A friend fell victim to a phishing scam yesterday in which their Citibank credit card was illegally used to make NT$90,000 in fraudulent purchases. This scam highlights the disastrous merger between Citibank and DBS Bank Taiwan. The merger has resulted in many issues, with this scam being one of the most egregious. This news article provides more information. This forum has some discussion among other victims of this scam.
The scam worked as follows: Citibank credit card holders were targeted with a text message stating their scooter license had expired and they needed to pay NT$600 to renew it. The message provided a link to a fake website impersonating the motor vehicles department, which prompted users to enter their credit card information to pay the NT$600 fee. The only difference from the official website was that the domain name didn’t have .gov, which my friend unfortunately ignored. After entering their information, victims were even sent a one-time password (OTP) and asked to provide this as well. This allowed the criminals to not only steal personal information, but also make fraudulent purchases verified by the OTP.
Apart from reporting the incident to the bank and canceling the affected card, is there anything else that could be done? Would going to the police be helpful?
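Added example, not part of the original thread: a check that a link from a text message really points at a government host, since the post above says the fake site differed only in lacking .gov in its domain. It assumes official Taiwanese government sites sit under the gov.tw suffix; every hostname and the sample message are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: official Taiwanese government sites sit under gov.tw.
OFFICIAL_SUFFIX = "gov.tw"
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def is_official_host(url, suffix=OFFICIAL_SUFFIX):
    """True only when the URL's real host is the suffix or a subdomain of it."""
    try:
        host = urlsplit(url.strip()).hostname  # drops userinfo, port and path
    except ValueError:  # malformed authority, e.g. broken IPv6 brackets
        return False
    if not host or not host.isascii():  # look-alike Unicode hosts never pass
        return False
    host = host.rstrip(".")  # urlsplit has already lower-cased the host
    # Compare on a label boundary: "x-gov.tw" must not match ".gov.tw".
    return host == suffix or host.endswith("." + suffix)


def suspicious_links(message):
    """Return every link in a message whose host is not under the suffix."""
    return [u for u in URL_RE.findall(message) if not is_official_host(u)]


# Constructed sample inputs; none of these hostnames come from the thread.
GENUINE = "https://agency.gov.tw/renew"
LOOKALIKES = [
    "https://motor-vehicles-placeholder.tw/renew",  # no .gov, as in the post
    "https://agency.gov.tw.pay.example/renew",      # gov.tw is only a prefix
    "https://agency-gov.tw/renew",                  # hyphen instead of a dot
    "https://agency.gov.tw@login.example/renew",    # gov.tw is only userinfo
    "https://login.example/agency.gov.tw/renew",    # gov.tw is only a path
    "https://agency.g\u043ev.tw/renew",             # Cyrillic letter in "gov"
]
SMS = ("Your scooter license has expired. Pay NT$600 at "
       "https://agency.gov.tw.pay.example/renew today.")

if __name__ == "__main__":
    for link in [GENUINE] + LOOKALIKES:
        print("official" if is_official_host(link) else "SUSPICIOUS", link)
    print(suspicious_links(SMS))
```

The comparison is made on the parsed hostname rather than on the raw string, so a link that merely contains "gov.tw" somewhere in its text does not pass.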
It shouldn’t be a problem, the bank should reverse the charges. That is the advantage of using a credit card instead of a debit card. I also got scammed recently by clicking on an email from the Post Office. Citibank reversed the charges no questions asked.
I have lived in Taiwan since 1988 and never had any text message or email from any government agency asking me to pay up. Even when I let my scooter license expire, no text message was sent. Mail was sent.
Also when banks send a text sms password the first thing they tell you is not to share it with anyone including the bank.
Well, you have to enter the password from the bank to make certain online purchases. I’ve been prompted for the same from PCHome, Shopee etc. and even movie theaters such as Miramar.
The issue here was that the website was a clone with a slightly different domain name so it looked quite legitimate. The sad bit is that Taiwanese websites look like they were designed in 2005 by a ten year old in a basement so anyone can set up a clone in a day.
Personally, I’ve gotten messages reminding me to make payments before. I’m a techie so I wouldn’t fall for these scams, but my friend did. Apparently Citibank customers were targeted because of a chaotic merger with DBS. It’s likely that my friend’s info got leaked.
TL, your ignorance is showing again. You’re on the hook and you make a dispute claim, the institution will assess the claim. If it goes in your favour, yes, the charge will be cancelled. Not all claims are accepted.
You are “on the hook” until you dispute it and… “you are STILL on the hook” until the dispute is resolved in your favour…
The problem I see (as a former banker) is that he likely authorised the transaction with an OTP code. If that’s the case then… the bank has some wiggle room to get out of paying.
If the bank manages to do a chargeback in time and recoup the money then happy days… If not…
Although they were informed within 15 mins of the scam, they are asking to “wait till September 3rd” until the transaction is complete and then they can “start the investigation”.
I’m not even sure what it means but it sounds scammy from the bank (Citibank which is now DBS). Any clues what can be done?
How was it possible for the scammers to use the one-time password approving a NT$600 transaction to make multiple purchases totaling tens of thousands?
So I played around with the scam website. After you enter your card details they lead you to a verification screen where an OTP is required. At this point they’re probably making another expensive purchase on some legitimate website with your card details, and then that purchase triggers an OTP to your phone, which they receive when you enter it on the fake website.
To answer this. I did notice that when I use a website more than once they don’t require an OTP after the first purchase.
However, such a large amount does sound really strange to me…
Also, from what @DunderMifflin is saying, the bank is doing a “retrieval request”, which is the first part of a dispute where they may freeze the funds in transfer and gather more information before making the next move.
Sounds to me that the bank aren’t yet convinced…