Scammers are using Facebook to gather personal information from gullible users and defraud them through popular mobile money services.
By YE MON | FRONTIER
The post went viral almost immediately after it appeared on Facebook in May. “Wave Money will transfer K140,000 to everyone who shares this post. Share the post now; this offer is genuine,” it said, referring to the mobile money service.
The offer, posted from an account with a fake profile, said Microsoft co-founder Mr Bill Gates, one of the world’s richest people, had donated US$300 million for poor people throughout the world and everyone who posted their phone number in the comment box and shared the message would receive $100.
A few days later, the post was deleted and the fake account profile disappeared from Facebook. Similar posts from fake accounts have appeared on many Facebook groups and pages. All of them ask users to share the posts and insist they post their mobile phone numbers in the comments section.
Frontier has found at least three groups posting about donations: “Sa Yin Pay Kya Thu Myar”, (“Subscribers”), “Myanmar Naing Ngan Mha Ahlu Shin Myar Su Si Yar” (“Myanmar Charity Donors”), and “Myanmar Naing Ngan Ballone Athin Myar Ahpwe Chote” (Myanmar Football Clubs Organisation).
Although such posts are not new, they appear to be increasing in frequency, and some of them use COVID-19 themes to trick Facebook users into giving up personal information.
One post in the Myanmar Charity Donors group claims that the actor Wai Lu Kyaw and “Win Ko Ko Latt Foundation” have donated K500 million, and will provide K100,000 each to 5,000 people. The post, which has since been removed, features a photo of Wai Lu Kyaw, as well as photos of unidentified people counting and distributing money.
It is not known how many users eager to receive a payout have responded to the posts by sharing them and providing their mobile phone numbers, but some of the most popular posts have been shared more than 10,000 times.
What is certain though is that most of them have no idea the messages are fake. The messages are designed to elicit mobile phone numbers so that scammers can later try and trick the owners into transferring them money.
Among those who have been duped by the fake messages are Daw Theingi Soe from Mingaladon Township in Yangon Region, Ma Hay Man Oo from Ayeyarwady Region’s Kyonpyaw Township, and Ko Ye Min Htet from Ayadaw Township in Sagaing Region.
Theingi Soe told Frontier on July 4 that she had noticed that many users were sharing one of the posts and providing their phone number in the comment box. She said she believed that all the people sharing the post must have received money from whoever created the page or account.
“I haven’t received anything yet because they haven’t transferred the money to my number through Wave Money. I did not realise that the post was a money scam and I don’t understand why I so readily provided my phone number,” she said.
Theingi Soe said a nephew had seen her comments on the Facebook page and had warned that scammers might use her phone number to try and defraud her. “I decided to never again share or comment on that kind of post and I deleted my phone number from the posts,” she said.
Theingi Soe is far from alone in being deceived by the Facebook posts.
Hay Man Oo from Ayeyarwady Region said she was still waiting for a payout after responding to one of the fake pages despite having been sent a screen shot purporting to show a Wave Money transfer. She no longer trusted any pages promising a payout.
“When you asked me about this, I felt fearful and I really want to know why the scammers are asking for phone numbers,” Hay Man Oo told Frontier on July 7.
Ko Han Min Oo, a digital security associate at Phandeeyar, a community tech hub in Yangon, said scammers want the phone numbers because they intend to cheat Facebook users.
He said the low level of understanding about digital security in Myanmar could be exploited by scammers.
“The government needs to educate the people about digital literacy,” Han Min Oo told Frontier on July 3.
After Ye Min Htet provided his phone number in a response to the fake offer of a payout from Bill Gates, he was contacted by a person who claimed to be vice chairman of the Central Bank of Myanmar and told he was due to receive K17.5 million from the government’s COVID-19 Economic Relief Plan.
In the call on July 3, Ye Min Htet was told he would first need to deposit K350,000 in a Wave Money account and then would receive a seven-digit code that he could show at Myanmar Economic Bank to claim a payment of K17.5 million.
“The scammer said the payment was ordered by President U Win Myint and State Counsellor Daw Aung San Suu Kyi. People trust the scammers easily when they use the names of the heads of state,” he told Frontier on July 3.
Ye Min Htet said he did not transfer the K350,000 because he had seen warnings on Facebook that a scammer was masquerading as the vice chairman of the central bank.
“The scammer did not get money from me, but he will prey on someone else,” he said.
The use of fake Facebook accounts for scams seems to be emerging as a serious problem, with many targeting users of mobile money applications such as Wave Money, which is the country’s largest platform with 58,000 agents, and KBZ Pay, which is linked to the country’s largest private bank.
In June, the rector of Meiktila Computer University reportedly lost around K1 million after she gave her KBZ Pay password to someone who claimed to be from the company and said they needed it for system maintenance purposes.
U Aung Bhone Myint, a captain in the Myanmar Police Force, said he was contacted on July 8 by a person pretending to be from KBZ Pay, who told him he’d won first prize in a lucky draw. They said he could withdraw the money himself, or they would transfer it through KBZ Pay. They said a six-digit code would be sent to his phone, and he should send it back to them.
The scammers were apparently trying to get him to provide a six-digit one-time password, or OTP, that would enable them to reset the login password to his KBZ Pay account. With that they could login from another device and access his funds.
Aung Bhone Myint said he knew immediately that they were trying to trick him, and gave them a fake six-digit number, after which they hung up.
He said online scam posts and phone calls were becoming more common and the Myanmar Police Force should form a special team in order to speed up the investigation process.
“At the moment when a victim opens the case at a police station, we have to send a permission letter to the Ministry of Transport and Communications to trace the phone number. It takes at least a week,” he said.
