News

S'porean man, 40, gets billed S$1,880 in overseas transactions after linking card to Koufu app

His card was unknowingly linked to a third-party Google Pay account.

clock

February 04, 2025, 12:37 PM

Telegram

Whatsapp

After cycling to Punggol, a Singaporean man linked his credit card to a Koufu payment app so he could order dinner at an outlet there.

Unbeknownst to him, his card was also linked to a third-party Google Pay account, which was used to make S$1,880 worth of overseas transactions.

He is one of the few customers who reported unauthorised payments made through the Koufu Eat app since last October.

Had trouble linking credit card to Koufu app

The 40-year-old customer, surnamed Teh, told Mothership that on the evening of Dec. 7, 2024, he cycled to Punggol with his girlfriend.

After finding seats at the Koufu Gourmet Paradise outlet in the Oasis Terraces mall, they decided to order via the Koufu Eat app.

Teh said he had used the app for many years to order food with colleagues, but he had not used it for at least a year, so his previous card linked to the app had expired.

At around 7:30pm, Teh decided to link a new POSB credit card to the app, as he would get a 10 per cent discount on his order.

On Teh's first attempt to add his card, he received an SMS notification with a One-Time Password (OTP), informing him that his card was being added to a Google Pay account.

Image courtesy of Teh.

On hindsight, Teh said that this was suspicious.

He admitted that he was expecting to receive an OTP to link his card to the Koufu app, so when he got the OTP, he did not read the rest of the message closely.

After keying in the OTP to authenticate his card, Teh tried to place an order but failed.

He recalled that this was "weird" as he thought he had already added his card.

Teh then tried to link his card again, and received another set of SMS notifications.

This time, it worked, and he was able to order, so he gave the matter no further thought.

S$1,880 charged to his card

About two weeks later, on Dec. 20, Teh was notified by DBS that two overseas transactions amounting to S$1,530 were made on his card.

He also discovered that two other overseas transactions amounting to S$350 had been made two days before.

Image courtesy of Teh.

Teh immediately called the bank to cancel his card and his online banking account.

He made a police report the same night and subsequently contacted Google Pay and Koufu on the matter.

Later, when Teh came across Google Play Store reviews complaining of unauthorised payments linked to the Koufu Eat app, and the matter was reported in the media, he put two and two together.

"I was shocked that it has been going on for so long," Teh said, noting that one such review was dated Oct. 26, 2024.

Screenshot from Google Play Store page for Koufu Eat.

Teh shared that he is typically quite cautious of scams, and habitually checks his bank statement for unauthorised transactions.

"I feel quite stupid that I'm one of those who got scammed in this case," he said.

Another matter that Teh faces is the S$1,880 charge, which he has contested with the bank.

However, on Jan. 14, he found that the full amount had been added to his bank statement.

The next day, he was notified by email that DBS was "unable to waive or withhold payment pending the outcome of the investigation".

Image courtesy of Teh.

"This transaction is classified as secured and remains the liability of the cardholder," the email read.

Teh disagreed that victims should be held liable for the unauthorised transactions.

"If I clicked on a phishing link or an online shopping scam, then yes, it would be my fault. But all I did was link my card to the Koufu app, and something happened," said Teh.

He also opined that Koufu should have suspended card payments on the app once users started reporting such issues.

Teh has since raised his concerns to his Member of Parliament (MP), who wrote a letter to the police on his behalf.

As of Feb. 3, Teh was notified by police that investigations are ongoing.

No security or data breach detected so far: Koufu

Koufu told Mothership that it was notified of such fraudulent incidents in December 2024 and has been in talks with the police regarding the security of its Koufu Eat app.

"Our initial investigations with the SPF have not detected any security and data breach. Our app payment gateway is built to the security standards and in accordance with industry guidelines."

Koufu explained that their app does not store customers' credit card details as their payment gateway is via ENETS.

In addition, the app is not linked to any e-wallets, such as Google Pay, Grab Pay or Apple Pay, Koufu said.

Since Jan. 20, Mothership has observed that the credit card payment function is unavailable on the Koufu Eat app.

Screenshot via Koufu Eat app, taken by Daniel Seow.

Koufu clarified with Mothership that the credit card payment option on its app has been deactivated while police investigations are ongoing.

A Google spokesperson told Mothership that Google Pay is not integrated with the Koufu Eat app, and payment information is not passed between Koufu and Google Pay.

“Cards added to a third-party digital wallet are authorised by the issuing bank, not by the wallet itself. We are working with the other parties involved to investigate this issue,” the spokesperson said.

Card payments made via mobile wallet can't be disputed: DBS

DBS told Mothership that the bank has been working closely with Koufu and the police to investigate the matter thoroughly, and it has been in touch with affected customers to provide support and assistance.

"Investigations indicate that there has been no compromise to our payment and card platforms, which remain secure. Instead, affected customers had authorised the addition of their card to an unknown third-party Google Pay wallet," DBS said.

On why such transactions remain the liability of the cardholder, DBS explained,

"When a card is added to a mobile wallet, it is akin to having the card on hand. For this reason, subsequent card payments made via the mobile wallet cannot be disputed."

The bank also encouraged its customers to activate transaction notification alerts for card activity and regularly monitor payments for suspicious transactions.

Customers who notice such transactions can report them via DBS' 24-hour Fraud Reporting hotline at 1800 339 6963 or (+65) 6339 6963 (from overseas).

Top image via Teh, Google Play Store page & Von Karman Tsien/Google 

Follow us on Facebook, Instagram, Twitter and Telegram to get the latest updates.

  • image
  • image
  • image
  • image

MORE STORIES

Events