I got a WhatsApp message from a neighbourhood chat group yesterday, warning of a brochure that told people to scan a QR code for a “Free HighBlood Pressure Device For Every Household”.
Yes, if that sounded a little unreal and fake (it should be a blood-pressure checking device), you’re not wrong.
There didn’t seem to be any phone number or name on the physical brochure, which depicted the free device in a photo along with another one that looked straight out of a stock photo library.
However, a logo at the bottom read “We Care for SG”, next to a large QR code calling the reader to “Scan Here To Redeem”.
If you have “scam” running in your head, you’re not alone. The WhatsApp warning was apparently forwarded many times, as I saw on the app. Similarly, a chat on a HardwareZone forum got people talking as well.
Curious, I checked with a friend who was into cybersecurity and we managed to track down who this We Care for SG was.
It turned out to be a marketing company registered to a Ubi address, which was contracted by insurance firm AIA. The goal of the brochure? Get people to go to a talk, presumably about financial products, in exchange for the free gadget.
As for the QR code? Well, it led to an online form where you were supposed to fill in details like name, e-mail address, home address and more.
The Straits Times wrote a story about this today as well, with AIA coming out to say it’s not a scam. The promo is legit, it goes on to say.
What’s annoying is how AIA tries to tell people to be assured this wasn’t a scam and integrity was at the core of its business. It even said its representatives were held to the highest professional standards.
Really? Perhaps start by not sending these brochures to find new customers. Or making them appear like the scam messages that people have been warned of repeatedly.
What about simply putting AIA’s good name up front and giving contact details for people to check its authenticity instead of pasting a QR code to collect personal particulars?
In case it’s still not clear, you should never scan QR codes whose source you do not know, as they may link you to fake or malicious websites that steal your credentials or install malware on your phone.
Neither should you be giving your personal details after scanning a random QR code. Many websites are spoof versions of a bank or government site set up to steal your details.
If you need any more of a warning, consider that a woman recently lost S$20,000 after she had scanned a manipulated QR code at a bubble tea shop.
The freebie then was a free cup of milk tea after completing an online survey but the poor woman had unwittingly downloaded a piece of malware that enabled hackers to steal a chunk of her savings, reported The Straits Times.
So, it’s not enough for AIA to just say “it’s legit” and carry on with similar campaigns in future. It should discontinue these brochures that raise the alarm for an already worried populace facing repeated scam attempts.
When people are told not to scan QR codes for quick freebies, AIA and its marketing vendor need to rethink how they want to find new customers.
To be sure, AIA is certainly not alone. There are numerous examples of organisations that should know better in today’s security-conscious climate.
A few months back, a friend said Standard Chartered Bank had called him and asked him to verify himself by providing his personal details on the phone.
Without any way of knowing who had called, why should he be giving away his data like that, he wondered.
I was surprised this still happened because I had also raised this with my own credit card company – American Express – a few years ago. Similarly, an agent had called me and wanted me to verify myself to him on the line by providing my details.
No, I told him. Instead, I would make a call to a trusted American Express phone number and I would verify myself and pick up from there.
Thankfully, these days, some banks let you verify yourself by triggering a prompt on your phone’s app, which you can use to confirm details more securely.
In both episodes, the lesson is the same – companies should really know better than to carry on with these practices that run counter to the heightened precautions consumers have been told to take.
Not only will these companies damage the trust that they have with their customers, they could make it even more difficult to separate the legitimate from the fake in future.
In this cat-and-mouse game, the bad guys will keep innovating to trick people into giving up their precious data or opening a backdoor into their personal devices.
As the damaging OCBC scam in late 2021 showed, criminals can take a long time to prepare for an attack and it takes just minutes for victims to lose so much.
Companies should up their game. Those that don’t update their practices to make interactions with their customers safer should not expect trust in return. Neither should they earn your business.