One-Time Password (OTP) scams have been on the rise lately. More than 20 people in the country recently fell prey to the scam. The scammers lured them into transferring more than Nu 1.7 M. According to the bank, some got back their money while some are still waiting. Phishing is a fraudulent attempt to obtain sensitive information or data, such as usernames, passwords, credit card numbers or other sensitive details, by impersonating a trustworthy entity in digital communication.
One of the victims is a 43-year-old driver. In a telephone interview, he shared that he first got a call from a person who said he worked at the Bank of Bhutan and asked him to send his account and CID numbers. He gave away his details thinking it was for a genuine reason. But soon after he shared his details, money kept being deducted from his account, and he lost more than Nu 500,000.
Another victim shared, “Last time, I got a friend request on my Facebook account. I accepted the request and he called asking for my contact number. Then he added and called me on WhatsApp. He said I have more than 400 friends on Facebook so I have won a lottery worth Nu 500,000. He asked for my account number and CID number to transfer that money. I believed him and did what he said. After sharing my OTP number, he took out all the money I had which was Nu 58,000.”
He said the scammer was so convincing, and that it was his bad day that he got scammed.
“When suddenly all my money got transferred, I got really worried. So I instantly called the same number and asked them about it. But they said they were checking whether the money was illegal and would send back all my money with an extra Nu 500,000,” added another victim.
Meanwhile, Bharat Gurung, the Head of the Information Security Division at the Bank of Bhutan, said that when the scammers get hold of the OTP number, they will clean out the bank account.
“To log in to my MBOB from a different device, I need to download MBOB on the new device. I need to know three things, account number and MPIN. And I need to reset the International Mobile Equipment Identity (IMEI) of the mobile. I can get the user ID using my account number and CID. Once I get the user ID that has been authenticated by OTP, I can get the MPIN using my mobile number, CID, and account number. Once I get the OTP I can log in to the MBOB app. Prior to fully controlling the MBOB, I need to reset the IMEI of the device, which is also done using OTP. All these OTPs are sent to the registered mobile number, so all the OTPs are shared by the customer with the scammer, including their CID, account number and mobile number. So that’s how it is being taken over by the scammer.”
The banks have now disabled resetting the password or MPIN to prevent scams. They have also disabled the IMEI (International Mobile Equipment Identity) reset available on MBOB.
People also need to call bank officials or visit the bank and fill out the forms, for better security. Prior to the scam, customers could reset their password and IMEI when changing phones.
Kelzang Choden