Beware of financial scams and fraud calls
Watch these videos to learn how to safeguard yourself against scams.
Beware of scammers posing as Lembaga Hasil Dalam Negeri (LHDN) officers through messages, phone calls, letters or emails regarding collection of taxes/outstanding tax arrears.
Here are some red flags:
- They claim you have an unpaid tax or are involved in money laundering/tax evasion
- They threaten you with arrest/legal action or account blacklisting if their instructions are not followed immediately
- They request you to download an app which could be a fake Bank Negara Malaysia (BNM) mobile app
- They request you to provide bank login credentials or transfer money to a third-party account temporarily for investigation
When in doubt, contact LHDN for verification.
Useful link: https://www.hasil.gov.my/
REMINDER: NEVER click on suspicious links or disclose any personal details/bank login credentials. Stay alert and protect yourself.
Visit BNM’s Facebook Page to learn more about “Scam Notices” @ https://www.facebook.com/amaranpenipuan
With these few tips, you can enjoy the convenience of shopping online with peace of mind:
· Shop and pay through trusted online platforms
· Prior to purchase, check the seller’s testimonials or read reviews to hear what others say
· Use the PDRM CCID “Semak Mule Portal” to look up a seller’s bank account or phone number. Useful link: https://semakmule.rmp.gov.my/
- You receive an email, SMS or phone call claiming to be from Hong Leong Bank or enforcement officials, asking you to provide personal financial / security information or TAC (Transaction Authorisation Code which is the six-digit number sent to a bank account owner’s mobile phone to verify a transaction).
- You receive TAC even though you did not request for it.
- You receive emails or SMS containing a URL Internet link which will lead you to a fraudulent unsecured login site.
- You receive emails requesting you to open attachments or free software that may contain malicious software like viruses, spyware and trojans that are designed to steal your personal data.
- Pop-up advertisements asking for personal or financial information are likely fraudulent, so it's better to just close them.
Using Credit card or Debit Card for Online purchases makes shopping experience more convenient but are you aware that your personal information and card data can potentially be stolen? Here are a few tips to safeguard your personal and credit or debit card information.
- Use only secured Wi-Fi connection to perform online transactions via your Internet banking website, mobile banking app or e-commerce websites. Otherwise, use your mobile data instead.
- Only perform online transactions via a secured website. Look at the URL of the website before you key in your personal and card details, if it is begins with “https” and you see a padlock in the address bar, it means the site is secured.
- Do not store your card details in a third party browser.
- Monitor your online banking transaction history and credit card statement regularly for suspicious transactions and immediately report it to your bank if there is an unauthorized transaction, even if the amount is small.
- Report lost/ stolen credit /debit card immediately. You can also report this via Connect App or Online Banking if you have registered for Connect.
- Shred any documents that contain your card details before disposing.
- Do not reveal your personal and card information such as your CARD NUMBER, CARD PIN, online banking USERNAME and PASSWORD to anyone over a phone call. If you receive a call from any Bank or Authority, please call your bank (via number stated at the back of your credit / debit card) to verify the legitimacy of the call.
- Do not send your personal and card information over any communication medium, e.g. email, SMS, WhatsApp, etc.
- Please notify the bank in advance to update your latest contact details, i.e. correspondence address, mobile number and email address.
Hong Leong Bank has incorporated the following security features:
- Up to 256-bit encryption enabled by EV SSL certificate to secure online transactions.
- 8-16 characters of alphabets and numbers Password for all Hong Leong Connect customers.
- Debit Card PIN / Credit Card PIN / Temporary ID for registration or reset with Hong Leong Connect. TAC will be used as an additional method to identify that it is you who is authorising the session / transaction in Hong Leong Connect Online. TAC will be auto-triggered to your registered mobile number to authenticate certain online transactions, several settings, registration and reset.
- Security Question will be prompted when an unusual online or mobile banking activity is being detected.
- Security Picture to confirm that you are accessing the genuine Hong Leong Connect Online or Mobile.
- Hong Leong Connect Online or Mobile will automatically log off if there is no activity performed after a while.
- Your Hong Leong Connect account will be considered dormant, and automatically deactivated if you do not log in for 12 months.
- HLB Connect Mobile can only be accessed from one mobile device linked to the customers’ Connect profile.
- A mobile number to receive TAC can only be registered to one Connect user at any given time.
