SINGAPORE, Sept 6 — At least 27 people have fallen victim since August this year to a new scam variant involving the sale of mooncakes through social media platforms, with total losses amounting to some S$325,000 (RM1.1 million).

In a media statement yesterday, the police said that the victims would come across advertisements on Facebook and Instagram for the sale of mooncakes, where buyers would contact the “sellers” via the social messaging platforms to place their orders.

The scammers would then communicate with the victims via WhatsApp and direct them to malicious links to purchase the items and/or make payment.

These links will then lead the victims to download an Android Package Kit (APK) file — an application created for Android’s operating system — that contains malware.

“In some cases, the victims were first instructed to make payment for their mooncake purchase through PayNow or bank transfer.

“Subsequently, the scammers would inform the victims that their orders had to be cancelled due to production or manpower issues,” the police said.

In order to get their refunds, the victims would then be directed to the malicious links to download the APK file.

Once the victims had downloaded and installed the APK file, the scammers would be able to access the victim’s device remotely to steal passwords, and the malware, which has keylogging capabilities, would retrieve the victim’s banking credentials.

The victims would later discover unauthorised transactions from their bank accounts.

The police said that the public should be reminded of the dangers of downloading apps from third-party or dubious sites.

They are advised to adopt the following precautionary measures:

• Enable security features such as two-factor authentication for their bank accounts

• Ensure that devices are installed with updated anti-virus/anti-malware applications and devices’ operating systems and applications are updated regularly with the latest security patches

• Disable “Install Unknown App” or “Unknown Sources” in the phone’s settings page and do not grant permission to persistent pop-ups that request access to the device’s hardware or data

• Only download and install apps from official app stores. Be wary if asked to download unknown apps in order to purchase items or services on social media platforms

• Warn others about such scams and report the number to WhatsApp to initiate in-app blocking and report any fraudulent transactions to the bank immediately

They also advised the public to take the following steps if the malicious app has already been installed:

• Switch the phone to “flight mode”. Switch off the phone’s Wi-Fi network

• Run an anti-virus scan on the phone

• Check for any unauthorised transactions in the bank, Singpass and Central Provident Fund accounts using another device. If any unauthorised transaction is detected, report to the bank and relevant authorities, as well as lodge a police report

• As a further precaution, consider doing a “factory reset” of the phone and changing important passwords

Members of the public may visit www.scamalert.sg or call the anti-scam helpline at 1800-722-6688 for more information on scams.

Anyone with information about such scams may contact the police at 1800-255-0000 or submit information online to www.police.gov.sg/iwitness. — TODAY