S$7.7m stolen through ‘tech support’ scams in first four months of this year, up 45 times from last year

SINGAPORE — When 61-year-old Ms Barbara (not her real name) received calls in mid-April from two men posing as a Singtel employee and a cybersecurity officer, she felt no reason to doubt them.

The Singapore permanent resident was told by the callers that she would have to help them track down hackers who had used her IP address to make illegal bitcoin transactions. She readily complied with their instructions, which included giving them her email address, bank account number, remote access to her computer and one-time mobile banking passwords.

It was only three days later, when the Singapore Police Force’s (SPF) Anti-Scam Centre (ASC) contacted her that she realised she had been scammed, and that the men had siphoned US$65,000 (S$91,040) from her bank accounts.

The amount taken from Ms Barbara is just one portion of the S$7.7 million stolen by such “tech support” scammers between January and April this year, a 45-fold surge from the S$169,000 lost to such scams in the same period last year, said the SPF on Thursday (June 4).

The most that was stolen by such scammers in a single case so far this year was S$958,500.

These perpetrators mostly use English to conduct their crimes, and around 70 per cent of their victims are aged between 40 and 75, said SPF.

In a tech support scam, victims will receive an unsolicited phone call from the scammer, who impersonates staff from local telco service providers or a government agency.

The impersonator then deceives victims into believing that they have issues with their internet connection or that they had committed a criminal offence, persuading them to install software applications that allow the scammer to remotely access the victims’ computers.

Once the software is installed, the scammer would tell the victims to log into their online banking account and later ask them for the online banking one-time passwords sent to their mobile phones. The scammer would then transfer funds out of the victims’ account.

Ms Barbara’s money disappeared over three transactions. Another transaction was stopped when one of her banks grew suspicious of the transfers, while another two are currently being blocked by another bank when she contacted it after finding out she had been scammed.

Had these three transactions also gone through, she would have lost a total of S$170,000.

“I was pretty frightened, it was pretty convincing,” she said in a phone interview with the media on Thursday, adding that when the scammer struck, she was already in an anxious state of mind over the Covid-19 situation and the circuit breaker, which kicked in on April 7.

Ms Barbara’s scammer told her that there were hackers using her IP address to make bitcoin transactions and that she was subject to taxes on these transactions.

While she initially doubted the caller’s legitimacy, she said the scammer seemed knowledgeable and gave her satisfactory answers to all of her questions. 

The scammer also provided her with fake employee identification numbers and telephone numbers, and even told her that the Government had set aside a budget specifically for hunting down cybercriminals.

Furthermore, as she was a Singtel customer, she did not think there was anything amiss with a Singtel officer knowing her telephone number or IP address.

The scammer also instructed Ms Barbara, who is single and lives alone, not to tell anyone else of the purported investigation and that the situation she was in needed her urgent attention.

Had the Covid-19 pandemic never happened, she would have been at work and likely have consulted someone else after she received the call, she said.

Over the next three days, the scammers used TeamViewer, a remote access application that they asked Ms Barbara to install on her computer, to watch her screen as they asked her to make a S$3,000 “test transaction” that they said would be returned to her.

She later provided them with banking one-time passwords, something she said on hindsight she should never have done.

By the time the ASC called her on the third day, the money stolen from her had already been whisked away through a Hong Kong bank account.

“I felt angry, then I was overwhelmed and then I was frightened… I’ve written the money off,” she said.

Ms Barbara said she will be much more vigilant from now on, and will verify the identities of callers claiming to be government officials or company staff by contacting the appropriate official hotlines.

“There’s always time to verify identity… Even if it takes a few minutes, that is definitely what I would advise,” she said.

“They make it sound very urgent, but taking a step back for 10 minutes and sitting down to think doesn’t really make a difference if my IP address has been compromised. You should take 10 minutes to try to verify the identity of the caller.”

Members of the public are advised to never provide their personal details, banking details or one-time passwords to unfamiliar or unverified persons, said the SPF.

If they realise that they have fallen prey to such a scam, they should log off from their computers to prevent scammers from conducting any further activities on their device, change their banking credentials and report the incident to their bank and to the police.