The other victims include Ma Yu Nandar Hmine, from Mandalay Region’s Chan Mya Tharzi Township, who said she was defrauded after posting a comment on Wave Money’s official Facebook page on March 20 about upgrading her account from a maximum limit of K50,000.
Yu Nandar Hmine said the next day she was contacted by a Facebook personal account named “Wave Momey” that used the Wave Money logo.
The account asked her for her phone number, Citizenship Scrutiny Card number, a six-digit one-time password and the four-digit PIN she uses to log in to her account.
“After I sent them, I received a notification that K50,000 had been withdrawn from my account on March 21,” she said, adding that another K10,000 was withdrawn the following day.
Yu Nandar Hmine said she complained to the Wave Money call centre and was initially advised to file a report to the police. After her husband posted an account of her experience on Facebook, Wave Money asked her to delete the post and paid her the K60,000 she had been scammed, she said.
Yu Nandar Hmine also wrote to the Consumer Protection Association but she said it responded that it could not take up her complaint because she had not been communicating with Wave Money’s official Facebook page, which has a blue mark.
“I never checked the auto reply message and did not notice that the fake account has no blue mark,” she said. “Now, the fake account has blocked me. I will not be seeking legal action through the police but I will never use Wave Money again.”
A Wave Money spokesperson told Frontier that the company is “constantly educating mobile money users not to share their personal information”.
“Yu Nandar Hmine shared both her one-time-password and PIN, which she should not share in any circumstance,” they said.
The allegations in her husband’s Facebook post had “hurt the integrity of our service and our brand”, the spokesperson said, and been posted even after she had found out she had been defrauded and been advised to complain to police.
“We offered to pay the K60,000 in good faith so as to help resolve the situation and minimise the damage it is causing as well,” they said.
The spokesperson said that Wave Money receives a very low level of complaints relative to overall transactions; in the first half of this year, just 0.001 percent of all transactions resulting in a “dispute”.
Regarding scams specifically, Wave Money said they were successful “due to lack of digital literacy” rather than any specific weaknesses with the Wave Money platform.
The spokesperson said the company was aware that scammers were contacting customers directly in “disguise” and getting them to divulge personal information, and it was taking every step possible to stop its customers from being cheated.
After receiving the complaint from Yu Nandar Hmine, Wave Money informed Facebook so that the “Wave Momey” account could be removed, the spokesperson said.
“A major factor we found in most fraud cases occur when users are not conforming to secure usage guidelines. Usually, this is due to leak of personal information that should not be revealed publicly,” the spokesperson said.
“We are continuously educating our customers regarding the mobile money security to protect them against external threats.”
Phandeeyar’s Han Min Oo said that while low digital literacy was partly to blame, Wave Money’s “security system has many weaknesses” because agents and customers are not following the recommended procedures.
For what’s known as a Wave Shop Transfer – when two people without Wave Money accounts transfer money between Wave Shop agents – the sender is supposed to give their mobile number and a photo of their ID, along with the mobile number and ID of the recipient.
They then enter a secret 6-digit code, which they are supposed to give to the recipient only to withdraw the money. The Wave Shop agent at the other end of the transaction is supposed to only release the money if the recipient can provide photo ID and the 6-digit code.
In practice, some agents do not ask for ID, and ask the sender to choose a code, which the agent then enters. When handing out money, some agents do not ask for ID to confirm the identity of the recipient.
Wave Money said the failure of customers to follow its security guidelines did not constitute a weakness with its security system, and that security “is a top priority both inside and outside of the company”.
“We have trained our agents to improve their knowledge and capacity on security awareness and customer servicing as well as to always be on alert for risks and to handle potential threats. We also do regular checks on agents to ensure they are asking to see NRC cards and we have a penalty matrix that is applied for non-compliance, including suspension of services,” it said.
Like Yu Nandar Hmine, few scam victims file a complaint to police. Some seek redress through the Department of Consumer Affairs at the Ministry of Commerce, however.
The department’s director, U Swe Tint Kyu, said it had received 83 complaints about money transfers this year to the end of June, of which 60 had been resolved.
There were often faults on both sides, Swe Tint Kyu told Frontier on July 8, adding that the department had found that the security systems of mobile money transfer companies did not always provide enough protection for customers.
“[The department] has instructed them to upgrade their systems and find solutions that enable customers to avoid scams,” he said. Educating customers about scams was part of the solution.
The Consumer Protection Law provides for victims to open cases at police stations if they are dissatisfied with the outcome of the department’s handling of a complaint.
Swe Tint Kyu said a complaint could involve up to three steps, depending at what level it was resolved. The first step was for the department to arrange negotiations between the consumer and the business owner at the township level, and if they were unsuccessful either side could appeal to state or regional consumer protection committees. If either party was dissatisfied with a committee’s decision it could appeal to the Consumer Protection Commission.
Swe Tint Kyu said the commission’s rulings were final but consumers or business owners who are dissatisfied could open cases at police stations under section 79 of the 2019 Consumer Protection Law.
They can also bypass the department altogether by filing a complaint directly to police under section 66(c) of the Telecommunications Law.
But Daw Khine Shwe Wah, a deputy director-general at the Central Bank of Myanmar, said while action could be taken against scammers under the Telecommunications Law, it was not easy to open cases because of the number of documents required.
But stronger legal protections are on the way, she told Frontier on July 8.
“The first draft of the National Payment System Law has been finished and it includes provisions aimed at preventing money scams,” Khine Shwe Wah said. “Consumers will be able to use this law to sue mobile money companies if they are victims of money scams because of weak security systems.”