PETALING JAYA: Public Bank has issued a scam alert urging customers to be wary of advertisements on social media selling mooncakes that require a third-party app to make payments.

It said third-party apps not hosted on official app stores pose a security risk, potentially containing malware and allowing scammers to obtain full access to a user’s device.

In an email notice sent to customers, the bank said that a malicious app, if installed, can capture users’ personal and financial details when making payments at the checkout page.

With this information, fraudsters would then be able to access the users’ bank accounts and transfer out all the remaining funds, it said.

Public Bank advised customers to be on the lookout for red flags, including if the app was being offered only through links or APK files from sellers and not official app stores.

It said customers should also be on the lookout for the permissions the app asks for during installation and if their Personal Login Phrase (PLP) appears after entering their banking user ID and password.

The bank advised users who suspect they have responded to a scam to report it to their bank or deactivate the account via the official online banking platform.

The warning comes after reports of online mooncake scams in Singapore, which saw at least 27 victims lose about S$325,000 (RM1.11mil) in August alone.

In another recent case, a woman in Selangor paid RM440 for four boxes of mooncake but never received her order.

The victim only realised that she had been scammed when the seller told her to install a third-party app and input her personal details for a refund.