be cautious and seek advice from the establishment if a code appears suspicious or tampered with.

This applies especially to Android users as Android’s operating system software is open source, allowing anyone to modify it.

This results in malicious apps finding their way onto Android devices quickly, increasing the susceptibility of Android users to attacks.

As such, Android users are advised to update their devices with the latest security patches and disable the “Install Unknown App” or “Unknown Sources” in their settings. 

They should also be careful about granting permission to persistent pop-ups that request access to their device’s hardware or data.

Meanwhile, iPhone users are less vulnerable to malware scams via applications as iOS users can download apps only from the Apple App Store, which has stringent guidelines that ensure only legitimate and secure applications are available for users.

Despite this, Mr Yeo states that malware scams are increasing for iPhone users and recommends all individuals to install the ScamShield app and enable security features such as two-factor authentication.

Setting up transaction limits for Internet banking is also advised to limit potential losses in case of a scam. 

Moreover, individuals can identify potential scams by asking questions, verifying personal information and money transfer requests, and validating online listings and reviews.

NCPC’s anti-scam site and hotline at 1800-722-6688 could also provide individuals with more information on scams, while the police’s site and hotline at 1800-255-0000 accept confidential scam reports.

Mobile users can also better protect themselves through advice on CSA’s site.