- Additional verification, in the form of Card PIN or Temporary ID, is required on top of TAC in order to set up HLB Connect Mobile.
- For Connect Mobile users, AppAuthorise is required to authorise payments or transfers that used to require SMS TAC.
1. What is a Fake App Scam?
- It is a scam involving the fraudsters setting up fake but legitimate-looking advertisements promoting services or items for sale with great discounts, free gifts and more. They will ask you to download their app from a link to enjoy the deals which will enable the fraudsters to steal the banking credentials and SMS TAC.
- Once downloaded the fake app will have access to your SMS function and divert all SMS messages (including SMS TAC/OTP) received on the customers’ devices to the fraudster.
- The app will also prompt the customers to register for a buyer account, login to fake e-Commerce website to make fake purchases and lastly select the checkout option, e.g. direct transfer from bank account via FPX to make payments.
- The customers will then be led to a fake payment website where they unknowingly enter and reveal their banking username and password or debit/credit card details to the fraudsters.
- Fraudsters will now be able to access your banking account/card to perform unauthorised transactions.
2. How to spot a Fake App Scam?
- Cheap bargains that are too good to be true or a promise of unrealistic high returns.
- You are asked to download a mobile app from a link, website, file or unauthorised app stores.
- When you launch the fake app, the app requests for permission to access and modify or inform you that it has access to your SMS settings to view, delete or divert your SMS.
- Your device alerts you with a warning that the file/app could be malicious.
- You are not able to see your security picture after you enter your online banking username.
- The website keeps saying that you have entered wrong username/password, even after you have entered the correct credentials. It will then suggest that you try to login with another bank.
- The website keeps saying that the credit/debit card details you have entered are invalid and suggest that you try another card.
3. Tips to avoid falling victim to Fake App Scam
- Be vigilant if you see advertisements claiming to be from reputable companies, promoting great discounts, free gifts and more. It may be a scam.
- Delete the app immediately if it asks you for permission to access or modify your SMS function in your device, or the device sends you an alert that the file/app could be malicious.
- If you receive unsolicited calls, emails or SMSes from service providers/authorities (which could actually be a scammer impersonating the service providers/authorities), verify the calls, emails or SMSes by calling the sender directly on the contact numbers listed on their official website.
- Download apps only from Apple App Store, Google Play Store or Huawei AppGallery, and NOT via 3rd party websites, links or files.
- If you are directed to a page that looks like a bank website/app login page, do not enter your online banking password if you do not see your security picture.
- Use and keep your anti-virus/anti-malware software updated for constant protection of your devices.
- Closely monitor for transaction notifications and history for any activity that you do not recognise. Call us immediately at 03 7626 8899 if you suspect that your banking account has been compromised.
- Keep up-to-date with the latest financial scams and protect yourself and your loved ones.
1. What is a TAC Scam
- TAC (Transaction Authorisation Code) is the six-digit number sent to a bank account owner’s mobile phone to verify a transaction. TAC Scams occur when the victim receives a TAC that they did not request.
- The scammers will then call the bank account owner, claiming that the TAC is actually for them and that it had been wrongly sent to the victim due to a mistake while registering their mobile phone number.
- They will ask the victim to tell them the code or forward the TAC message to them.
2. How to spot a TAC Scam call
The scammers will try to convince you that you have received a TAC belonging to them:
- “My TAC was wrongly sent to you. Can you please read or WhatsApp the TAC number?”
- “I have accidently updated your mobile number for my Internet Banking and the TAC number has been sent to your mobile phone. I desperately need to transfer money to my family member. Can you please WhatsApp me the TAC number urgently?”
3. What can you do if you receive a TAC when you did not request for it?
- Keep calm.
- Never reveal any TAC you receive to anyone under any circumstances.
- Contact the bank’s call centre and report the incident immediately.
- Be sceptical. The bank will never send a TAC to you when you have not asked for it.
- The fraudster will attempt to contact you and come up with creative reasons convincing you to share the TAC. Ignore all such reasons even if they appeal to your sympathies or pressure you to do so. Never reveal TAC to anyone under any circumstances, especially if you did not ask for it.
- Call us immediately to report about the incident.
1. What is a scam call
- A Scam Call occurs when a customer receives a call from an impersonator, often from a bank and claiming a defaulted payment such as in the case of credit cards or personal loans.
- The fraudster may attempt to obtain the victim's personal banking information by claiming to be an officer from Bank Negara Malaysia (BNM) or Police DiRaja Malaysia (PDRM).
