There has been a rising number of local reports involving cybercriminals leveraging Telegram to trick users into sending their one-time password (OTP) or other confidential information, or transferring money to the cybercriminals’ accounts. Users are advised to stay vigilant and adopt good cyber hygiene measures to protect themselves from falling prey to such incidents.
Common Attacks on Telegram
These are some of the common attacks conducted by cybercriminals:
Telegram Scams
Telegram scams are often conducted by cybercriminals to extract monetary benefits from victims. Cybercriminals may impersonate trusted organisations or persons to gain the trust of victims and trick them into providing confidential information by enticing them with attractive offers and returns. Job offers, love scams and investment scams are some of the common Telegram scams observed.
Examples of modus operandi of such Telegram scams include, but are not limited to:
- Impersonating a hiring agent of a legitimate organisation and offering the victim a job position with high commission. The job usually requires the victim to pay for the products before they are qualified to receive commissions.
- Initiating a fraudulent relationship with the victim, where the cybercriminals gain the victim's trust by sending sensitive pictures of themselves. Subsequently, cybercriminals may request money on the pretext of meeting the victim, but these meetups usually do not happen.
- Providing attractive investment opportunities and testimonies to gain the victim's trust. When the victim expresses interest, the victim will be instructed to transfer money to the cybercriminal's account.
Telegram Hijacking
When users log in to an existing Telegram account, Telegram will send an OTP via SMS to verify the phone number. Cybercriminals may impersonate your friend or Telegram's Support Team to request the OTP sent to the victim's phone. Subsequently, cybercriminals may use the hijacked Telegram account to approach the persons on the victim's contacts list and ask for money to be transferred to their bank accounts or for other confidential information.
Good Cyber Hygiene Practices for Telegram
Telegram users may wish to adopt the following precautionary measures to protect their accounts:
- Protect your Telegram account by enabling Two-Step Verification and Passcode Lock. You may enable Two-Step Verification under Settings > Privacy and Security > Two-Step Verification > Set Additional Password, and Passcode Lock under Settings > Privacy and Security > Passcode & Face ID > Turn Passcode On.
- Always be cautious of suspicious messages and verify any requests with the organisation directly before clicking on any links, especially if the messages come from an unfamiliar sender. If the messages are not associated with the organisation, block the sender and report the sender to Telegram.
- Do not share your Telegram account verification codes or any OTP with anyone. If you receive suspicious messages from a contact or stranger via Telegram, do not respond to them, especially if the sender requests that an OTP or code be sent to him/her. Do not click on any links or provide any other personal information.
- Configure call permissions to prevent being called by people outside of your contact list. You may change your call permissions under Settings > Privacy and Security > Calls > Change 'Everybody' to 'My Contacts'.
- Configure group permissions to prevent being added to random groups with numerous users. You may change your group permissions under Settings > Privacy and Security > Groups > Change 'Everybody' to 'My Contacts'.
- Do not share your phone number on your Telegram account. You may change the visibility of your phone number under Settings > Privacy and Security > Phone Number > Nobody.
- Do not share your payment and shipping information on your Telegram account. If you have previously shared them, delete them immediately. You may delete the information under Settings > Privacy and Security > Data Settings > Clear Payment and Shipping Info.
- Monitor and disable active Telegram sessions that are no longer in use. You may disable them under Settings > Devices > Select the session not in use > Terminate Session.
- Enable end-to-end encryption on your Telegram chats by using the secret chat option. You may start a new secret chat under Create a New Message > Tap New Secret Chat > Select a contact to start a secret chat.
Do Not Make It Easy For Cybercriminals
Taking steps to protect your Telegram account will prevent you from becoming an easy target for cybercriminals. If you suspect that you have fallen victim to such incidents, you are advised to block the sender and report the incident to Telegram at abuse@telegram.org with the link of the profile or @username that posted the content you are reporting. If you suffered monetary losses due to scams, please also lodge a report with the Singapore Police Force at https://eservices.police.gov.sg.
For more information on Telegram, you may visit: https://telegram.org/faq.
For more information on good cyber hygiene practices when using messaging applications, you may refer to section A.3 "Instant Messaging" on the Go Safe Online website: https://www.csa.gov.sg/gosafeonline/go-safe-for-me/for-students/a-word-to-the-wise-internet-safety-for-all