Singapore: authorities introduce measures to combat SMS-phishing scams

In short

Singaporean authorities are looking to tackle the recent wave of SMS phishing scams targeting digital bank users through various measures. The multi-stakeholder approach involves government entities responsible for the finance, telecommunications and home affairs sectors, as well as industry groups such as the Association of Banks of Singapore (ABS).

Some of the recent key developments are shown below.


  • The Monetary Authority of Singapore (MAS) and ABS are seeking to introduce more robust measures for banks in Singapore to enhance the security of digital banking services.
  • The Info-Communications Media Development Authority (IMDA) may require telecommunications companies, banks and SMS aggregators in Singapore to register with the Singapore SMS SenderID Protection Registry.
  • The ScamShield app, developed by the National Crime Prevention Council (NCPC) and the Government Technology Agency, is another way for consumers to protect themselves against scams.
  • MAS has not yet issued a notice or circular on the matter and there may be further updates in the future.

Recent SMS Phishing Scams

There has recently been a wave of SMS-phishing scams, particularly targeting bank customers.

In late 2020, malicious actors hijacked and used SMS one-time passwords (OTPs) to perform fraudulent credit card transactions worth SGD 500,000 and affecting 75 banking customers. [1]

Most recently, in December 2021, nearly 470 customers of a major financial institution in Singapore lost at least SGD 8.5 million to SMS phishing scams.

In these most recent cases, fake text messages appeared in the same thread as legitimate text messages previously sent by the bank for OTPs and transaction alerts. The scammers posed as the bank, setting their sender IDs to be the same as the bank’s and thus making their messages appear in the same chat thread on the customers’ mobile devices. These fake messages claimed that there were problems with the customer’s bank accounts or credit cards and asked them to click on a link, which led them to fake websites or requests for bank details.

These SMS scams are successful, first, because bundling fake messages with old, legitimate messages immediately makes them appear authentic. Second, the phishing links in these fake text messages are often shortened to hide the real URLs, making it difficult for victims to verify their validity. Third, the links lead to fake banking sites that also appear genuine.

The problem is not limited to Singapore. In the Philippines, the National Privacy Commission has received reports of mobile users receiving unsolicited text messages, allegedly because of the contact information they provided in contact tracing and COVID-19 health statements. The Canadian government has also drawn attention to the issue, as scammers there have taken advantage of the pandemic by claiming to be from aid programs like the Canada Emergency Response Benefit and the Canada Recovery Benefit to target vulnerable Canadians. The messages involved included links that redirected recipients to seemingly legitimate sites that could then steal users’ personal data, introduce mobile malware or commit fraud.

Measures to strengthen digital banking security

In response, on January 19, 2022, MAS and ABS announced that a set of additional measures to strengthen the security of digital banking services would be introduced in the coming weeks. Measures explored by banks in Singapore, in consultation with the MAS, include:

  1. Removal of clickable links in emails or text messages sent to retail customers;
  2. The threshold for remittance transaction notifications to customers should be set by default to S$100 or less;
  3. Delay of at least 12 hours before a new soft token is activated on a mobile device;
  4. Notification to the existing mobile phone number or email address registered with the bank whenever there is a request to change a customer’s mobile phone number or email address;
  5. Additional safeguards, such as a cooling-off period before implementing requests for key account changes, for example changes to key customer contact information;
  6. Dedicated and well-resourced customer support teams to prioritize feedback on potential fraud cases; and
  7. Educational alerts on the most common scams.

These measures help to combat the trap of fake links in fraudulent SMS messages and increase the likelihood that customers will be immediately notified of any fraudulent transactions or attempts to take control of their bank account. MAS is also stepping up its review of large institutions’ fraud oversight mechanisms to ensure they are properly equipped to deal with the growing threat of online scams.

The Singapore SMS SenderID Protection Registry

The IMDA announced on January 20, 2022 that a national registry, called the Singapore SMS SenderID Protection Registry, will be rolled out. The IMDA has urged all telecom companies, banks and SMS aggregators in Singapore to register, and it looks like these companies and organizations may soon be required to do so.

Sender IDs identify the sender of an SMS message so that a word or phrase appears instead of a number. When scammers attempt to send messages using a registered sender ID, the organizations that registered it can choose to have those messages blocked. This prevents scammers from impersonating banks and other organizations, and specifically targets situations like the most recent incidents.

The Singapore SMS SenderID Protection Registry has been in its pilot phase since last August. OCBC Bank, Lazada and Singapore Post are said to be among the organizations that have registered.

However, experts argue that a better approach would be for banks to not use SMS at all and instead rely on notifications from bank apps, portals or websites to send messages to customers. This is all the more true since there is still room for manipulation: scammers can simply change the sender ID slightly, for example, “” instead of “Bank”.

In addition, the success of the register relies on the participation of the aforementioned companies and organizations. Registration is not yet compulsory, although more than 2,100 people have signed an online petition to make it compulsory.

Other IMDA initiatives include blocking numbers that are often spoofed and prefixing incoming international calls with “+” to alert the public to a potential fraudulent call.
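The registry check described above, together with a near-match test for the slightly altered sender IDs that experts warn about, is sketched below as an added example; it is not IMDA's or any operator's implementation. The registry contents, account names and the `skeleton` and `check_sender` helpers are hypothetical and constructed for illustration.

```python
import unicodedata

# Constructed sample registry: protected sender ID -> accounts allowed to send with it.
REGISTRY = {
    "ExampleBank": {"aggregator-a"},
    "ShopSG": {"aggregator-b"},
}

# Digits and symbols that are easily read as letters, folded before comparison.
LOOKALIKES = str.maketrans("01345$", "oleass")

def skeleton(sender_id):
    """Reduce a sender ID to a comparison key: fold case, compatibility
    forms and look-alike characters, then drop punctuation and spaces."""
    text = unicodedata.normalize("NFKC", sender_id).casefold()
    return "".join(ch for ch in text.translate(LOOKALIKES) if ch.isalnum())

def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_sender(sender_id, account, max_distance=1):
    """Return 'allow', 'block' or 'review' for a message submitted by `account`.

    block  - exact use of a protected sender ID by an unauthorized account
    review - sender ID is a near match of a protected ID the account does not own
    """
    if sender_id in REGISTRY:
        return "allow" if account in REGISTRY[sender_id] else "block"
    key = skeleton(sender_id)
    for protected, allowed in REGISTRY.items():
        near = edit_distance(key, skeleton(protected)) <= max_distance
        if near and account not in allowed:
            return "review"
    return "allow"

if __name__ == "__main__":
    for sid in ("ExampleBank", "Examp1eBank", "Example-Bank", "CityClinic"):
        print(sid, check_sender(sid, "aggregator-x"))
```

An exact-match registry only produces the `block` outcome; the `review` outcome is the extra step needed to catch near-miss sender IDs, and its threshold trades missed look-alikes against false positives on short names.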

ScamShield

Another protection option is the ScamShield application, which was jointly developed by NCPC and the Open Government Products team, a unit of the Government Technology Agency. The app filters fraudulent messages using artificial intelligence and can also block calls from numbers reported by users or those on a list maintained by the Singapore police. Between the app’s launch in November 2020 and August 2021, the app had blocked around 8,600 phone numbers and users had reported 1.4 million suspicious text messages through the app.

The model is trained to recognize words often used in fraudulent texts, including “loans”, “gambling” and “refunds”. It then examines how these words are used in combination with each other.

The app may not filter out all fraudulent messages, as there are apparently ways around its filtering. We advise against relying on the app as the only way to filter out scammers.

While the threat of scams cannot be eradicated, especially given the speed at which scammers are adapting, these measures can put up barriers that counter at least some vulnerabilities associated with online banking. Alongside these measures, as MAS argues, customer vigilance remains paramount.


[1] https://www.mas.gov.sg/news/media-releases/2021/sms-one-time-passwords-diverted-to-perform-fraudulent-card-payments


© 2022 Baker & McKenzie.Wong & Leow. All rights reserved.