JAKARTA (The Jakarta Post/Asia News Network): On the night of March 12, a Bogor resident who asked to be referred to as Regina lost Rp 4.5 million (US$308) after giving her banking credentials to someone claiming to be a customer service (CS) representative from Bank Negara Indonesia (BNI).
The so-called CS representative contacted Regina after she tagged BNI’s official Twitter account, @BNI, on the social media platform to complain about a problem with her mobile banking account.
The person then directed Regina to a WhatsApp chat. “Because I needed to resolve the issue fast and I was also not careful, I clicked the link they gave me and we chatted via WhatsApp,” she recalled, adding that she gave her 16-digit card number, as well as the three-digit card verification code (CVC) and a one-time password (OTP) sent to her phone.
“I was reluctant to give them my OTP, but they convinced me that they were legitimate. The person even gave me their name and employee identification number,” Regina told The Jakarta Post on April 5.
After realising that she had been scammed, she went to check with a teller the next day and found that the bank could not trace or return her missing funds.
“They told me that even if I reported the incident, there was no guarantee I could get my money back,” she said.
“I hope banks have a way to respond to or block these scammers so that people know which accounts are real.”
Regina is one of 2 million bank clients that cybercriminals have tried to lure into similar scams. The fraudsters impersonated at least seven large Indonesian financial institutions, according to a report by Group-IB, a global threat hunting and cyber intelligence company.
The company found that as of early March, 1,600 Twitter accounts were impersonating the seven banks, 2.5 times more than the 600 fake Twitter accounts recorded in January.
“This scam campaign is consistent with a trend toward the use of multistage scams, which help fraudsters lure in their victims. They are successful because of the lack of comprehensive digital asset monitoring by financial institutions,” said Group-IB digital risk protection head for Asia Pacific Ilia Rozhnov in a statement on March 31.
He added that because of such attacks, banks risked losing their customers’ trust and that banks should carry out round-the-clock monitoring of the internet to promptly detect any fraud attempts.
Rozhnov also said the company had only seen the scheme at “such a scale” in Indonesia.
However, previous Group-IB research showed that cybercriminals often chose one location as a testing ground for their activities before “exporting” it abroad.
“Given that the ongoing scam campaign has seen exponential growth and that cybercriminals continue expanding the infrastructure for the scam, it seems that [...] we are likely to see it rise further, possibly in neighbouring countries,” he said.
There has also been a global surge of social engineering attacks, in which attackers try to breach companies’ security through their customers, who are easier targets than company staff members, who remain under corporate surveillance, Rozhnov added.
Twitter Indonesia did not respond to The Jakarta Post's request for comment. A 2018 PricewaterhouseCoopers survey found that Indonesian banks considered cybersecurity threats the biggest risk to the industry and that such threats would be the major risk for digital banking for the following two to three years.
Meanwhile, big data consulting company Drone Emprit founder Ismail Fahmi noted that from Feb 11 to March 12, Twitter activities with the keyword “LiveChat” were commonly found on accounts mimicking Indonesia’s largest banks by assets, namely Bank Rakyat Indonesia (BRI), Bank Mandiri, BNI and Bank Central Asia (BCA).
However, BNI corporate secretary Mucharom Hadi Prayitno said the company had not seen an uptick in online fraud cases.
“If you find someone asking for your personal data through social media, please ignore them and report them to us because BNI never asks for clients’ personal data through social media direct messages,” he said in a text message on Thursday, adding that clients could contact the BNI call centre instead.
Bank Mandiri and BCA did not immediately respond to the Post’s inquiry.
“Fake CS scams are not new, but they have become more rampant as scammers can easily identify people who are having banking problems via social media,” Ismail of Drone Emprit said on Wednesday.
Ismail added that while such scams also occurred on other social media platforms, Twitter had become a breeding ground for fraudulent accounts because criminals could easily create a programme or a “bot” that automatically replied to customers’ tweets.
Scammers tended to get their victims' attention, he added, at night or during holidays, when official CS personnel were unable to immediately reply to messages.
“We should hold banks more accountable, and banks should also take a fast and more active stance. It is impossible to assign all responsibility to consumers,” Ismail said, adding that banks should also set up an automatic detection and reply system that could notify users immediately after they were targeted by fraudulent accounts. - The Jakarta Post/Asia News Network
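As an added illustration (not code from the article, Group-IB or any bank), the Python heuristic below sketches the kind of automatic detection Ismail describes: it scores replies to a customer's complaint tweet for the impersonation signals the article reports, namely lookalike handles, the "LiveChat" lure, redirection to WhatsApp, requests for card number, CVC or OTP, and off-hours timing. The official handle list (only @BNI is taken from the article), the sample replies, the "night" window and the scoring weights are constructed assumptions.

```python
import re

# Assumed official handle list; only "bni" comes from the article.
OFFICIAL_HANDLES = {"bni"}
# Assumed "night" window in local hours, after the article's off-hours observation.
OFF_HOURS = set(range(21, 24)) | set(range(0, 6))
CREDENTIAL_RE = re.compile(r"\b(card number|cvc|cvv|otp|pin|password)\b")
WHATSAPP_RE = re.compile(r"wa\.me/|api\.whatsapp\.com|whatsapp")

# Constructed sample replies to a customer's complaint tweet (hour = local time).
SAMPLE_REPLIES = [
    {"handle": "BNI", "hour": 10,
     "text": "Hi, please DM us your registered phone number."},
    {"handle": "BNI_LiveChat", "hour": 23,
     "text": "Hi, please contact our LiveChat CS at https://wa.me/62812XXXXXXX"},
    {"handle": "bn1_cs", "hour": 23,
     "text": "Please send your card number, CVC and OTP so we can fix it"},
    {"handle": "random_user", "hour": 11,
     "text": "Same problem here, the app keeps crashing"},
]

def levenshtein(a, b):
    """Plain edit distance, used to catch lookalike handles such as bn1 vs bni."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(handle):
    """True if the handle imitates an official one without being it."""
    h = handle.lower()
    if h in OFFICIAL_HANDLES:
        return False
    return any(off in h or levenshtein(off, h[:len(off)]) <= 1 or levenshtein(off, h) <= 2
               for off in OFFICIAL_HANDLES)

def score_reply(reply):
    """Return (score, reasons); weights are assumptions, tune against real data."""
    text, score, reasons = reply["text"].lower(), 0, []
    for hit, weight, why in (
        (is_lookalike(reply["handle"]), 3, "lookalike handle"),
        ("livechat" in text.replace(" ", ""), 2, "LiveChat lure"),
        (bool(WHATSAPP_RE.search(text)), 2, "redirect to WhatsApp"),
        (bool(CREDENTIAL_RE.search(text)), 3, "asks for card/CVC/OTP"),
        (reply["hour"] in OFF_HOURS, 1, "off-hours reply"),
    ):
        if hit:
            score += weight
            reasons.append(why)
    return score, reasons

def flag_impersonators(replies, threshold=4):
    """Replies scoring at or above the threshold, e.g. to warn the complaining customer."""
    return [(r["handle"], *score_reply(r)) for r in replies if score_reply(r)[0] >= threshold]
```

Flagged replies would feed the warning-reply or takedown-request step a bank's monitoring team runs, not act on their own.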