Banks and financial institutions in Singapore will have to implement new security measures that have been mandated following a series of phishing SMS scams that wiped out several victims of their savings. These measures include the removal of hyperlinks from emails or text messages sent to consumers and a 12-hour time limit for the activation of mobile software tokens.
The Monetary Authority of Singapore (MAS) and the Association of Banks of Singapore (ABS) said in a statement on Wednesday that the additional measures are aimed at enhancing the security of digital banking, in light of recent scams targeting customers of banks.
SMS phishing scams involving at least 469 OCBC Bank customers resulted in losses of over S$8.5 million, including S$2.7 million during the recent Christmas weekend of three days. Several of the victims are said to have lost their life savings, including a 43-year-old man whose account was wiped of S$500,000, a 38-year-old software engineer who lost S$250,000 and a 33-year-old financial manager who wiped it out. had. account emptied of S$68,000.
In these cases, the scammers manipulated the SMS sender ID details to send messages that appeared to be from OCBC. These SMS messages tricked victims into fixing problems with their accounts, redirecting them to phishing websites and asking them to enter their banking login details, including username, PIN and password. disposable (OTP).
Since OCBC’s legitimate sender ID was successfully cloned and spoofed, these messages appeared in the same thread as previous alerts or notifications from the bank, leading victims to believe that they were legitimate.
Affected OCBC customers also expressed frustration at how they were put on hold in their efforts to contact the bank’s hotline and have their accounts locked, after receiving payment transfer notifications and requests for increasing their transaction limits, which they never did.
“MAS expects all financial institutions to have robust measures in place to prevent and detect scams as well as effective incident handling and customer service in the event of a scam,” the regulator said in its statement. communicated. “The growing threat of online phishing scams requires immediate action to tighten controls, while longer-term preventative measures are being evaluated for implementation in the coming months.”
Local banks, in consultation with the MAS, would work to implement tougher measures within the next two weeks. This would include setting the default threshold for remittance transaction notifications to S$100 or less and triggering a notification to the existing mobile number or email address registered with the bank, whenever a request is made to change a customer’s mobile phone number or email address.
Banks should also set up dedicated and “well staffed” customer support teams to handle customer feedback on potential fraud cases, MAS said. The regulator added that additional safeguards, such as applying a cooling-off period before key account change requests, including a customer’s contact details, should be implemented.
In addition, the banks are reportedly working closely with MAS, local law enforcement and the Infocomm Media Development Authority (IMDA) to deal with the current “scam scourge”. This would include working on more permanent measures to combat SMS spoofing, including the adoption of an SMS sender identification registry by all relevant stakeholders, MAS said.
“MAS is also stepping up its review of the fraud oversight mechanisms of major financial institutions to ensure they are properly equipped to deal with the growing threat of online scams,” he added.
MAS Managing Director Ravi Menon said: “The threat of scams will not go away, but we can reduce our vulnerabilities. This requires a multi-pronged response across the ecosystem. MAS, together with the police, IMDA and other relevant government agencies, works closely with the financial sector, telecommunications industry, consumer groups and other stakeholders to build our collective resilience against fraudulent attacks. We will ensure that digital banking services remain secure, efficient and reliable. »
OCBC said Wednesday that all customers affected by the SMS phishing scam would receive “full goodwill payments” including the amount they lost. This follows its previous statement on Monday that it had started making “goodwill payments” since January 8, but did not say whether these covered the full amount lost by customers.
The bank acknowledged that its customer service and response “falls short” of customer expectations.