Senior Staff Writer

Social engineer bank robber arrested weeks after successful $142,000 heist

Oct 09, 2017 | 4 mins
Physical Security, Security, Social Engineering

All the Malaysian bank robber needed was a slip of paper and a decent story

A Malaysian bank robber who used social engineering as his primary weapon in a string of thefts was recently arrested at his home in Batu Berendam, Malacca, three weeks after successfully walking away with $142,000 (RM600,000) by pretending to be a fire extinguisher maintenance man.

The suspect, whose name has not been released, walked into a bank in Damansara Heights (a suburb located in western Kuala Lumpur) on September 8 posing as a fire extinguisher maintenance technician.

Carrying a backpack, dressed casually in a T-shirt, shorts, and slippers, he walked into the bank with a single document that was supposedly a floor plan for the building.

According to local reports and CCTV footage, the suspect displayed the paper to a bank manager and requested permission to do an inspection. When he failed to produce any sort of identification, the manager refused him access and went to lunch.

While the manager was away, the suspect remained behind and pretended to check extinguishers while staff assisted customers, completely unaware of his presence. Eventually, he managed to get close to the safe room, and waited for the head cashier to access the area.

Using a magnet on the door’s lock, which prevented it from shutting fully, he waited until the coast was clear before entering. Once inside the secure area, he filled his backpack with cash and walked away. He approached a security guard and explained that he was leaving to fetch additional staff to assist with the inspection.

All told, he was inside the bank for less than 20 minutes and walked away with RM600,000, or $142,000 USD. When the bank manager returned about 90 minutes later, he questioned staff about the whereabouts of the alleged extinguisher technician. With his suspicions raised after being informed that the technician had left the property, the manager checked the safe room and discovered the theft.

During their investigation, police learned the same suspect attempted a similar robbery by posing as an air conditioning technician who was called out for repair work. That attempt failed.

Additional investigation by local media uncovered another theft, albeit minor in comparison (a set of headphones), after the suspect posed as a plumber conducting pipework repairs.

Once police went public with details surrounding the case, they were flooded with reports of similar scams and thefts.

According to police, the suspect in their case had approached a number of retail stores and offices around the area, posing as a computer repair technician, plumber, HVAC repair technician, or building maintenance. While the bank robbery was his largest heist, he had previously stolen cellphones, case, and laptop computers.

Some of the tips led law enforcement to his location, where he was later identified and arrested. He was taken back to Kuala Lumpur earlier this month and awaits trial.

This particular case is one of the rare times when such crimes are mentioned in the media.

However, pretext itself is more common than you’d imagine. In 2015, CSO interviewed Jayson Street, a well-known hacker who uses Social Engineering in all of his physical assessments.

At the time, we profiled Street’s engagement at a bank where he simply walked around and plugged in USB drives on various systems (he posed as a technician who was there to check USB ports).

If he were an actual criminal, the bank would have been fully compromised in less than 120 seconds. When asked why he was able to do what he did, Street said that humans don’t want to think about negative things happening to them, as it goes against human nature to do so.

“If I can give them a reasonable explanation, besides the negative thing that sounds bad, they will believe the positive. They will go out of their way to believe the positive aspect, because otherwise they would have to think something bad was happening to them, and that’s not something that humans like to acknowledge,” Street remarked at the time.

The lesson from Street’s engagement (for anyone, not just bank employees) is to question anything that looks or feels out of place.

“Stranger danger isn’t just for kids. We should never lose that. Stranger danger in your secured area is just as relevant if you’re a child on a playground, or an employee in your workspace. If you don’t know who this person is, find out who they are,” he added.