Commentary: That ‘too good to be true’ mooncake deal is probably a scam
Scam tactics for in-demand foods like mooncakes and durian reflect the growing sophistication of bad actors, says Bertha Chan of Google.
SINGAPORE: As the Mid-Autumn Festival nears, many of us are keeping up with the tradition of gifting mooncakes to loved ones. But this year, this custom has become marred by a new scam that targets unsuspecting people with attractive but fraudulent mooncake deals.
In August alone, 27 victims lost at least S$325,000 (US$238,000) to such scam deals in Singapore. Recently in September, a woman lost S$76,000 after downloading a third-party app to purchase mooncakes online.
It is not just mooncakes - we see similar scams involving seasonal and pricey foods like durian and seafood. These scam tactics usually get your attention via “too good to be true” deals, enticing you to click on malicious links.
These links may lead to a fraudulent website, or a request to download a malicious app which can gain access to your device. Any personal information, online account passwords or credit card numbers that you then enter may be harvested by scammers.
It’s a worrying trend that reflects the growing sophistication of bad actors exploiting the convenience and ease of online shopping, especially when something is in demand.
Scammers often create a sense of urgency, forcing people into hasty decision-making. For instance, in some mooncake scams, victims were told their orders were cancelled due to production or manpower issues, then instructed to install an APK file to obtain a refund - thus granting scammers access to their devices.
All it takes is a few clicks to lose one’s sensitive data, or even all of one’s savings. With the year-end shopping season fast approaching, we must stay alert when making purchases online.
STEPS TO STAY PROTECTED
Phishing domains have become more difficult for web browsers to block - today, 60 per cent of them exist for less than 10 minutes. When sellers redirect you to a website or URL link to make payment, it’s best practice to verify the site’s authenticity first by contacting banks, telcos, delivery services or government agencies.
If your smartphone has existing security protections built in, it will give a warning when an app is being sideloaded. Slow down and take time to read through the prompt before pressing “OK”.
Also, before downloading any app - whether from an official app store or a developer’s website - pay extra attention and check the details, including user reviews, app permissions, number of downloads and even the background of the developer.
For instance, if you find a globally popular app that has only several hundred or thousand downloads, it warrants suspicion that it is a malicious app masquerading as the official version.
In other cases, fake apps often ask for additional authorisations that are not necessary. For example, a calculator app should not be asking for access to your contacts or photos.
To keep your device safe, in addition to the built-in protection of your device’s app store that automatically scans for potentially harmful apps, you should always pay attention to prompts or notifications alerting you of any risks.
Checking the data privacy section available on app stores can give you information on what data the developer is collecting and for what purpose, whether the developer is sharing data with third parties, and the app’s security practices, such as whether the data is encrypted.
SHIFTING OUR MINDSET AND BEHAVIOUR
You might think that scams are all about deceptive messages and information you receive online. But sometimes scams function as a result of what we share online.
For example, we might share details like the names of our family members or friends on social media posts. A bad actor who sees this information might use it to craft scam messages that impersonate people you know - making the deceptive message more convincing.
Remember that anything you share online - whether on social media, online forums or instant messaging apps - could reach more people than you intended.
To protect yourself against scammers, these three golden rules apply.
First, slow it down. Are they telling you it’s urgent? Take your time and ask questions to avoid being rushed into a bad situation.
Second, do a spot check. Are they claiming to be from a specific institution? Do your own research and check the details you’re getting.
Third, don’t send. Are they asking you to make a payment now to get exclusive discounts or more incentives? If you think a payment feels fishy, it probably is. Report it as needed.
As bad actors continue to evolve, we must increase our resilience against them by building good online habits.
Bertha Chan is Asia Pacific Engagement Lead of Trust & Safety Global Engagements at Google.