Many users of Facebook and Telegram accounts have reported numerous cases of fraud, whereby a stranger hacks an account and then attempts to request money for an emergency, or even ask for a loan, from the contacts of the account holder.

Many different pretexts have been employed for such schemes, with scammers becoming more and more resourceful in their approaches.

Almost invariably, any money sent is transferred electronically, generally using a KHQR code, the standardised version of a QR code which is used for retail payments and transfers across banks and financial institutions within Cambodia. 

The Post looked into the complex process of recovering electronically transferred funds and discovered that it is surprisingly difficult to trace the perpetrators.

Brazen fraud attempts

One of the latest cases happened to Rachana, a resident of Phnom Penh. Someone obtained her Facebook login, presumably through a malware application disguised as a game or app, and then locked her out of her own account.

After assuming control, the technology thieves sent messages to several of her friends asking for a $300 loan, under the pretext that her bank account had been shut down after she entered the wrong code several times.

Along with her immediate friends and relatives, Rachana rushed to notify as many of her contacts as possible that she had been hacked, to make sure that no money was sent.

The KHQR that the hacker sent used the name Seavling Oun. When the code is scanned, it does not show the specific bank linked to the account; instead it shows Bakong, a payment system established by the National Bank of Cambodia to transfer funds between different accounts at different financial institutions.

Fortunately, Rachana managed to log back into her account and regain control of it before the hacker convinced anyone to send them money.

Another Phnom Penh resident, Thea, lost control of his Telegram account. Following the hacking, his family received a barrage of messages asking for money. 

As soon as he became aware of the fraudulent requests, he went to the National Police’s Anti-Cyber Crime Department and notified them about the issue, ensuring he would not be held responsible for any potential crimes.

“My case was not serious yet; they just used my hacked Telegram account to chat to my friends. I only realised when they began asking my family members for money,” he told The Post.

“I went to the cyber-crimes department and filed a report. The officials instructed me to spread the word on social media,” he added.

Who is behind the codes?

In general, to register with a bank or microfinance institute for a QR payment service, proof of address and an ID are required. So why can’t the perpetrators of these crimes be tracked down immediately through the names on the QR codes?

The Post submitted questions to the National Bank of Cambodia and Bakong, as well as the Financial Intelligence Unit of Cambodia on May 27, but had not received a response as of May 28.

One anonymous expert with insider knowledge of the banking system explained that it is extremely unlikely that hackers could break directly into any of the major banking systems. 

Instead, they hacked into a social media account and then relied on the victims of their scheme to not pay close attention when making money transfers.

He added that perpetrators often use KHQR codes from different banks or financial institutions to commit fraud.

He also called on the victims of all such cases to contact their bank immediately by phone or in person. They should then follow the measures that the bank has in place to resolve the issue. 

A customer scans a KHQR code to pay for an iced coffee in Phnom Penh. Electronic transfers via the codes are becoming commonplace, with many of the capital's citizens no longer carrying cash. Supplied

Kaing Tongngy, spokesman for the Cambodia Microfinance Association (CMA), told The Post that at present, just four microfinance institutions have KHQR codes, as they offer similar services to the major banks, which use the codes widely.

He noted that there are several other payment services which utilise the codes.

Tongngy said that across the finance sector, there is generally a need for customers to provide clear identification before they will be eligible to open an account or make use of any other services. This is designed to ensure that investigations into fraud or suspected money laundering, for example, are much easier.

He warned that unfortunately, some criminals appear to have stolen QR-capable accounts, or even bought them from people who are gullible or unaware of the possible danger. These codes are then used to commit fraud.

“I believe that some official accounts are bought by criminals, sometimes for as little as $20 or $30,” he said.

“This issue has been explained to us by the authorities. When their investigations have identified a person, the suspects often say their account has been hacked or sold to a third party,” he added.

Tongngy explained that after fraudsters took control of an account, the names and addresses would still be the ones registered by the people who opened it. The hackers would change the log-in details and immediately transfer any money that was deposited.

Room for human error

“If you stop using an account or your login is stolen, please go to the bank or microfinance institute where you opened it and close the account or retake control of it. You should not let a perpetrator use an account in your name to commit crimes – this will cause you problems and there may be legal consequences,” he said.

“In addition, when using any financial services, you must verify where you are sending money. We need to look at the account name carefully and make sure the account holder is the right person before transferring any funds,” he added.

He noted that due to the rapid development of new technology, the general public need to make sure they are aware of online safety and of the need to take care when using bank accounts.

Tongngy acknowledged that while there have been a small number of problems, there are legal mechanisms in place to protect customers, provided they follow recommended procedures and employ common sense.

He said the Bakong system is highly secure, but the problems that had occurred were generally caused by users, perhaps due to a lack of attention while making payments or through a lack of understanding of how the system works.

According to the CMA, there are about 16 million accounts in Cambodia which can use a KHQR code to accept deposits. With such a large number, some small issues are inevitable, warned Tongngy.

Cyber-crime squad procedure

Touch Sokhak, spokesman for the Ministry of Interior, requested that anyone whose social media accounts had been hacked file a complaint with the cyber-crime department.

He explained that after receiving the complaint, the police will search for the perpetrator who hacked the victim's account and attempt to find a way to freeze any account activity.

However, he acknowledged that the current capacity of the authorities to combat and prevent cyber-crimes remains limited, as the digitalisation of the government and of law enforcement agencies has only just begun.

“Many of the perpetrators are employing cutting-edge technology and have the ability to use it effectively,” he said.

“Many of these crimes are not being carried out by Cambodians, but by foreigners working in different countries. They work in organised teams and translate and modify the contents of their messages for each target country,” he warned.