Phishing scams unmasked: What really happens from planning to their aftermath

Phishing scams and attacks through emails and text messages have been intensifying in recent times. Often, the ones who fall prey to such scams are those who are less tech-savvy, like the elderly or those who know of such scams happening.

Meanwhile, other customers fall into the deception because the phishing scams are just too realistic. For OCBC’s case, the SMS messages were spoofed and appeared in the bank’s official thread.

Preparations work bad actors do to plan phishing scams

As you can see, all of the aforementioned current phishing scams are localized, which means they are unique to Singapore. If the scammers are located abroad, they are most likely collaborating with someone local, or the team may be partially or totally locally.

These persons must understand the typical flow of what a targeted victim should or would expect to go through when they visit a phishing scam website (under the impression that it is a legitimate activity); thus, the local person(s) here will supply that knowledge.

Also Read: January 2022 PDPC Incidents and Undertaking

The time it takes to design a phishing scams website and the possibility to take down phishing scam websites

There are open source or proprietary tools that scammers or hackers can use to clone any website’s frontend UI in under a minute. This type of software mimics the HTML/CSS code to make it look exactly like the original or targeted site.

The hacker only needs basic coding knowledge to create a forwarding or backend to receive the keyed-in credentials that victims enter on the phishing site. The URL plays a critical role. For example, scammers can purchase www.internet.ocbc.com/internet-banking, even the real OCBC banking sites such as www.internet-ocbc.com.sg, www.ibanking-ocbc.com, www.internet-ocbc.business, or www.internet-ocbc.finance, which all these domains are available for purchase right now at the time of writing.

Having an SSL certificate lends credibility to the site by displaying a padlock icon in the URL bar, and anyone can obtain free, open-source SSL certificates online.

Such phishing sites can be taken down by informing the original or targeted site owners, for example, OCBC. They will immediately contact the web hosting provider using legal procedures to remove such sites.

Reporting to the police or relevant agencies, such as MAS, are other options, but they will almost certainly notify the concerned party, in this case, OCBC. Singapore Police Force, in collaboration with IMDA (at their discretion), can also prevent the specific site from being accessed from Singapore by requiring Internet Service Providers in Singapore to refuse access to its internet customers.

It should be noted that scammers will also attempt to conceal their true identities, so the name and registration information are usually falsified, as are payment card details using disposable debit cards, or in some cases, paid with cryptocurrency for web hosting providers that accept such payment methods.

To verify the availability of the specified available domains, go to www.namecheap.com and enter them.

If the phishing scam website is being taken down, they can still scam people by setting up a new phishing website in a short period of time

Scammers can reroute the URL to another hosting server where the exact same site can be operational immediately in a few minutes. Alternatively, scammers may have already purchased numerous similar domain names, a practice known as “domain parking,” which means that if the authorities and block have detected www.internet-ocbc.com.sg, the scammers can quickly activate www.ibanking-ocbc.com.

They only need to alter the hyperlink in their email or SMS to the recipients of such messages.

Where does the money go, and is it difficult for the authorities to recover?

Once a scammer has stolen a victim’s login credentials and OTP, they can use this information to set up a digital token in another phone’s OCBC app to receive OTP, preventing the victim from receiving SMS.

The scammer can cheerfully and slowly create as many third-party accounts as payee receivers and begin transferring funds, keeping an eye on the daily limit, and avoiding doing any activity that will cause an SMS to be sent to the victim’s phone.

Even if SMSes are delivered to the victim’s phone, such fund siphoning is often done in the early hours, when the victim is most likely sleeping.

Furthermore, even if a user calls the bank urgently, even though it has a 24/7 hotline for banking individuals, it may take a long time to connect, and by then, funds have already been transferred out or withdrawn from ATMs from those 3rd party accounts. The customer service officer on the helpline also requires specific approval to freeze or pause any funds transfer, giving scammers plenty of time.

Scammers will either withdraw money from such 3rd party accounts via ATM (while taking care not to let the ATM camera catch their faces), transfer money overseas via various fast remittance services, purchase cryptocurrencies and send them to new decentralized wallet addresses, or purchase expensive items from online stores.

How many people could be in the team to run such a scam？

It can be as simple as an OMO (One Man Operation) with the appropriate information or as complex as a syndicate of tens of people. There is an Operations department, a Technology department, a Marketing department, a Finance department, and a Cyber Security department, just as in a business.

Operations include the planning and execution of various department tasks, as well as the acquisition of victim credentials and an OTP to set up a digital token. Web hosting, domain name acquisition, and mass email/SMS blasting software are all examples of technology.

Marketing: Creating victim profiles and obtaining “leads” is simple with a dictionary attack on mobile phones or by purchasing mobile number databases.

Finance: In charge of preparing 3rd party/proxy bank accounts, typically by paying a fixed amount of money to debt-ridden individuals looking for “quick cash” in exchange for their existing or new bank accounts, or purchasing bank accounts and ATM login information from foreign workers who are returning to their home countries and no longer require their local bank accounts.

Cyber security: Utilizing forged credentials to sign up for required internet accounts, using a VPN to hide their IP address while conducting scams, and so on.

Tips to prevent falling to scams

Always call back the main hotline to confirm facts by looking up the contact information online. Do not click on any links in SMSs or emails. The Monetary Authority of Singapore (MAS) and the Association of Banks in Singapore (ABS) have ordered that banks delete clickable links in emails and SMSs in the future.

Always double-check and double-verify URLs. If you receive a call from the authorities, ask for their name, designation, and department, as well as a publicly verifiable phone number where you may contact them back. Normally, they will terminate the call at this point.

SMS, which we are all used to receiving notifications, can simply be faked to convert the sender ID to a recognized entity such as a bank, CPF, or government. Always check in to your web account or mobile app separately to confirm any notifications.

If something appears to be too good to be true, it most likely is. Trust your instincts if something doesn’t feel right.

Also Read: Managing employee data under Singapore’s PDPA