Macau fraud – a wake-up call to get serious about preventing vishing banking scams!


By Afifah Suhaimi

Now more than ever, this is the best time for banking institutions and IT businesses to work together in addressing vishing banking scams by reinforcing banks’ current standard operating procedures and cybersecurity measures, which are very critical in the age of cybersecurity.

In brief, a vishing banking scam is a vishing attack that involves a call from someone who says they are from the victim’s bank or some other financial organisation.

Well, in a world where consumers have infrequent physical contact with bank employees, “digital trust” has rapidly become an essential differentiator of customer service. 

Basically, banks that deliver a smooth, safe and fast digital interface would positively affect their sales. In contrast, those that prefer to stay the old way would potentially lose their business and value.

However, this revolution has made us (the consumers) more vulnerable to financial fraud and cyberthreats without us noticing it. What’s more, with Covid-19 turning the world upside down, fraudsters are leveraging the pandemic’s uncertainties to carry out their dirty schemes.

Thus, it is crucial for banking institutions to strike the right balance between controlling and preventing fraud while keeping their role as one of the most critical components of trust in the modern economic world.

Recently, Malaysians were shocked by the Macau fraud case, better known as the Macau Scam, where five individuals were arrested by the Malaysian Anti-Corruption Commission (MACC) on suspicion of being involved in the Macau Scam and money laundering in Malaysia.

Since 40% of the victims of this scam are senior adults and pensioners, they are susceptible to easily handing over control of their finances due to cognitive disability, emotional fragility or merely a desperate need for a quick financial fix.

Or perhaps – just because they have money from their retirement savings or pensions, and are more likely to be open to suggestions for handling these funds.

Indeed, by looking at the victims’ losses, related agencies, especially banking institutions, need to step up their game in combating this crime. This offence is profound – not only does it make the victims feel financially devastated, but also emotionally deceived.

So, what can be done?

First and foremost, the related agencies need to provide reliable and relevant information that is easy to understand for the public, especially the old generations, about potential threats and scams, including how to keep themselves safe.

Here’s one scenario that looks simple and easy to avoid compared to other financial scams, yet is very perilous and becoming prevalent in Malaysia – what is known as the Transaction Authorisation Code (TAC) scam. Shockingly, in 2018 alone, this scam fleeced Malaysians of almost RM15 million!

Usually, this scam works when the scammer gets a hold of the victim’s credit card details and attempts to perform a transaction using those stolen details.

To make the transaction successful, the scammer will call the victim and politely ask them to send the TAC number that the victim has received via SMS – claiming the respective businesses have sent the TAC number to the wrong phone number.

Technically, when the scammers obtain the TAC numbers, the transaction is considered “authorised” and successful.

Remember, while they may sound so genuine, do not fall into their pit no matter what they may suggest, as TAC numbers cannot be sent incorrectly!

Talking about TAC numbers, have you heard about Secure2u? Secure2u is Maybank’s other payment authentication method, which is believed to be more secure.

Technically, instead of sending the user an SMS to authorise transactions, which could be taken over (using SIM swap attacks) or stolen by mobile malware, the user will receive a six-digit TAC number or a push notification on the Maybank app.

In brief, this method allows the bank to implement additional protection on the communication, by leveraging end-to-end encryption. 

Thus, it is vital for the other banking institutions to leverage this technology too, by providing a software-based authenticator to their users – instead of relying on a vulnerable channel such as SMS.

Second, as for law enforcement response, the government is responsible for providing a well-trained response team with sufficient skills and knowledge to resolve the crimes and ensure the perpetrators are brought to justice.

Perhaps, this response team must also be equipped with high-tech skills and utilise cutting-edge software – to deal with the growing number of scams.

Next, as for banking institutions, transaction monitoring software should be implemented by integrating the systems with transaction screening tools.

This works by providing banks with the power to keep an eye on the recipient and sender of any financial transactions.

In brief, if the system catches a match (unusual/large amount of transaction) via the screening process, the software would raise alarms to alert bank officers for further actions.

But worry not, with modern technology, the scanning process takes place within seconds, so the customer process is not delayed. Therefore, banking institutions can still maintain their image to be as hasty and swift as possible.
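As an added illustration (not part of the original article and not any bank's actual system), the Python example below shows the kind of rule such monitoring applies: the recipient is screened against a watchlist, and the amount is compared with the sender's own payment history. The account IDs, amounts, watchlist and thresholds are all constructed assumptions.

```python
from statistics import median

# Constructed sample data: account IDs and amounts (RM) are invented for illustration.
WATCHLIST = {"ACC-9001"}  # recipients previously reported as mule accounts
HISTORY = [
    {"sender": "ACC-1001", "recipient": "ACC-2001", "amount": 120.0},
    {"sender": "ACC-1001", "recipient": "ACC-2002", "amount": 80.0},
    {"sender": "ACC-1001", "recipient": "ACC-2001", "amount": 150.0},
    {"sender": "ACC-1001", "recipient": "ACC-2003", "amount": 95.0},
    {"sender": "ACC-1001", "recipient": "ACC-2001", "amount": 110.0},
]

def screen(txn, history, watchlist, k=6.0, min_spread=25.0, min_history=5):
    """Return the list of alert reasons for one transaction (empty list = no alert)."""
    reasons = []
    # Screening: compare the recipient against the watchlist.
    if txn["recipient"] in watchlist:
        reasons.append("recipient_on_watchlist")
    mine = [h for h in history if h["sender"] == txn["sender"]]
    amounts = [h["amount"] for h in mine]
    if len(amounts) >= min_history:
        # Monitoring: robust baseline (median and median absolute deviation),
        # so one earlier large payment does not inflate the threshold.
        med = median(amounts)
        mad = median(abs(a - med) for a in amounts)
        limit = med + k * max(mad, min_spread)
        if txn["amount"] > limit:
            reasons.append("amount_unusual_for_sender")
            # A large payment to a recipient the sender has never paid is
            # the pattern a phone scam produces; flag it separately.
            if txn["recipient"] not in {h["recipient"] for h in mine}:
                reasons.append("large_payment_to_new_recipient")
    return reasons

def triage(txns, history, watchlist):
    """Map transaction id -> reasons for every transaction that raised an alert."""
    alerts = {}
    for t in txns:
        reasons = screen(t, history, watchlist)
        if reasons:
            alerts[t["id"]] = reasons
    return alerts
```

Senders with fewer than `min_history` past payments get only the watchlist check here; a real deployment would need a separate rule for new accounts.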

Another way is by deploying intelligent prevention strategies via Artificial Intelligence (AI) to predict fraud activities before the damage is done.

To foresee when risks will arise, banks need to redesign consumer and internal transactions and processes based on a constant evaluation of current cases of fraud, financial crime, and cyber-threats.

For instance, from the past historical data of Macau Scam, AI can analyse and learn how the scamming process was done, at what time, the potential victims, the contents of the call and so on.

Then, with the right system and predictive tools, any answered fraud call would be quickly analysed and if the call is predicted as fraud, the system would immediately shut down the conversation.

According to tech experts, this strategy could significantly prevent the scam beforehand as well as boost the bank and its customers’ security.

Afifah Suhaimi is Research Assistant at EMIR Research, an independent think tank focused on strategic policy recommendations based on rigorous research.

