[This article is brought to our readers by BigPay, along with our own true experience.]
Last month, our colleague got a call from someone claiming to be from BigPay. Earlier that day, she received a text message saying that she had won a RM2,900 cashback. During the call, the scammer began by asking what seemed like standard questions so that she could claim that prize.
He also kept reassuring her that for security, he didn’t need the full details of what she was sharing; for example, when he asked for her IC, he said: “Just the last 4 numbers ok, no need to share the rest, to be safe”.
Throughout the call, he spoke very fast and didn’t give her much time to think, which made her feel like it was something urgent. When she was asked to share her one-time password (OTP), this prompted her to end the call and block the caller.
The More You Know: This is one of the common tactics used by scammers, called the ‘urgency tactic’. The scammer talks quickly so that the listener has no time to think and passes on information without a second thought.
She’s not alone in this experience. Over the past few months, netizens have been actively sharing their experiences of an ongoing scam involving BigPay in a Facebook group.
The modus operandi seems fairly similar, with a few small variations. The scammer will call or message them using an unknown number through WhatsApp. The scammer then claims that the user won a competition and they’ll need some personal details.
To make the prize seem more legit, the scammer makes the calls through a WhatsApp Business Account with a BigPay logo. An account with WhatsApp for Business can be created by almost anyone and BigPay does not have an official WhatsApp for Business account.
The scammers will even go to the lengths of taking pictures of BigPay staff or founders to impersonate them, giving a sense of ‘credibility’ to the accounts they’ve created.
The Bigger Picture
Some netizens speculated that BigPay may have sold user data. But a representative we spoke to assured us that is not true.
“BigPay did not have a data leak, and we do not sell to, purchase from or exchange customer data with anyone.”
They then clarified that the only way users can be scammed on BigPay is if they give out their OTP. The OTP then allows the scammers to change a user’s password or to perform a transaction.
As to how the scammers knew people’s names or if they even had a BigPay account, the representative said it was most likely bought through telemarketing companies.
Depending on the scammer’s willingness to spend initial money, they could purchase user information through websites which an average person can find by Google-ing ‘buy user data Malaysia’.
The scammers could also turn to tech and social media like LinkedIn or Facebook to scrape as much data as they can on a person, which is one of the few ways they gain access to personal info.
Because BigPay wallets can hold more money compared to most e-wallets, BigPay believes scammers target their users because the potential return is bigger.
Similarly, banks have also reported phishing scams: this is an industry-wide problem affecting everyone, e-wallets and financial institutions alike.
Increased Security But More User Negligence
According to the representative, BigPay’s focus on security has not waned since the company started operating. In fact, they’ve constantly reminded users to not give out their OTP to anyone.
“No BigPay employee will ever ask for your OTP or PIN, under any circumstances.”
Here are some of the steps that BigPay has taken thus far to tackle the ongoing scam issue and take preventative measures for vulnerable accounts:
- Reporting & removing accounts impersonating BigPay (social media and website).
- Reporting to WhatsApp the numbers used by the scammers.
- Training their machine learning system to flag and recognise fraudulent behaviour.
- Banning scammers’ BigPay accounts.
- Strengthening password reset requirements via two-factor authentication.
- Setting up multiple authentication levels to log into the account.
- Working closely with the police and all the involved authorities in their investigations to identify the culprits and recover the money.
- Working closely with the industry, such as banks and other e-wallets to develop coordinated responses and strategies.
In terms of actual numbers, BigPay shared that they’ve banned 500+ WhatsApp scammer accounts and taken down over 150 websites impersonating them.
As for user awareness, BigPay said that they’ve sent over 10,000 push notifications via the BigPay app and sent over 2,000 SMS messages to people flagged as potential victims.
They’ve also displayed in-app pop-ups more than 5 million times and sent over 3 million emails to users on the topic in the last 4 months.
Users Need To Play Their Part Too
BigPay informed us that anyone posing as BigPay staff on social media, or anywhere else that is not the official www.bigpayme.com, is a scammer and should be reported to BigPay.
Most importantly, not sharing your OTP will prevent you from being scammed as it is the most crucial part of your account security.
It still mostly boils down to user awareness, and BigPay has been constantly informing its users that such scams exist and that, usually, if it’s too good to be true, it probably is.
And as a rule of thumb, to emphasise it again, never share your OTP.