- To make it sound even more convincing, the officer may inform the victim that there is an arrest warrant under the victim’s name.
- The fraudster would then ask the victim to transfer funds into a 3rd party account.
2. How to spot a scam call
The following common phrases may help you unmask a scam call:
- "You have a credit card transaction which requires verification”, where in fact you do not have a credit card with the bank
- “You have a personal loan of RMXX,XXX which is in default”, where in fact you do not have a personal loan with the bank
- “You have an arrest warrant and you are required to transfer your money to a 3rd party account”
- “You’ve been specially selected” (for this offer)
- “You’ll get a free bonus if you buy our product”
- “You’ve won one of five valuable prizes”
- “This investment is low risk and provides a higher return than you can get anywhere else”
- “You have to make up your mind right away as there is no time to waste”
3. Modus operandi example
- Victim receives a telephone call, requesting to confirm a credit card transaction for the purchase of goods or services.
- When the victim calls the telephone number provided, the fraudsters pretend to be an agent of a bank, and again, ask the victim to confirm whether the credit card transaction had taken place.
- When the victim says that he has no such credit card or transaction, the fraudster will sound concerned and advises the victim to lodge a report with Bank Negara Malaysia's ‘Unit Kad Kredit Palsu’, or with the commercial bank's‘ credit card management department’. The victim will be given a fake telephone number to lodge a report.
- Upon calling the telephone number provided, the victim is greeted by an automated voice message identifying them as Bank Negara Malaysia. The call will then be answered by someone claiming to be a Bank Negara Malaysia officer. This person will request personal banking information under the pretense of lodging a complaint on behalf of the victim.
- The fraudster now instructs the victim to transfer money out of his/her account. The victim either withdraws cash, or transfers money, to be placed with an unknown third-party account purportedly for safe keeping or investigation.
- In other cases, fraudsters will request information relating to the victim's banking and credit card accounts. Information gained will be used to illegally transfer funds out of the victim's bank account.
4. What can you do when you come across a suspicious caller
- Keep calm.
- Do not provide any of your banking information.
- Be skeptical – Bank officers will never call you to ask for your credit/debit card or personal banking information.
- Talk to your family or friends or contact your bank call centre before taking any action.
- In doubt, please contact the bank’s call centre which can be found via the bank’s official websites or the call centre contact number at the back of your credit / debit card.
- Remember that:
- Banks never request for your personal or financial information.
- Banks never asks customers to transfer money to a 3rd party account.
What is Phishing?
Phishing is an automated form of social engineering used by fraudsters to deceive one to give away sensitive information. The initial phishing email is designed to entice the recipient to open the email and click on the links provided. The fraudsters use multiple methods to do this including enticing subject lines, forging the address of the sender, using genuine looking images or text and disguising the links within the email.
How to protect yourself from Phishing?
Never click on unknown website links or open an attachment sent via email, SMS, Twitter, WhatsApp or other popular text/instant communication applications, especially when the content is related to financial matters.
1. What is a QR Code Scam?
- QR Code Scam is another form of Phishing, using bogus QR codes to substitute the real QR codes.
- It is a method that the fraudsters use to dupe customers into scanning a fake QR code that disguises a genuine one and redirects the customers to:
- a fake website with realistic bogus screens
- a malicious website, which include malware that may be directly downloaded to the victims’ smartphones
- a different person’s/merchant’s account who will be receiving the funds instead of the intended beneficiary account.
2. How to protect yourself from QR Code Scam
- Before scanning a QR code, check for any signs of tampering or if the QR code is on a removable sticker. If so, avoid scanning it.
- Be wary of scanning codes in public places, such as bus stops, train stations or walkways. Avoid scanning them.
- Always check the web page URL address, if the QR code launches your web browser, to ensure it is sending you the correct website. Consider using a scanner app that actually informs you of the website that the QR code is directing you to before it takes you there.
- If you scan a QR code and find yourself on a suspicious web page that asks for personal or account details such as online banking username and/or passwords, do not key in the information.
- If you are asked to install a mobile app on your device after scanning a QR code, check to ensure the links, publisher and requested permission details are all genuine before proceeding with installation.
- Verify the payment details (amount, beneficiary name, etc.) before confirming the transaction to ensure it’s going to the intended recipient/merchant.
- Install up-to-date anti-virus software on your device. Make sure it's updated regularly.
