A Malaysian guy recently took to Facebook to share how he was scammed of almost RM1,000 within minutes through GrabPay
In a Facebook post on 16 May, Muhammad Syahir revealed that one of his close friends "re-created a new Instagram account" and requested to follow him.
"He messaged me and asked for my phone number via Instagram message. Without any doubt, I gave him my phone number, knowing that he probably lost my phone number."
Muhammad explained that the scammer had posted several photos on Instagram to make it look like it was not a phishing account.
He received a message shortly after from his "friend" about a Grab Activation Code (GAC) that will be sent to his phone as part of GrabPay's 8th-year special campaign
In the message, the "friend" told him to let him know what the code was so that he could see what he won.
"A Grab Activation Code (GAC) was sent to my phone number. It was an activation code, not a TAC code. I gave the activation code to him without any doubt because I know that he is my friend," he wrote, adding that he thought it was just an activation code and that it had nothing to do with his bank account.
That is when it all started to go downhill
"I saw RM425 was debited to my GrabPay account and I did not know that it was from my bank account which was linked to the GrabPay account. After a few minutes, I received a new notification from GrabPay that RM425 was paid to UNIPIN (M) SDN BHD," Muhammad wrote.
"The scammer then messaged me again on Instagram, 'Another activation code was sent to your phone, please let me know the code.' Then, I received another notification from GrabPay that another RM425 was paid to UNIPIN (M) SDN BHD."
When Muhammad was about to message him, he realised that he was blocked and immediately knew something fishy had happened.
"When I checked my Maybank2u, I [had] lost a total amount of RM896.30 from my bank account. The scammer cleared all the money in my bank account and left RM60 balance to my GrabPay."
Based on his post, the scammer had conducted a total of five transactions
"As you can see from my GrabPay activity picture below, four transactions were made directly via a debit card which is linked to my GrabPay account, and one transaction was made via Maybank2u. The scammer even managed to access my Maybank2u from the GrabPay account."
He ended his post by saying that scammers just need the GACs to take out all the money from your linked bank accounts on the Grab app
"After you authorise your debit/credit cards and save them as your preference, Grab doesn't need any OTP/CVV verification from the banks for future/subsequent transactions. GAC will act as an authorisation code to proceed with any transactions."
Muhammad shared that another case happened last week to his friend Patrick Saw, who lost RM405 to a scammer who approached him in a similar way.
Grab has since notified users on how to protect themselves from fraud
"Please do NOT reveal your Grab account details including GAC, one-time password (OTP), GrabPIN, phone number, and any other login details," its statement read.
"[Scammers] create fake websites, emails, or instant messages that look authentic, in order to trick you into revealing your personal information (for e.g. your login details, SMS OTPs, Grab PIN, credit card details)."
According to its website, this is what it advises:
1. Avoid sharing sensitive information with others.
2. Look out for phishing attempts.
3. Don't install apps from unknown sources.
4. Follow best practices for your Grab PIN.
5. Contact your bank immediately.
Read more recent news on SAYS: