She clicked an SMS that she thought was from her bank. It brought her to a link that looked like the bank’s internet banking login page.
After the bank user keyed in her authentication code, hackers hijacked her bank account and drained it of her entire life savings. That was it – within minutes, hard-earned years of savings were wiped clean and “disappeared”.
For another bank scam victim who was willing to be named, John Paul Tan said that his and his wife’s life savings were wiped out, in not one – but five fraudulent overseas bank transfers. The bank managed to retrieve two out of five transactions within days.
This was one of the most rampant cases of bank-related fraud in 2021. At least 469 customers from one of Singapore’s largest banks OCBC were scammed of their money amounting to a total of S$8.5 million.
Phishing attacks through emails and text messages have been intensifying in recent times. Often, the ones that fall prey to such scams are those who are less tech-savvy, like the elderly, or those who aren’t in the know of such scams happening.
Meanwhile, other customers fall into the deception because the scams are just too realistic. For OCBC’s case, the SMS messages were spoofed and appeared in the bank’s official thread.
As early as Dec last year, scammers were impersonating OCBC and sending out SMS phishing messages with links to fake websites. The bank tried to reduce the number of attacks – like alerting domain hosts to take down phishing websites – but that was not enough.
According to the Singapore Police Force (SPF), victims received unsolicited messages claiming that there were issues with their banking accounts. In the SMSes, customers were asked to click on a link to resolve the problem.
Victims were then redirected to fake bank websites and asked to key in their iBanking account login details. Once the scammers logged into their accounts, they would proceed to transfer out the money into other accounts, often to overseas accounts.
More and more victims fell to the crime and the scammers grew in audacity.
By the end of December, scammers cleaned out the savings of hundreds of customers. The relentless behaviour intensified during the Christmas weekend of Dec 24 to Dec 26 and 186 customers lost US$2.7 million in total.
OCBC said it had worked closely with the SPF on the incidents, and had warned customers about the phishing SMSes via its online banking platforms, social media page, and media advisory. But the scammers still managed to channel out large amounts and emptied customers’ funds without the bank’s risk detection systems.
It was a “fast and furious” and a “well strategised” move, OCBC’s CEO Helen Wong had said to the media when commenting on the mass phishing scam.
OCBC had deployed more than 100 people working on fighting the scams. The bank said that its staff tried to shut down mule accounts but the fraudsters kept finding new mule accounts to pay the money into. The funds were automatically remitted overseas when overseas payees were added.
Unfortunately, it’s not easy to recover the funds once they have been transferred out of the victim’s bank account. OCBC said that the success of scammers hinged on them being able to obtain personal banking details from customers.
On Jan 19, OCBC made arrangements to fully reimburse customers who were victims of the recent scam. It said that it would fully reimburse the monies a week from its goodwill pledge. According to the bank, the goodwill payment started from Jan 8.
As of Jan 21, more than 200 OCBC customers have received their full payouts from the bank.
Risks of digital banking
When digital banking first came about, the idea of how individuals can make transactions with a simple click on the button from their smartphone or any other digital device was such a convenient experience that many threw their physical bank books into the storeroom without much consideration.
Nowadays, the ease of being able to check one’s account balance and make transfers digitally on a daily basis has become second nature to many.
Banking has indeed become seamless and easy without the need for physical tokens and the chore of heading down physically to transact at bank branches. But then we can’t help but feel that this fast progress and growth seen by digital banking over the past few years has become a double-edged sword.
We, the consumers, have let our guard down when it comes to internet alerts – be it in the form of emails or SMSes.
On top of the latest SMS phishing scam incident, online services have opened us up to cybersecurity risks and identity theft.
The replacement of relationship managers with automation – voice call or a bot to reply to your queries – has also led to another flaw: a lack of a personal banker relationship and no one you can turn to if a scam is happening to you.
How to stay safe
To guard against SMS phishing, OCBC provided some mobile banking tips to customers on its website.
It asked customers to observe the following to stay safe:
- Do not disclose personal banking details to unverified sites
- Mobile access to bank accounts should always be done using the official banking or payment app
- Key in the bank’s website address directly into the phone browser, instead of using a link
- Check that the website address is legitimate before submitting any sensitive account information
- Update your mobile phone with the latest security patches
- Use strong passwords for different websites and avoid reusing passwords
- Keep up-to-date with the latest tactics by scammers
Other banks sound their warning horns
Since the incident, other banks and financial institutions (FIs) have also been on full alert to warn users of SMS phishing scams.
On Jan 19, DBS Bank issued a warning to customers saying that scammers are “actively targeting” them via suspicious login alert messages. The largest bank in Singapore said in an alert on its website that those targeted will receive a fraudulent SMS claiming their account has been suspended.
Victims will be directed to verify their details by logging into a phishing website. People who click on the link will be redirected to phishing sites and they will be asked to fill in their username, password, and one-time PIN. The SMS is sent from a generic account, with SenderIDs including INFO, INFOSMS, Notice, and other variants.
DBS warned: “These phishing sites make use of various web addresses such as dbs-login6.com, online.webdbslistonline.com, etc. The scammer will exploit the stolen banking credentials to take over the victim’s Internet Banking account.”
“Go directly to https://www.dbs.com to ensure that you are on our website,” it said.
Singapore’s United Overseas Bank (UOB) also issued a similar warning on Jan 19 to customers. It added that it’s also collaborating with the police to stop the fraudulent use of the bank’s name and images.
Lessons for banks and consumers to learn from this episode
Who was wrong, who was at fault – we need to understand that such finger-pointing behaviour will not solve any problems, as all parties have to remain vigilant.
