A Woman Lost Most Of Her Money After Falling Prey To A "LHDN Tax Refund" Scam

Facebook user Michelle Lee Shi Ni shared about how she became a victim of phishing as she unknowingly she opened a fake site and gave all information about her bank account, causing her to lose almost all her money in that account within a few minutes.

It all started when she received an email from 'Encik Fadzli Bin Abdul Wahit', who used the email address [email protected], on a supposed tax refund from the Inland Revenue Board of Malaysia (IRB), which is also known as LHDN in its Malay abbreviation.

She clicked on the blue 'Proceed' link in the email, and she was directed to a page with logos of banks. At that particular webpage, she was instructed to select the bank and follow the instructions given.

"After I selected CIMB Bank, I was directed to CIMB Clicks. I keyed-in my username and password and was then asked to type in the TAC (Transaction Authorisation Code)," Lee said in her Facebook post.

Lee then called the CIMB customer service hotline and she learned that the transfer limit for her account was increased and the money in her account was subsequently transferred out.

"I was so shocked as both acts were not carried out by me! The only thing I saw on CIMB Clicks was just the page to type in the username and password. I didn't even click in to the transfer page nor the increase transfer limit page."

Following that call, CIMB had blocked her account and she was advised to lodge a police report on the matter. 

Unfortunately, she learned that her hard-earned money, which was lost to the cybercriminal(s) behind the phishing scam, cannot be recovered.

"Sadly, the inspector told me that there is no way that I can get the money back. I can only hope that they can find the culprit and lock him up in jail."

"Even though I have always read about Internet scams, but I have never thought that I would one day fall victim to it. So be careful everybody, as it can happen to anybody," Lee said.

In a statement on Monday, 6 November, LHDN said that a syndicate was using the name of its CEO, board members, and the official logos of the agency and banks to convince people into believing that they have overpaid taxes and that LHDN requires their bank account details to make a refund to them.

"It should be noted that IRB has never sent any e-mails asking for taxpayers to disclose their banking details. This is because the taxpayers' banking details would be obtained through a declaration by the taxpayer when they complete the Income Tax Return Form yearly.

"Also, overdue tax refunds that have been successfully processed would be credited by LHDN into the taxpayers' bank accounts using Electronic Fund Transfer (EFT), tax refund voucher, or crossed cheque, or telegraphic transfer (for those who are overseas)," the statement read.

One of the easiest ways to identify if an email is a fraud is to check the email address used by the sender, as official emails from LHDN would always use the domain @hasil.gov.my. Even then, the public should exercise caution as there have been cases in which cybercriminals spoof email addresses to make the emails look like they came from LHDN.

According to LHDN, some of the fake domains that are masquerading the government agency include @vanderbit.edu and @vumc.org.

When in doubt, the public can always call the LHDN hotline at 1-800-88-5436 or the nearest LHDN branch number listed on www.hasil.gov.my to verify the emails.

LHDN also urged those who have fallen victim to these scams to lodge a report with the authorities for further action.