In the last week I received not one, but three warnings on my phone about Internet scams. Even more unusually, all of them were genuine. The first was a warning about e-mails purportedly from the Internal Revenue Board (or Lembaga Hasil Dalam Negara). It informed you that you had a tax refund pending that could only be banked in after you clicked a button to send them your bank account data.
A second warning came after a relative of mine received a phone call telling him that his credit card was overdue. He was then transferred to a police station in Kota Kinabalu where he was told drug dealers were involved and that he had to deposit some money into a bank account. A third warning came from the Malaysian courts about syndicates of people who masquerade as court officers, sometimes issuing forged letters purportedly written by the judiciary.
At times these attempts to con people are easy to spot. Something was clearly not right about the e-mail allegedly from LHDN. It was in English only, without a single word of Bahasa Malaysia, and the language did not match the formality I’ve come to expect from government correspondence.
My relative should have been more careful when the bank that called him forwarded him immediately to a police station in Sabah. Once he believed the officer was genuine, there was no hope.
The unusual thing is that the rational part of the brain should be able to understand the risks involved in these situations. I was most surprised at what happened with my relative because he’s a relatively smart guy who works as a consultant with a relatively well-known firm.
One reason the Bad Guys can be so convincing is that they know not only your phone number but possibly other personal details too, such as your name and IC number. With that information in hand, they sound entirely plausible.
But we should be more cautious, surely. Just last month it was reported in Malaysia that more than 46 million personal records were available for download over the Internet. Among them are records from most of the major Malaysian telcos.
The good thing is that the affected companies have been talking with the authorities. What is less good is that, so far, we know little more about the situation than that there was a cyber breach.
In fact, the authorities had allegedly asked the local press to retract the story originally. To date, there has been a lack of transparency about what data was involved, which users were affected, and what the general public can do about the problem.
In this vacuum, someone who does have the data cobbled together a website where you can enter your IC number and it will tell you if your records are part of the breach. Unfortunately, I will not be sharing the URL in this article because I can’t be sure myself how legitimate the website is. If it turns out the owner has a nefarious agenda, I will be putting both this newspaper and myself in trouble.
This is what happens when our institutions and laws don’t do enough to protect us. Even though the Malaysia Personal Data Protection Act 2010 says that companies must keep our data secure, it is less clear whether they have to tell us if they find out our data has been stolen. And it’s definitely not clear if they have to compensate us, the end user, in the case of a breach.
What can be done about this? For a start, try drafting better laws.
In Australia, the Privacy Amendment (Notifiable Data Breaches) Act 2017 will go into effect on Feb 23, 2018. Once that happens, if an Australian company discovers customer data has been stolen, it must inform its customers within 30 days and provide risk mitigation advice. There may additionally be a public investigation, which may result in civil penalties of up to A$1.8mil (RM5.7mil).
The other area where we can do much better is educating the public about these schemes and encouraging them to be sceptical of parties that request personal data (I’m looking at you, condo security firms).
By sceptical, I mean assume that they might be bad guys and don’t trust them with anything. If they give you a phone number and say it’s the personal line of a police officer, assume it might not be and look for confirmation through alternate sources. If they ask you for your data, just say “no” if there is any doubt they may not be who they say they are.
Also, inform the authorities when you’ve been contacted by a potential scammer. By itself one report may not be worth much, but it is a data point that can be analysed over time to see where these threats are coming from.
Lastly, we should push the authorities to do more about this. There is value in a trusted authority that gives good advice about risks and threats on the Internet, as opposed to a random WhatsApp message forwarded to you at 1am.