1.0 What is Malware?
Malware is short for Malicious Software.
The commonly known malwares are like viruses, worms and trojan horses. Malware is any kind of hazardous software that is installed in your electronic device without your knowledge or consent.
2.0 How does the "Zeus" malware work on infected computers or mobile/tablets?
Once the device is infected with malware, the fraudster is able to inject modified fake contents or pages while you are accessing a legitimate online banking website via your Internet browser.
The bank will never communicate to you with urgent appeals that your account may be suspended or closed if you fail to confirm, verify or authenticate your company's banking information on the website.
3.0 Does the "Zeus" malware affect all smartphone operating systems?
Based on an initial analysis by Malaysia Computer Emergency Response Team (MyCERT), the affected systems are:
- Smartphones running on Android platform
- Vulnerable and unlatched Windows Operating System
4.0 How does malware infect your computers, smartphones or tablet?
4.1 From email with Website URL hyperlinks or attachments: Opening an email attachment or clicking on a hyperlink may contain and allow the malware to be installed into your PC, smartphone or table devices. When receiving an email with a hyperlink or an attachment, if the email was not expected or from someone you don't know, delete it. If the email is from an organisation or someone you know and you're not expecting it or requested for it, be cautious too; do not click on the given hyperlink or open the attachment as instructed, contact the sender to verify beforehand
4.2 From mobile SMS or MMS with website URL or attachments: Same as above emails with hyperlinks or attachments
4.3 From instant mobile or web messaging with website URL or attachments: Same as above emails with hyperlinks or attachments. Examples of instant messaging are WhatsApp, Twitter and Line.
4.4 Accepting without reading: A user accepts what is prompted on the screen without reading the prompt or understand what it's asking. For example: while browsing a webpage, an Internet advertisement or window appears that says your computer is infected with a virus or malware; you have won a prize; asking to complete a survey or that a unique plug-in is required. Without fully understanding what is it you're getting, you accept the prompt that will install a malware.
4.5 Downloading applications (apps) from a website: Download programs only from the reputable websites and with a valid digital signature. If you are unsure, leave the site and research the website and the software you are being asked to install. If it is OK, you can always come back to site and install it. Files that don't have a digital signature or were downloaded from an unknown source should always be treated as dangerous.
4.6 Not running the latest operating system, web browser or application updates: Running a web browser, applications or operating system that is not up-to-date with the latest updates can be a big security risk and can be a way your computer becomes infected. Some of the updates from your computer, smartphone,mobile, tablet manufacturers, web-browser or application providers (e.g. Microsoft, Apple, Blackberry, Samsung, LG, Adobe, Google, Mozilla etc), are security updates. Make sure you perform and have the latest updates to minimise the risk of malware infections.
4.7 No antivirus scanner: It's highly recommended that you have some form of antivirus on your computer, mobile or tablet to help clean it from any infections and to help prevent any future infections.
5.0 How to protect yourself from malware?
5.1 Never click on unknown website links or open an attachment sent via email, SMS, Twitter, WhatsApp or other popular text/instant communication applications, especially when the content is related to financial matters.
5.2 Be a smart surfer when browsing websites that are new to you, be careful of any pop-up windows that request for your personal information or prompts you to use certain program.
5.3 Be very selective of the files or programs that you would like to download, always double-check the genuineness of the website and the source, even if it comes from your friends.
5.4 Keep your operating system, Internet browser, applications and firewall up to date.
5.5 Install robust anti-virus, anti-spyware and firewall software on your computer and other devices and configure it to update automatically in a regular internals.
5.6 Run full system scan periodically to remove any new found virus or malware, and you must reset your password and clear all browser caches, history, cookies, before you log in to your online banking again.
5.7 Beware of messages that require you to click on links to download and install a mobile app on your phone. This could be a malicious app.
5.8 𝐃𝐄𝐋𝐄𝐓𝐄 the app immediately if it asks you for permission to access your SMS function or to enter your online banking username and password without showing your security picture.
