Flávia never imagined she would become the victim of a scam. Back in September, the Macao resident – whose name has been changed in this article to protect her privacy – received a text message purportedly from local telecommunication giant CTM. It informed her that it was her last chance to redeem 9,000 points as part of its rewards scheme. All Flávia had to do was click on the link and pay two patacas using her credit card.
Having been given a free IPad by the real CTM only a week earlier for being a loyal customer, Flávia was riding on a high and didn’t think twice about the message. Before the young mother knew it, she had already keyed her credit card details onto a fake website that looked every bit as good as the genuine CTM one.
[See more: Crime in the first three quarters rises by more than 12 percent]
It was, however, Flávia’s daughter who helped to seal the deal. While Flávia was momentarily out of the room, the 6-year-old began toying with her mother’s phone and approved the transaction using a one-time-password autofill function.
Within minutes, Flávia was receiving multiple notifications of various offshore transactions. “The first time it was 10,000 UAE dirhams [21,882 patacas],” she says. “Then it was 3,400 euros in the Hotel du Louvre in Paris, and again in Dubai for 9,900 dirhams [21,663 patacas].”
All in all, Flávia was swindled out of 22,000 patacas and could have potentially lost more if her card had not had a transactional limit.
What is smishing and how bad is it in Macao?
Flávia is just one of the many local victims of smishing, a form of online scam in which criminals send SMS or Whatsapp messages under the guise of a trusted organisation with the aim of defrauding targets. A portmanteau of “SMS” and “phishing,” smishing is by no means new to Macao, as similar online scams using the CTM name can be traced as far back as 2017.
According to official data, the number of reported online scams has been skyrocketing over the years, ballooning from just 156 in 2017 to 622 in 2022. The losses suffered are similarly staggering, with residents collectively losing 310 million patacas last year.
The rise in such crimes is not without reason, says Kathy Sundstrom, the manager of outreach and engagement at IDCARE, an Australian and New Zealand-based non-profit that provides cybersecurity support services.
“Smishing is common because it is effective,” she explains. “If we receive a text message and it appears to come from an organisation we know, we are more likely to click on the link or contact the number included in it.”
[See more: Crypto giant Binance teams up with Macao police for scam prevention]
The Covid-19 pandemic has also greatly enhanced the success rate of smishing by providing scammers with a much bigger number of potential targets. “Shopping and access to services that may have previously been conducted in-person have changed to online,” Sundstrom says. “Many services communicate updates via text, which is why smishing is so successful.”
As well, the ease of access to scamming tools on the dark web has made it easier than ever before for cybercriminals to conduct their operations at a low cost. “These [scamming tools] are sold en-masse, with tips on how to make the messaging more effective,” Sundstrom points out. “They can sell phishing as a service in much the same way legitimate organisations sell software as a service.”
While online scammers can be found from all corners of the globe, the World Cybercrime Index published earlier this year ranks Russia as a major base for cybercriminals, followed by Ukraine – and China in third place.
How can you stay safe from phone scams in Macao?
Unfortunately, Flávia never managed to recover the money that she lost to the scammers, despite reporting her case to her bank and the police. As Sundstrom points out, “in many cases, criminals are quick to transfer funds offshore or into cryptocurrency where it is very hard to get the money back.”
If there is a silver lining in Flávia’s ordeal, it may be that she, along with other victims, helped local law enforcement officials blacklist the false CTM website. “I was in shock because the police told me on that day, there were already like 50 or 60 people with the same message,” Flávia says.
Her advice to others is to disable the autofill setting on their phones, as it will buy time for them to rationally consider the transaction before it’s late. Fortunately, many banks around the world have also implemented anti-smishing measures in which they no longer send links via SMS, which makes it easier for customers to identify fraudulent messages.
[See more: Macao police have launched a new anti-fraud programme]
Likewise, Sundstrom points out that in Australia, “an SMS sender ID registry [has been introduced] to protect brands and government agencies from SMS impersonation.” While the cybersecurity expert says the measure has been “very effective,” she also admits that “criminals are also quick to find ways around it by creating tags that appear the same, but are slightly different.”
For its part, the SAR government enacted a cyber security law in 2019. It also educates the public through advertisements and public events, and has launched a 24-hour anti-fraud hotline and mobile app.
In the meantime, Sundstrom suggests not clicking on text message links, and accessing official websites by typing their URLs and contacting organisations via official numbers rather than through ones from text messages. “Be suspicious of incoming text messages,” she warns, “even if it says it is from an organisation you know.”
