On 28 October 2020, the Singapore Police Force shared an advisory to alert the public to a new variant of phishing scam involving fake advertisements and fake Grab websites. Unfortunately, some GrabPay users have fallen for these scams and suffered losses. Hence, we wish to alert you, our GrabPay users, about this so that we can work together to safeguard your GrabPay accounts.
Q. How did GrabPay users fall for this new variant of scam?
Scammers created fake advertisements on social platforms offering ‘too good to be true’ deals like iPhone discounts and Grab coupons to phish for users’ personal information. When the users clicked on the advertisements, they were directed to a fake Grab website where they were asked to submit personal information such as their phone number and GrabPay one-time password (OTP) to enjoy the deals.
Once this information was mistakenly shared, the scammers used it to unlock the users’ GrabPay accounts to make fraudulent transactions. The scammers managed to trick the users because they dressed up the fake advertisements and phishing websites to look like a real Grab website, using the colour green, and our logo without permission.
Examples of fake sites:
(Left) Image of a fake advertisement offering a ‘too good to be true’ deal on social platforms to attract victims.
(Right) Image of phishing website that victims will be directed to after clicking on the fake advertisements.
Note that some users also fell for an older variant of typical scams, where scammers impersonating their friends message them on Facebook or WhatsApp asking for “help”, or claiming they won some contest – and then requesting OTPs to be sent to them.
Q. What is Grab doing to protect users from this new variant of scam?
The majority of the transactions that resulted from the new variant of scam were purchases of game credits on gaming websites. As an immediate action and with effect from 5 November, we removed GrabPay as a payment option on gaming websites to eliminate this avenue for the scammers.
We are also taking actions in addition to our regular security measures to better protect our users. These include:
- Taking down fake advertisements and phishing websites: We have dedicated teams monitoring various platforms to do so.
- Tightening GrabPay online transaction flows: This includes putting in place additional checks in the payment process and tightening the validity duration of each payment session.
- Advisory to educate users: In addition to the regular advisories issued to ensure our users stay vigilant for scams, we have sent additional reminders to users that Grab does not ask for your personal information and OTP in any of our promotional campaigns or advertisements. If you come across any that ask for your information, it is a scam.
Additional advisories sent to caution users of this new variant of scam, and remind them not to share personal information with others.
Q. What is a one-time password (OTP)? What happens when I share it with someone else?
Whenever you make an online payment using your GrabPay wallet or GrabPay MasterCard, an OTP comprising a 6-digit number is generated for you to input into the payment fields. This 6-digit OTP is shared with you via an SMS sent to your mobile phone number registered with Grab. For GrabPay MasterCard users, the same OTP is also shared via a notification in the Grab app. The OTP is an important step to help us confirm that it is indeed you who is making the purchase and not someone else.
If you have shared your OTP with someone else, please contact us immediately via Grab’s help centre or drop us a private message on our social pages so that we can help you to re-secure your account. You may also wish to make a police report if any unauthorised transactions have been made.
Q. Does this mean GrabPay is not safe? What can I do to protect my account?
As a golden rule, DO NOT share your personal account information such as GrabPIN or OTPs with anyone. Scammers will not be able to unlock your GrabPay wallet, as long as you do not give away your personal account information.
Furthermore, your Grab account is guarded by GrabPIN. This is a 6-digit PIN which acts as second-factor authentication (2FA) to further protect your account. If you have a GrabPIN set up, you will be asked to provide your GrabPIN whenever you make profile changes on your Grab account (such as phone number and email). We have also implemented artificial intelligence and machine learning on the system to detect unusual activities – for instance, you will also be asked to provide your GrabPIN when the system detects a change of mobile device or location (city).
If you have not set up your GrabPIN, we recommend that you do so to add a layer of security to your GrabPay account.
Q. Do I need to remove all my credit card information in GrabPay as a precaution?
No, you do not need to remove your credit cards. Your GrabPay wallet remains safe because:
- We do not store the full 16-digit credit card number and Card Verification Value (CVV) number on our platform
- Any credit card details are fully encrypted on our platform
This is aligned with the global payment security standards set by the Payment Card Industry (PCI) Security Standards Council.
Q. Are there alerts to inform me when scammers use my GrabPay wallet?
You will receive an in-app notification for every transaction made using your GrabPay wallet. You can view all transactions made under the “Recent transactions” section in the “Payment” tab of the Grab app.
Q. How do I know what is a legitimate Grab advertisement or promotion?
Respond only to promotions on the Grab app or official Grab communication channels (Facebook, Instagram, Twitter & Blog). Be sure to look out for the blue tick on these social pages – this means that this is a verified account and that you are on the Grab official channels.
If you see an advertisement or promotion that seems suspicious to you:
- Visit our Help Centre or drop us a private message on our social pages to have our support team verify its authenticity.
- For example, Grab will never ask for your OTP or personal account details in our promotional campaigns.
- If a promotion or discount seems too good to be true, such as ‘Free Grab Coupons’, you can assume it’s fake.
- Do NOT give away your personal account information, such as phone number, OTPs, GrabPIN or email, even on reputable platforms such as Facebook and Google. Scammers can misuse such platforms by creating fake accounts or sites.
Q. In some cases shared online, users saw more than one transaction go through on their GrabPay app at the same time. What has happened here?
The fight with bad actors is a continuous one. Scammers usually do not act alone and have been observed to use different technology to take advantage of transaction flows online. In this new variant of scam, they have been able to trigger more than one transaction quickly with the information shared with them.
We are taking additional measures to address this – including putting in place additional checks in the payment process and tightening the validity duration of each payment session to make it harder for these scammers to complete fraudulent transactions.
Grab has also implemented artificial intelligence and machine learning to detect and study new fraudulent activities, so that we can continue to enhance our system to keep our users safe.
Q. A few users claimed that they did not receive any OTPs and couldn’t have shared it with anyone. Is your system hacked?
Grab’s system remains secure. We treat every single fraud case seriously and have a team of fraud experts to investigate and look into each case. Based on completed investigations of reported cases to date, all users received at least one OTP on their phone number registered with Grab, which needed to be shared for the fraudulent transactions to be completed.