6.0 Take note of any unusual signs on the daily handling of your mobile devices:
6.1 High frequency of apps crashing unexpectedly
6.2 Device battery drains out quickly
6.3 Pop-up notifications or advertisements to install other apps
6.4 Overall device performance becomes sluggish without apparent reasons
6.5 Outgoing and incoming SMS/calls being disrupted
7.0 IMPORTANT REMINDER when you're assessing Hong Leong Connect:
7.1 Do not respond to any form of pop-up screen or window or additional web pages asking for your personal info and smartphone platform (Android, Windows, etc)
7.2 Do not simply download and install/update any app on your computer or mobile/tablet without verification
7.3 Do not root or otherwise 'Jailbreak' your computer or mobile/tablet devices and avoid side loading (installing from non-official sources)
7.4 Notify the Bank immediately when you came across anything suspicious or unusual web pages asking for personal information when you are about to login to your Hong Leong Connect BIZ.
7.5 You are advised not to proceed with your online banking transactions until your computer or device has been checked and disinfected
Password cracking is a common way to retrieve a password by repeatedly trying to guess for the password. The most common method of password cracking is guessing and dictionary attack.
Keystroke logging or more commonly known as key logging is a way of obtaining passwords or info by capturing what user's type. It is a diagnostic tool that comes in the form of software or hardware (i.e. inserted in the keyboard).
Login spoofing is a way of obtaining a user's username and password. The user is presented with the bank's Login page to prompt for the username and password. When the username and password are entered, the information is then passed to the attacker.
Shoulder surfing as it suggests, is a way of obtaining a user's username and password by peeping.
Spyware is a computer software that is often installed into a PC without user's knowledge and usually takes place during user's download of free software, games or subscribing to free online services from the Internet. Once installed, it does not only monitor user's surfing activity but also capable of retrieving any personal and sensitive information that is being transmitted on the Internet before it is sent in the background to interested parties.
Trojan horse is a type of malware (malicious software) which allows unauthorised access by attacker to user's computer and more often for the purpose of data theft (e.g. personal information, bank account numbers and password). It can be spread through opening email attachment from unknown person or visit to unknown websites.
As the result of responding to spam email or job recruitment that offers opportunities to make easy money, a person could fall for a mule scam. This person is known as "money transfer agent" or "money mule" whereby a mule's bank account is used to receive stolen money from phishing victims and such account also act as a transit prior to the funds being sent abroad and later to be withdrawn by the fraudsters.
ATM Card Skimming
A skimming device is used to copy an ATM card's security information on its magnetic stripe in order to reproduce the customer's information on a counterfeit card.
ATM Card Swapping
A customer's card is swapped with another card without their knowledge during an ATM transaction.
ATM Card Jamming
An ATM's card reader is tampered with the intention to trap a customer's card. The criminal removes the card once the customer has walked away from the ATM Machine.
Shoulder Surfing & ATM Pin Number Compromising
An individual stands next to someone and observes as they enter a PIN number at an ATM machine. Shoulder surfing can also be done via long distance with the aid of either a binoculars or other vision-enhancing devices.
Telephone tapping is the unauthorized monitoring of telephone and Internet conversations and / or key tone by a third party. Phone Tapping is possible on a public switched telephone network and can be difficult to detect. To minimize the risk, consider disabling your mobile phone's Bluetooth connection to prevent any unauthorized access to signal sent from and to your phone. Visit BNM Financial Fraud Alert website for more info.
Sharing is not Always Caring
Never share information such as your username, password, MyKad number and etc. via emails or pop-up windows and phone calls.
Links in emails, SMS, or pop-ups. Always type the web address yourself.
Always type in the correct Internet banking website address directly into the address bar of your Internet browser.
Shred or Securely Store
Your printed statements.
Make It Complicated
Your password that is. Create one using a combination of alphabets and numbers, which makes it harder to guess. Make sure you never write your password down and that it's changed regularly.
Check & Monitor
View your transaction records as often as you can! This way you will notice if there is anything suspicious.
Keep It Private
Never use a public computer or an unsecured wireless network (WiFi) when performing online transactions.
Disable the Auto-Complete / Auto-Save Functions
For usernames and passwords.
Clear Your Cache
After every online session, clear your browsing cache. This function is usually found under the Internet Options section of your browser.
Look out for the Padlock Icon on Your Browser
When visiting websites that require you to share your security information, make sure the icon is there as it indicates that the websites use secure connections. For more on online safety, visit www.mycert.org.my for the latest Internet threats.
We've put together a guide to show you how to do your banking safely online. Click here to view.
If You Doubt It, Junk It
No matter how legitimate it may seem, never respond to unsolicited emails.
Invest A Little
In computer security such as a personal firewall, anti-spy, and anti-virus software. Make sure it's updated regularly!