We have to be practical and note that OCBC’s gesture of goodwill to reimburse the money lost to victims may not continue in future if similar scams happen again.
There’s also no guarantee that other banks will reimburse consumers if they are scammed in related situations, as customers gave up their login details and OTP on their own.
Some industry observers have said that customers should take responsibility for the scams so that they will remain vigilant and cautious on fraudulent transactions. The observers think bank guarantees that cover customers’ scams and frauds will end up causing more fraud cases.
But as scammers get more sophisticated in conning people of their money – how can we say that consumers have to be the ones responsible if they are fooled into believing that the SMS alerts are genuinely sent via the bank’s channels?
We take a look at a few methods that can help improve the ongoing scam situation.
1) SMS spoofing remedies
One way we can put a stop to these SMS scams is to change the medium banks rely on to deliver alerts. Banks can consider stopping the use of SMS as a channel to authenticate actions.
The fact is that many free SMS spoofing tools are available on the market and that development is difficult to clamp down – even real and legitimate firms rely on them for their marketing campaigns. Scammers tap on simple Application Programming Interface tools to spoof customers and make use of the Sender ID function to mask their actual phone numbers.
Banks can come up with other ways to deliver the alerts so that these risks can be eradicated. Telcos can also do their part, by looking at whether they can offer any verification checks on operations on the SMS system.
In an attempt to fight the situation, banks now have to remove clickable links in SMSes or emails sent to customers.
This is a way to tackle the situation so customers will know not to click on links. However, this remedy only works for informed and savvy customers. It does not tackle the problem of bad actors continuing to send links to spoof the less educated or less vigilant customers.
2) New measures to boost digital banking security
In view of this pressing issue, Singapore’s central bank had stepped in to provide safeguards on Jan 19.
“The growing threat of online phishing scams calls for immediate steps to strengthen controls, while longer-term preventive measures are being evaluated for implementation in the coming months,” the Monetary Authority of Singapore (MAS) and the Association of Banks in Singapore (ABS) said.
MAS asked the banks and FIs to continue to work on more permanent solutions to combat SMS spoofing, including the adoption of the SMS sender ID registry by all relevant stakeholders. “MAS expects all FIs to have in place robust measures to prevent and detect scams as well as effective incident handling and customer service in the event of a scam.”
Other measures include having to set a default threshold of S$100 or lower for funds transfer transaction notifications and having a delay of at least 12 hours before the activation of a new soft token on a mobile device.
When there’s a request to change certain details, banks will also have to send a notification to the customer’s existing mobile number or email registered with the bank. A cooling-off period before implementation of key account changes like key contact details, as well as ramping up of frequent scam education alerts are the other strategies.
In addition, banks and FIs will be required to have dedicated and well-resourced customer assistance teams to deal with feedback on potential fraud cases on a priority basis. “Banks will continue to work closely with MAS, the SPF, and the Infocomm Media Development Authority (IMDA) to deal with this scourge of scams,” MAS and ABS said.
3) Snuffing out scams
At least for now, there’s one software solution that can block out scammers. A report on May 29, 2021 revealed that the ScamShield app has blocked more than 5,537 phone numbers and a total of 722,865 SMSes have been reported.
ScamShield is a government mobile app developed by the National Crime Prevention Council and the Government Technology Agency. It uses artificial intelligence technology to identify and filter out scam messages and send them to the phone’s junk filter. It also blocks scam calls from reported numbers.
Loan scams are the most common message scams reported on the app – accounting for 30 to 40 per cent of the total message scams. Illegal gambling and online casino betting are also notable common scam types scammers sent via SMS to trick users.
The government can consider deploying resources to create spin-offs from this deterrent tool to solve the latest SMS bank phishing problem.
This can be in the form of developing a platform that complements the existing ScamShield app, so that institutions can share phone numbers and malicious URLs. Urging more to come on board the ScamShield app is another way to keep the internet clean.
Another idea is to potentially phase out SMS service as a tool for 2FA. Companies can consider porting to in-app notifications and verification tools that are built on mobile apps or revert to physical token issued by the banks for large transactions.
In a decision to boost its banking security, OCBC reversed its plan to phase out physical tokens for e-banking. It had originally planned to phase out the physical tokens on its online banking platform by Mar 31 to transition to a fully digital authentication process.
Some banks have already phased out physical tokens – like Standard Chartered, DBS, and UOB. But customers can ask for a physical token at DBS and UOB if they want to.
Raising industry standards
In the UK, the reimbursement process is reviewed on a case-by-case basis. A bank can refuse to refund customers if it finds that you acted fraudulently or were “grossly negligent” – for example, if you shared your pin or password with someone else.
Even such a sophisticated banking system with centuries of banking experience has missed out on the crux of the matter – which is that scammers can impersonate the identities of victims and con them into their pins and passwords.
How can one whose identity is stolen be fully accountable for his or her actions?
Having said that, we must own up to the fact that reimbursing lost monies to victims of scam crimes is not the cure too.
When local banks continue to reimburse scam victims, it might lead to more foreign scammers targeting us. For some anti-establishment criminals, it is easier to target a company and not individuals and such behaviour justifies their cause.
Perhaps the words of a scam victim who has been through it sums it up. As OCBC scam victim John Paul Tan said: “We hope the bank can wrap up their investigations and we can then consider if any action is required.”
“Hopefully laws can also change to make sure banks are better equipped.”
Featured Image Credit: Vulcan Post, Reuters