Hey @bigpaymeapp, I just got a call from you (/s)!

Here's my first-hand experience of getting a scam call. The recording is in Bahasa (please pardon my Bahasa 🇲🇾).

A thread.
The man (let's assume) did the call from Whatsapp. Not sure why, but maybe to make it look more legit since they can put the display picture. They'd also know my name from Whatsapp.

Besides, it's good for them. They don't need to spend any phone credit (just need internet).
I knew it was a scam call because no way bigpay would call me via Whatsapp. Off office hours.

But I wanted to play along to see how they work.

Please note that, before the call, I got this random transfer to my Bigpay by "Jessy Koo" and "Chadwick33".
I didn't know why someone would send me RM 0.01. Now that I got the call, I think I know why.

They sent me RM 0.01 to verify that my number is actually registered with Bigpay. In Bigpay, you can transfer money just from knowing the phone number.
Now that the RM 0.01 "bait" transfer is successfully sent, they are sure that my number is a bigpay number. And they proceed to call me.

Note to @bigpaymeapp: maybe you can check the owner of the above accounts? It could be a good pointer to who they are. And who the other victims are.
Back to the call. Somewhere in minute 3:00 (not in the recording), I was quite amused because I got a bigpay TAC (the one you use to log in to bigpay) as soon as the man on the call said to send me a verification code.

It was smoothly deceiving. Social engineering 💯
Let's recap. So far, what he did was:
1. Send bait transfer to verify that my phone is a bigpay number
2. Call me to inform about the "reward"
3. Login to bigpay app using my phone so that bigpay will send the OTP to me

The next step would be for that man to get the OTP from me.
Obviously I won't spill my OTP. Minute 3:00 onward is just me messing with him, giving him wrong OTP code.

Got the call again from the same Whatsapp number while I write this thread but I just ignored it.
Anyway, it was quite a smooth flow. I might be deceived. It's not necessarily bigpay leaking our phone since they might just do a random number (and verify using bait transfer).

Please don't use the steps here to scam others. It's here for us to know that such a thing is possible.
Special request for @bigpaymeapp, I hope you can do something about this. Maybe put an additional check before you actually send the OTP?

eg. user login using phone → bigpay notice unusual login → bigpay send email to prompt user for unusual login.

if user ack'd the login, send OTP.
Or you can also check the whatsapp number if there's any relation with "Jessy Koo" or "Chadwick33".

I believe the scammer is not as sophisticated as bigpay team (and brand). Get the scammer, make big news about it, show them that you're not taking this lightly.

Peace ✌️
You can follow @wzulfikar.
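
The extra check suggested in the thread (unusual login → email prompt → OTP only after acknowledgement), sketched as an added example; it is not part of the original thread and not BigPay's code. The class, the callbacks, the device-id notion and the 10-minute expiry are all assumptions.

```python
import secrets
import time

ACK_TTL = 600  # seconds an acknowledgement token stays valid (assumed value)


class LoginGate:
    """Hold back the SMS OTP for unrecognized devices until the owner acks by email."""

    def __init__(self, send_sms, notify_owner):
        self.send_sms = send_sms          # hypothetical callback: (phone, otp)
        self.notify_owner = notify_owner  # hypothetical: emails the address on file
        self.known_devices = {}           # phone -> device ids from past logins
        self.pending = {}                 # ack token -> (phone, device_id, expiry)

    def request_login(self, phone, device_id, now=None):
        now = time.time() if now is None else now
        if device_id in self.known_devices.get(phone, set()):
            return self._send_otp(phone)
        # Unusual login: no SMS goes out, so a caller who says "I am sending you
        # a code now" has nothing arriving on the victim's phone to back it up.
        token = secrets.token_urlsafe(16)
        self.pending[token] = (phone, device_id, now + ACK_TTL)
        self.notify_owner(phone, token, device_id)
        return "pending_ack"

    def acknowledge(self, token, now=None):
        now = time.time() if now is None else now
        entry = self.pending.pop(token, None)  # single use: removed on first try
        if entry is None or now > entry[2]:
            return "rejected"
        return self._send_otp(entry[0])

    def _send_otp(self, phone):
        # A real service would also store a hash of the OTP to verify it later.
        self.send_sms(phone, f"{secrets.randbelow(10**6):06d}")
        return "otp_sent"


def demo():
    """Constructed scenario: a login attempt from a device the owner never used."""
    sms, mail = [], []
    gate = LoginGate(lambda p, otp: sms.append((p, otp)),
                     lambda p, tok, dev: mail.append((p, tok, dev)))
    first = gate.request_login("+60120000000", "unknown-device")  # constructed number
    sms_before_ack = len(sms)
    second = gate.acknowledge(mail[0][1])
    return first, sms_before_ack, second, len(sms)
```

`demo()` returns `("pending_ack", 0, "otp_sent", 1)`: the OTP is only sent after the account owner acknowledges the email.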