Criminals socially engineer their way to bank details with fake arrest warrants

When an organization experiences a massive data breach, it knows (at least) that it needs to inform the federal government about the cybersecurity incident, get law enforcement involved, and then inform its clients and affiliates. Seems simple enough, but this process, which countries from the West have been abiding by, is the result of countless breaches in the past, followed by a myriad of digital crimes that took advantage of those leaked and stolen data.

Unfortunately, not all governments in the world are in the same boat when handling incidents of compromised data—something every country has been familiar with, along with its associated victims. And while some governments continue to deny the real-life impacts of such online incidents and lawmakers are still figuring out what to do, consumers are left to fend for themselves with no real help in sight from law enforcement.

Such was the case of @TheVenusDarling, a Twitter user in Malaysia. She was targeted by online scammers who used her personal details gleaned from an April 2022 data leak that affected 22.5 million people.

Note that Venus’s case is just one of many. After she shared her experiences on Twitter, some came forward to tell a similar tale that, more than losing money, left them feeling traumatized for a long time. Without Venus’s quick thinking and help from a cybersecurity pro, she would’ve been left in a far more difficult situation.

Scammers put victims in a swirl of “too much”

It began with a phone call.

The caller, a female who was purportedly working for the Inland Revenue Board of Malaysia (IRBM), an agency responsible for collecting taxes, said that “Venus” owed at least RM50,000 ($11,000) in arrears for a business created under her name.

“The caller seemed authoritative and convincing and even supplied a reference number,” said Munira Mustaffa, the expert who helped Venus in her case. It didn’t stop here. In further attempts to sell the legitimacy of the call and the integrity of the person on the other end of the line, the caller connected Venus to a “police inspector” (PI), who then instructed her to hang up and Google the number of the local police headquarters. She then received a call from a number matching the number she had just searched.

Mustaffa, who founded the Chasseur Group and serves as its executive director and principal analyst, is known in counter-terrorism and organized crime circles. In her post, she broke down the scam into four phases, reflecting the scammers’ intent in each stage: Dismay, Isolate, Overwhelm, and Intimidate.

The so-called PI proceeded to inform Venus that there was an arrest warrant for her because her ATM card was linked to money laundering and fraud activities [Dismay]. He then passed the call to a “high-ranking officer” (HRO), who instructed her to move to a quieter place to ensure the call’s privacy [Isolate]. The HRO then sent Venus a copy of the purported arrest warrant, containing her legitimate details, via WhatsApp [Overwhelm]. He also told her to download and install an APK file he sent via the messaging app to aid them in their investigation.

easset upload file96611 232696 e

The fake arrest warrant the supposed “high-ranking officer” sent to the victim. It contains the official emblem of the country’s law enforcement body and contains legitimate details of the victim gleaned from the April 2022 leak. (Source: Chasseur Group)

Venus did what she was instructed, including filling out the form in the app. When she was about to enter her bank account PIN, she remembered she wasn’t supposed to share it with anyone. She then realized she was about to be scammed. Sensing her hesitation, the HRO began shouting to further freak her out into giving up the PIN [Intimidate].

She then ended the call, uninstalled the app, and sought Mustaffa’s help.

“Unfortunately, in this instance, uninstalling the app is not sufficient,” Mustaffa said. “Even with the application deleted, we had to assume that the device remained infected with malware. Hitting reset would have been the recommended option; however, that would result in data loss—an outcome not many are willing to go for.”

Scammers know what people don’t

If this scam is not spotlighted and people are not educated, many more will continue to fall for this campaign. Scammers find success in what they do because not only do they have the tools to take advantage of anything ill that happens to people—they know what people know and what they don’t.

In this case, they know that citizens are largely unaware of government processes. And while the IRBM and law enforcement have social media presence and do inform their followers of scams, it’s not enough.

“[T]he general populace must be properly informed about the government’s procedures and standards,” Mustaffa said. “And in order to do this, it is vital to enhance the accessibility, clarity, and transparency of information that is already widely available.”

Getting familiar with the scam is also a big way to prevent it.

A scam is a scam, regardless of origin. If it proves lucrative, many will copy it. It’s only time before online criminals adopt this tactic and begin their social engineering campaign against unwary citizens.