SMS phishing with over 20 victims, damages exceed 2M.

This is a warning to all online banking users: a phishing SMS has left many people in Thailand with empty bank accounts. It is estimated that thousands were sent the same SMS; those who clicked the link and provided personal information gave the criminals direct access to the account linked to their bank application. Thanawat Sangpetch, 23 years old, and at least 20 victims went to file a complaint with Police Major General Panta Nuchnat of the Technology Crime Suppression Division after they fell victim to an SMS phishing scam. The SMS contained a link to a website that collected the personal information required to access funds in the bank accounts. The official damages currently stand at over 2 million THB, but the real figure is believed to be much higher.


Credit: INN News


The reason so many fell for the phishing SMS is that the scammers were able to send a message that appeared to come from the bank's number. The SMS also lands in the same inbox as the official messages the bank sends when money is withdrawn from or deposited into the account. Thanawat stated that on 6 December 2020 he called the SCB call center to notify them of a change of address. The female operator confirmed the change and an SMS was sent to his phone. The SMS notified him of the change and included a link, and because it arrived right after the call he opened the website. There he typed in his full name along with his ID number. Shortly after, a Line notification stated that 20,000 THB had been withdrawn. Thanawat went to file a report and provided evidence to the bank.




The police stated that they have accepted the complaint and that investigators are collecting all evidence connected to the case. Officials believe a large phishing group is responsible for these random phishing SMS messages. The SMS containing the phishing link was probably sent to random phone numbers. Once a user opens the link and provides personal information, the scammers gain full access to the bank account. The final step is when the user types in the OTP number, which confirms them as the owner of the account. One important fact to remember is that the bank will never ask for personal information to be provided via a website.



FB Caption: The SMS appeared to be sent from the official bank phone number right after the victim called the call center.


Source: INN News