Shopee, Carousell most popular platforms used by phishing scammers

Taipei, March 12 (CNA) Shopee and Carousell, two online marketplaces based in Singapore, have been the two C2C platforms on which customers were most likely to fall victim to phishing scams in Taiwan over the past five weeks, the Criminal Investigation Bureau (CIB) said Sunday.

After analyzing information reported by the public on the 165 anti-fraud hotline, it was found that hackers have recently carried out phishing attacks on C2C ("consumer to consumer" or "customer to customer") online auction platforms such as Shopee and Carousell.

The attacks were aimed at stealing personal or business information used by customers to carry out online transactions, and the information was then used to conduct scams such as canceling installment payment setups, according to the CIB.

Since Shopee and Carousell are owned by companies in Singapore, they have only small staffs in Taiwan and have no professional information security team to assist people in protecting their accounts and passwords after being hacked.

The two online platforms have been referred to the Ministry of Digital Affairs (MODA) for investigation based on suspected violations of the Personal Data Protection Act.

Previously, the ministry had already conducted inspections of the two entities in December 2022 and asked the two platforms to make improvements, but no concrete actions were taken, according to the CIB.

In view of the high number of personal data breaches of major online shopping platforms in recent years, the CIB has regularly released the list of e-commerce platforms on which customers were at high risk of falling victim to fraud.

The CIB said fraud groups usually use hackers to steal people's transaction data (purchase time, product name, amount and payment method, etc.), and pose as customer service representatives of the companies concerned to trick shoppers into transferring money online or through an ATM to them.

The CIB said that from June 2022 to February 2023, it had sent notifications on up to 100 e-commerce companies suspected of leaking the personal data of customers to seven ministries, including the MODA, the Ministry of Health and Welfare, the Ministry of Education, the Ministry of Economic Affairs and the Ministry of Culture.

However, only about 10 percent of those e-commerce companies were subject to inspections and required to make improvements. In addition, there was no record of any punishments in the past year, according to the CIB.

On the other hand, the number of fraud cases related to cancelation of installment payment agreements caused by personal information leaks reached nearly 1,000 in just two months, and the financial losses have exceeded NT$100 million (US$3.25 million), the CIB said.