From digital home invasions to discovering chunks of money missing from saving accounts, the emergence of the Internet has made the world a scarier place.

This Halloween, we have rounded up some of the terrifying encounters people have had with hackers as well as the safe precautions that can be taken to prevent such occurrences.

Who’s watching who?

Smart home security cameras make monitoring convenient, allowing owners to remotely view their houses on their mobiles while they are away.

What started out as a product that offered peace of mind has become a source of terrifying experiences for some.

Is someone secretly watching you from your home security camera? — Freepik.com

In 2019, a hacker gained access to a Ring security camera belonging to a family in the United States to harass an eight-year-old girl in her bedroom.

The hacker played Tiny Tim’s rendition of Tiptoe Through The Tulips, a song featured in the Insidious horror movie, before telling the girl: “I am your best friend. I’m Santa Claus. Don’t you want to be my best friend?”

The petrified girl could only listen in horror before crying out for her mother.

“They could have watched them (she has three daughters) sleeping, changing. I mean, they could have seen all kinds of things,” the girls’ mother, Ashley LeMay, told WMC Action News 5.

“Honestly, my gut makes me feel like it’s either somebody who knows us or somebody who is very close by.”Another family in the US reported a similar shocking experience.

On a Wednesday morning, Adam Krcilek and his daughter were in the kitchen.

He was not aware that a hacker was watching them through a Ring camera on the kitchen counter.

When he left the house to start his car, the hacker began making contact with his daughter, who was alone in the kitchen.

“What are you watching? Hey, what show is that? I’ve seen that show before. What episode are you on?” the hacker asked. She didn’t answer.

When Krcilek entered the kitchen, he heard a voice saying, “What are you eating?” followed by a faint laugh.

He eventually realised that the voice was coming from the Ring camera, which he unplugged immediately.

“Once I finally realised, I was like, who is this person talking to us and my daughter? There would have been other choice words if she hadn’t been down here,” Krcilek said to US news site 1011 Now.

He reported the incident to Ring and was told that another phone had logged into his account, but the company was not able to trace it back to anyone.

In 2020, a newspaper reported that footage taken from security home cameras in Singapore was being shared online, some even on pornographic sites.

A group on Discord, which claimed to be responsible, was even offering lifetime access to clips from various countries for a one-time fee of US$150 (RM710).

The group claimed to have shared over 3TB of footage, adding that those who pay more will be given tutorials and personalised sessions on how to watch a live feed and even record hacked cameras.

Tech tips: Ring, a company owned by Amazon, said in a statement that the hacking incidents were not due to the business suffering a data or security breach.

Instead, the company blamed the incidents on customers’ poor management of their usernames and passwords.

“Due to the fact that customers often use the same username and password for their various accounts and subscriptions, bad actors often reuse credentials stolen or leaked from one service on other services.

“As a precaution, we highly and openly encourage all Ring users to enable two-factor authentication on their Ring account, add Shared Users (instead of sharing login credentials), use strong passwords, and regularly change their passwords,” it stated.

Any device that is connected to the Internet is vulnerable to attacks, so it’s also important to make sure that the device has the most recent firmware to fix any security holes.

Using the same username and password for multiple accounts is one of the big no-nos. — Freepik.com

Hack attack

In 2014, Hao Kuo Chi, or “icloudripper4you”, as he is known online, “led a terror campaign from his computer” to distress victims, mostly women, according to the FBI.

In a statement, the US Department of Justice (DOJ) said Hao conspired with others to gain unauthorised access to iCloud accounts belonging to US users.

Hao was able to illegally access victims’ accounts by impersonating Apple customer service staff via email and tricking them into giving out their IDs and passwords.

He was in search of intimate photos and videos of young women, which he uploaded to a website to harass and embarrass them. Hao also traded the photos with others.

The DOJ found that Hao had over 500 victims’ photos and videos on 3.5TB of data stored on the Cloud and on hard drives.

He was sentenced to nine years in jail in June.

Tech tips: An online invasion could have a catastrophic impact on mental health, according to experts, as victims may struggle with feelings of powerlessness and vulnerability.

It could also cause depression and anxiety, as well as post-traumatic stress disorder if victims are reminded of the ordeal.

To cope with cybercrime, victims are urged to find support and talk about their issues with a trusted individual.

To avoid such incidents, don’t divulge usernames and passwords, even if a person claims to be support staff.

It’s also paramount that users tighten their privacy settings for online accounts and think twice before clicking on links received via email or social media messages.

Unknown user

Social media networks have made it easy for users to connect with anyone almost instantly.

However, do you know if the person you’re chatting with is really who they are claiming to be?

