Jakarta, CNBC Indonesia – Online fraud modes continue to grow. In carrying out their actions, the perpetrators often used applications that are widely used by the public, such as WhatsApp and email.
For the fraud method through these two means, the perpetrators carried out social engineering. They manipulate victims into downloading an apk file that is actually a virus that can siphon sensitive data, such as bank accounts.
Throughout 2023, fraudulent actions using this apk file will be carried out in various ways. Starting from displaying package photos, tax bills, to wedding invitations. During the 2024 General Election (Pemilu), fraudulent acts using this apk file were even carried out using the polling station (TPS) notification mode.
Director General of Applications and Informatics, Kominfo, Semuel Abrijani Pangerapan, said that basically the way to prevent becoming a victim is not to pay attention to sending apk files.
“Don't download the APK. The APK is like a program. When you open it, the software will definitely download,” he said on the sidelines of the 2022 Public Digital Literacy Launch event, citing CNN Indonesia.
This is because the file becomes a bridge for malware or malicious programs that can allow perpetrators to access the victim's cellphone and get all the information needed to drain an account or digital wallet.
The following are various methods used by fraudsters to ensnare their victims in downloading apk files.
Tax Warning Letter
The Directorate General of Taxes (DJP) of the Ministry of Finance reminds taxpayers to be careful when receiving electronic letters containing tax warnings. DJP asked the public to ensure that the letter really came from their institution.
“I want to give a reminder to taxpayers, I ask for help to be careful. Many e-mails are phishing,” said Director General of Taxes Suryo Utomo.
One sign that an e-mail is suspicious is the sender. The official notification letter from the DJP will definitely use an official e-mail address, not an individual's.
“So if you don't use @pajak.go.id, that means it's not from DJP. This is a reminder to be careful when opening emails that may not be from us,” he said.
If you are still in doubt, taxpayers can contact the official DJP contact. Either via e-mail, tax ring or social media.
It is known that fraud uses phishing links that can take personal data. This makes your balance in your e-wallet unsafe.
Photo: Fraud under the guise of wedding invitations on WhatsApp
Fraud under the guise of wedding invitations on WhatsApp |
Courier Mode Fraud
Fraud using the package courier mode went viral at the end of 2022. This case was revealed from a post on the Instagram account @evan_neri.tftt which showed a screenshot of a Telegram chat with a fraudster who claimed to be a courier from J&T Express.
In the chat, the fraudster sends an attachment with the file name 'VIEW Package Photo' to the victim, but in apk form.
The victim who is not observant clicks on the file and downloads it. His mobile banking balance was also sold out. He explained that the victim had never run or opened any application or filled in a user ID or password on another site.
This account said that the application sent by the fraudster might run in the background and take the victim's data, thereby allowing the fraudster to access the victim's banking account.
On its Instagram account, J&T Express as the courier service provider whose name was cited in this fraud case said that it never asked customers to download the application via chat.
Wedding Invitation File
The Twitter account (now X) @txtfrombrand shared a screenshot containing a conversation between the fraudster and the potential victim.
In his post, the fraudster sent an apk or application file with the title 'Digital Wedding Invitation Letter' with a size of 6.6 MB. Followed by a message that said “We hope for his presence.”
“After proof of receipt, now fraud is using the guise of a wedding invitation,” wrote the account @txtfrombrand.
Unmitigated, fraudsters also invite potential victims to open the apk file that is sent, under the pretext that the victim checks whether the contents of the file are really addressed to the victim.
Fake Traffic Ticket
The online fraud method of sending apk files has changed its face again by sending a ticket on WhatsApp. This case went viral in March 2023.
Several netizens uploaded chats from contacts claiming to be the police, stating that the recipient of the message had violated traffic.
The sender also asked to open the data entitled 'Surat Tilang-1.0.apk' which was also uploaded in the WhatsApp message.
“WARNING! Be careful of fraud using this method of sending a ticket via WhatsApp. Never click/download files with the extension “.apk” from unknown people on your gadget,” tweeted the account @MurtadhaOne1.
Check out MyTelkomsel
Cybercriminals are switching gears in the name of MyTelkomsel, an application owned by the mobile operator Telkomsel, to get customers to click on apk files.
The method is that potential victims are asked to access and then download the apk file sent via short message.
After the installation process is complete, potential victims will be asked to provide access permission to several applications including photos, videos, SMS, and access to digital banking or fintech service accounts.
If access has been given to the perpetrator, it is very possible for the criminal to have control over the victim's device and know all confidential information such as PINs, passwords and OTP codes.
“Don't immediately believe it if there is a direct offer of a prize, and does not provide confidential personal data or data on financial services such as banking,” said Saki Hamsat Bramono, Vice President of Corporate Communications at Telkomsel in a written statement.
Telkomsel ensures that it never asks for verification codes in any form, including sending requests to customers to download apk files.
Announcement from Bank
Another mode of fraud is bank announcements. The victim sent a pdf in the name of a certain bank. Often the information that appears is about unreasonable changes in transaction and transfer rates.
The psychology of the victim is played by being given two choices, namely agreeing or not agreeing. If the victim does not agree, the perpetrator asks the victim to fill out the form in the link or links included in the fake announcement.
When the victim accesses the link, data theft will take place.
VCS Invite
The video call sex (VCS) mode from an unknown number went viral on social media and has the potential to become material for blackmail.
One of those who experienced this was the Twitter account @a.dewiangriani. He repeatedly received video calls from unknown numbers.
After ignoring the call three times, the account owner got curious and picked up the fourth call. Apparently, what appeared was a woman without clothes.
Cyber security expert Alfons Tanujaya said that VCS from an unknown number is a mode of threatening someone by taking advantage of someone's ignorance about technology.
“This is in principle blackmail that takes advantage of someone's ignorance or security about technology,” he said.
“If you are in doubt and are being blackmailed, contact a friend who understands and ask for help to deal with threats that we don't understand, don't just follow the threats,” he explained.
[Gambas:Video CNBC]
(rsa/wur)