Banking-Related Phishing Scams on the Rise Again in Singapore; Police Flag at Least 28 Cases Since May

BANKING-related phishing scams are on the rise again, with bank staff impersonation calls or unsolicited SMSes claiming at least 28 victims who collectively lost S$114,000 since the start of May, the Singapore Police Force (SPF) said in a statement on Sunday (Jun 5).

The update came just as the Monetary Authority of Singapore (MAS) and Association of Banks in Singapore (ABS) last Thursday announced more measures for banks to safeguard their customers from digital banking scams, on top of those relayed on Jan 19.

The latest measures, which are slated to take full effect by Oct 31, would require banks to roll out additional customer confirmations to process significant changes to customer accounts and other high-risk transactions identified through fraud surveillance. Default transaction limit for online funds transfers would also have to be set at S$5,000 or lower.

Banks are also expected to provide an emergency self-service “kill switch” for customers to suspend their accounts quickly if they suspect their bank accounts have been compromised.

They should also facilitate rapid account freezing and fund recovery operations by co-locating bank staff at the SPF Anti-Scam Centre.

The January round of measures had banks removing clickable links in emails or SMSes sent to retail customers, and were implemented after at least 469 OCBC customers fell prey to such scams and lost a total of at least S$8.5 million in the month prior.

On Sunday, the police noted 2 variants to the latest trend of phishing scams.

In the first variant, callers would impersonate bank employees to ask for victims’ personal details such as Internet banking username and password.

This would be done under the pretext that the bank required their personal information to verify transactions performed in the victims’ account, or that the victim was under investigation for transferring large sums of money to another bank.

The callers would succeed after asking the victims to convey the one-time passwords (OTPs) that would be sent to the victims’ mobile phones upon login.

In the second variant, the victims would receive unsolicited text messages claiming that their debit or credit card had been blocked due to unusual activities, or that their bank account had been frozen because the “bank account was unusual”.

The police said the SMSes would direct victims to sign in via an embedded link to verify their identity. After clicking through, the victim would be sent to a spoofed Internet banking log-in page, where the victim would key in his online banking username and password.

Later, the victim would be redirected to another webpage requesting them to key in the OTPs that they would have received on their mobile phones.

Victims of both variants will only discover that they have been scammed when they were notified of unauthorised transactions made on their bank accounts, the police said.