Beware of your e-mail sender
Hacking is on the rise, with victims being fooled to pay scammers millions
Hacking is on the rise, with victims being fooled to pay scammers millions
PETALING JAYA: Fraudsters are getting away with millions of ringgit by hacking e-mails.
Intercepting e-mail exchanges, they fool their targets into sending money to their bank accounts instead of those belonging to the rightful recipients.
A businessman from a neighbouring country lost RM40,000 to a cyber criminal after his e-mail was hacked.
He was supposed to receive money for exporting a “processed commodity” to the Middle East but the payment ended up in a Malaysian bank account instead.
Panicking, he called his friend – local inventor Bugs Tan – for help.
“The bank account and invoice details were changed. Neither my friend nor his buyer suspected anything amiss.
“Payment was made to a Malaysian bank as instructed in the e-mail. But the account details were different from what my friend had sent. He called me on Aug 10, asking if I could look into it since I live here,” he said.
When Tan checked the hacked e-mail, he saw that the Malaysian bank’s address was someone’s house in Klang.
Tan tried to lodge a police report but was told that his friend would have to fly to Malaysia to lodge the report himself.
“I just want to warn the public that e-mails are not secure. Be careful. Just look at what happened to my friend,” he said.
E-mail hacking has been on the rise for the past two years, according to the Bukit Aman Commercial Crime Investigation Department (CCID) and CyberSecurity Malaysia (CSM).
The number of incidents recorded by the police has jumped from just two cases in 2014 to 73 last year. The total amount of losses spiked from RM974,832 in 2014 to RM39mil in 2015.
“Between January and August, there have been 29 cases, with RM11mil in losses,” CCID intelligence and operations deputy director Senior Asst Comm Roslan Abdul Wahid told Sunday Star.
He said the hacker intercepts an e-mail exchange between two parties, usually when a payment is about to be made.
“For instance, A is supposed to pay B. C, the criminal, impersonates B by using a very similar e-mail address or domain name to communicate with A.
“A is then fooled into paying C instead of B,” SAC Roslan said, adding that the hackers would have done research on their victims before striking.
He said most of such scammers have turned out to be Nigerians who abused visas enabling them to stay or study in Malaysia.
Targeting both foreigners and locals, their victims also include large companies.
“So far, no Malaysians were found to be in cahoots with such hackers,” SAC Roslan said .
He said the fraudsters use a type of software or malware, usually sold in China or Russia, to aid them.
He urged the public to be careful when dealing through e-mail.
“Always double check the bank account number with the recipient and ensure you are dealing with the right person,” he said.
CSM has also seen an increase in e-mail hacking reports – from 25 cases in 2014 to 62 in 2015.
And from January to July, there’s been 36 complaints, said CSM chief executive officer Dr Amirudin Abdul Wahab.
He said some scammers impersonate business suppliers and send the victim an e-mail, informing him of a new bank account number for payments. This happens after the victim receives an invoice from the supplier.
The e-mail doesn’t look suspicious due to the similar domain name and the supplier is usually foreign-based while the victimised companies are normally local, he said.
Urging victims to contact the CSM, Dr Amirudin said the agency could check if the e-mail was fake and guide them on preventing further loss.
Failing to log into your e-mail account, finding your account information changed, your inbox data deleted or logins from unfamiliar locations, not receiving expected e-mails and other users being spammed by your account were signs of being hacked, he said.
“Bosses should provide security awareness training for their staff. They must call the bank immediately if a transfer was made to a fake account number,” he said. To lodge a report, e-mail
cyber999@cybersecurity.my or mycert@mycert.org.my. You could also call 1-300-88-2999 or +6019 2665850.