News about Malaysians falling victim to scams is quite common these days. A few days ago, a 90-year-old woman in Petaling Jaya lost nearly RM4 million to individuals pretending to be the police. It now appears that syndicates are also getting aggressive in targeting BigPay users and several people have reportedly lost their money.
As spotted by Says, several users have reported BigPay-related scams, and one woman even claims to have lost money after revealing her date of birth. According to her tweet, she lost RM900 from her RHB account that was linked to BigPay.
[ UPDATE 13/07/2020 22:20 ] BigPay has confirmed that @anna_mzm, who claimed to have lost RM900, had given more than just her date of birth. They added that she had also provided her One Time Password (OTP), which unfortunately allowed the scammers to perform unauthorised transactions. They emphasised that no BigPay account can be compromised if a scammer knows only the date of birth, and that the OTP was developed as a strong protective layer for financial transactions.
Scammers want your OTP
If you look at the complaints, there’s a common pattern. The scammers would try to fool users into thinking that they have won a contest and they would try to get you to pass them your One Time Password (OTP) that you receive via SMS. There are also cases of scammers pretending to be BigPay customer support and they would require your OTP to “check on your account”.
For clarity, an OTP is a random code that is sent to your registered mobile number via SMS. This is similar to the system used by banks and it is used to verify that you are the rightful owner of the account.
The scammers contact their victims through various channels. It can be a phone call, SMS, WhatsApp or even a random link that's shared by email or websites.
Whatever you do, do not ever share your OTP with anyone. To log in to your BigPay account, a scammer would need three things – your mobile number, OTP and your 6-digit passcode. Since they have contacted you, they already know your mobile number and all that is left is the OTP and the 6-digit passcode which only you should know. These two are the last line of defence that protects your account from unauthorised users.
If the scammer has both details, they would be able to enter your account. It’s like passing your house keys to a total stranger. Once they are in, they can transfer money to another account and they can also change the registered mobile number.
Is BigPay safe?
From the way we see it, the BigPay app is actually quite secure and there are several safety measures in place when someone tries to access the account from a different device. Instead of using usernames and passwords that could be easily compromised if there's a leak, BigPay uses your mobile number and an OTP to log in. The OTP is randomly generated and it is sent to you only.
Once your OTP is verified, you’ll still need to enter your passcode which only you should know. When you log in, BigPay even pushes a pop-up to warn you that “If anyone asks for your OTP, it is a SCAM!”.
In the event your phone is stolen, the BigPay app is still protected as it requires a passcode to log in. If you don’t like entering your passcode in public, BigPay also gives you the option to use Face ID or fingerprint authentication to secure your account.
Can scammers top up with saved cards and bank account?
It was alleged that a victim had lost money from their bank accounts when their BigPay account was compromised. From our findings, this isn't possible unless the user provides additional details to the scammer. For credit card top-ups, you will have to enter your card's CVV code followed by another OTP that's sent from the bank. Similarly for online banking, the scammers will need to manually log in to your bank and key in another OTP from the bank to confirm the transaction.
What can you do to stay safe?
The golden rule is to NEVER share your One Time Passwords (OTP) with anyone. This is applicable across all financial platforms including credit card, online banking and eWallets.
BigPay has repeatedly issued reminders about not sharing your OTP with strangers on their app as well as their social channels. Following the recent incidents, they even updated their OTP SMS to say “DON’T SHARE IT WITH ANYONE, even to BigPay”.
Similar to banks and other financial providers, BigPay has emphasised that it will never ask its users to provide personal information such as your OTP, date of birth, phone number or PIN. Outside its app, they would also not request your card's 16-digit number and the 3-digit CVV number on the back of your card.
If someone calls up demanding your personal details, it is definitely a scam and you should hang up immediately. If you feel that your card details have been compromised, you can always freeze it immediately through the BigPay app and contact customer support.
Besides avoiding scams, you should also never allow strangers access to your accounts and ATM cards in exchange for profit and rewards. Most syndicates use mule accounts from unsuspecting victims to perform criminal activities. If your account is found to be used for scams and fraud, you can be prosecuted by law for aiding criminals.
For further reading, you can learn more about staying safe on BigPay’s official blog.