Many phishers impersonate government institutions, data shows

A 59-year-old woman surnamed Kim in August received a text from her youngest daughter, asking for a photo of her mother's ID to buy an insurance plan for her phone.
Kim knew her daughter to be reckless with her phone, so without a second thought, she responded to the text with front and back photos of her ID.
The next morning, Kim received a strange phone call from the bank asking for confirmation whether she withdrew 80 million won ($68,000) from her bank account the previous day.
Astounded, Kim put the call on hold and logged into her mobile bank account.
She found a total of 160 million won missing from two of her bank accounts.
Kim fell victim to messenger phishing.
Messenger phishers work by hacking into people’s mobile devices or social media accounts and impersonating government institutions or the person’s family and friends to obtain their personal information.
When Kim received the text message asking for her ID, it was actually from a phisher, not her daughter, though the phone number was the same.
According to a JoongAng Ilbo survey conducted from Oct. 28 to Nov. 28, phishers were most often found to impersonate government institutions such as the prosecution or the Financial Supervisory Service, at 34.9 percent, followed by impersonations of banks at 30.2 percent.
Kim has still been unable to retrieve her money because the phishers’ bank account to which Kim’s money was transferred has been emptied out.
The phishers appear to have bought cryptocurrency with the cash so as to make it more difficult for the police to trace the money back to them.
The police have been investigating the case for months, but have yet to track down the culprits.
But apart from catching the phishers and getting her money back, what Kim really wants to know is how the scammers logged into her bank account in the first place.
“I can’t believe that they were able to enter into my account with just the information on my ID,” said Kim. “I never leaked any other information like my passcode or a mobile OTP [one-time passcode]. I don’t think I can trust banks anymore to keep large amounts of money.”
With the onset of the age of smartphones, money transfers and other banking services have become as easy as just a few touches on a screen.
But the rapid development in remote banking services, especially amid Covid-19, has left holes in the system’s security which phishers have come to use to their advantage.
Banks have taken a back seat on the issue, saying that security gaps are an inevitable cost of easy remote services.
In July, a 53-year-old surnamed Park fell victim to a similar scam when a phisher disguised as her daughter asked for a picture of her ID and the four-digit passcode to her account via text message, then took out money from her account.
Like Kim, Park was astonished by the fact that scammers could access her account and transfer money with little more than just a picture of her ID.
She phoned the bank to ask how this was possible, and the answer they gave her was “technology.”
“Cameras on mobile phones have become so advanced that they now seem to be able to recognize pictures of IDs as actual IDs. So please be careful of leaking personal information,” said a bank employee.
However, Park’s brother told the JoongAng Ilbo that he still thinks banks should strengthen their security settings instead of simply telling their customers to be more careful.
“If banks are going to create remote services, they should come up with processes to check the validity of IDs as well,” Park’s brother said.
Park is getting ready to file a damages suit against her bank for violating the Electronic Financial Transaction Act and the real-name financial transaction system.
“Banks are profit-driven private institutions, so it is difficult for the state to legally require them to take preventative measures on something that does not affect their money-making affairs,” said Kwak Won-sub, financial fraud response team leader of the Financial Supervisory Service.
Most banks have adopted phishing scam manuals which direct employees to report to the police if they see more than 5 million won withdrawn from an account at once.
But these manuals have no legal force to ensure they are properly implemented.
“The role of the police is to catch the culprit after the crime has occurred, but banks can actually prevent the crimes from happening in the first place,” said a police officer based in Seoul.
“This is the reason why the bank industry needs to be more aware [of phishing crimes].”
BY SPECIAL REPORTING TEAM [email@example.com]