While making connections is easy to do online, you can never be sure who you are chatting with. — Freepik.com

In 2012, American college football player Manti Te’o revealed that he had lost both his grandmother and girlfriend Lennay Kekua in two separate incidents.

Kekua had succumbed to leukaemia. Though distraught, Te’o soldiered on, not missing any games, as he had promised her that he would continue to play even if something should happen to her.

Te’o’s story of perseverance over a gruelling football season while dealing with heartbreak gained him national recognition, and he went on to become one of the most popular college football players at the time.

All of that changed in 2013, when a US news portal published a damning expose exposing that Kekua did not exist.

Kekua was a phoney online persona created by Te’o’s acquaintance using photos stolen from Facebook.

Though Te’o had claimed that he had met his girlfriend in-person, it was later revealed that he had only ever interacted with her on the phone and online.

He said in a statement, “It was painful and humiliating to find out that I was the victim of what seemed to be someone’s sick joke and constant lies.”

However, his reputation still took a hit and his ordeal became a cruel Internet meme. CNBC projected that Te’o may have lost at least US$8mil due to a loss of opportunities in sponsorship and the chance to be selected to join American football teams.

In Malaysia, fake online identities have been used by scammers to fool victims into developing relationships.

In June, a 66-year-old pensioner claimed to have lost over RM4.3mil to a man claiming to be an American geologist.

The woman allegedly made 190 bank transfers for a range of reasons, including helping him pay debts, obtaining a work permit, and settling lawyers’ fees for the man’s family estate.

She filed a police report after discovering she had been duped.

Tech tips: A catfisher is a term used to describe a person that tries to lure someone into a relationship with a fake persona, often using images of other individuals taken from social media.

A simple image search on Google is one of the easiest ways to reveal the original source of a photo.

Locally, police have urged members of the public to be aware of the modus operandi or typical tactics used by online love scammers.

In June, Johor police chief Comm Datuk Kamarul Zaman Mamat said scammers would often impersonate “successful foreign men’’ from countries like Germany and Japan.

They would target victims on social media and shower them with affection to gain their trust.

In most cases, the scammer would eventually claim to have sent a gift, which would require a fee to be paid to the Customs Department to be released.

He added that some individuals have also allowed their bank accounts to be used as mule accounts by online syndicates.

One way to find out if a bank account is linked to any suspicious activities is to check the Semak Mule portal of the Commercial Crime Investigation Department.

Dirty job

It started with an ad on Facebook offering a five-hour house cleaning service for RM50. Thinking that it was an irresistible deal, a woman called up the company and was given a link to download an app to pay an advanced payment of RM10 to book an appointment.

However, when she tried to pay through the app, the transaction was unsuccessful.

Thirty minutes later, she received a message from her bank stating that RM4,700 had been transferred out of her account.

Melaka police chief Datuk Zainol Samah said in a statement on July 18 that the victim had filed a report at the Kuala Sungai Baru police station and that the case is being looked into under Section 420 of the Penal Code for cheating.

“As a precautionary measure, people are asked not to easily believe advertisements on social media and not to download and install APKs sent directly to their phones by unknown individuals,” he said in a report.

A similar incident occurred last November. A woman lost RM4,255 after trying to pay an RM20 deposit via an app that she downloaded from a WhatsApp link sent to her by a so-called cleaning service.

Tech tips: A WeLiveSecurity report, “Fake E‑shops On The Prowl For Banking Credentials Using Android Malware 2022”, identified seven online services that were targeting Malaysians.

The services – six offered cleaning services, while the remaining one was a pet store – were only available in Malaysia.This campaign was first identified at the end of 2021, with attackers impersonating a legitimate cleaning service.

“Distributed through Facebook ads, the campaign tempts potential victims to download Android malware from a malicious website,” the report stated, adding that the goal of the operators is to obtain the banking credentials of their victims.

After victims pick a direct transfer option, they will be presented with a fake payment page and asked to choose one of eight Malaysian banks.

At this point, the entered credentials will be captured and sent to the malware operators.

“To make sure the threat actors can get into their victims’ bank accounts, the fake applications also forward all SMS messages received by the victim to the operators in case they contain two-factor authentication codes sent by the bank,” it stated.

WeLiveSecurity went on to say that the first step to protecting yourself from these kinds of threats is to ensure you are shopping on a legitimate website.

Users should verify that the website is secure by checking if the address (or URL) starts with https, it said, noting that most browsers will explicitly warn users or refuse a connection if it’s not.

It urges users to be wary of clicking ads or following paid search results, as they may not lead to the official website.

When downloading apps, it’s important to ensure that they are from the official store and not another source.

Finally, users should turn on software or hardware (such as fingerprint recognition) as two-factor authentication instead of SMS wherever possible.