Singapore smishing scams are a wake-up call for the financial sector
Consumers in Singapore recently found themselves in a sea of scams after several bank customers realized that funds were missing from their accounts. While SMS and phishing email scams remain common across Southeast Asia, this time the scammers made off with a large sum from numerous account holders.
The OCBC smishing scam (smishing is phishing via SMS) rocked the island nation in late 2021 and early 2022. Towards the end of 2021, the bank had already seen a sharp rise in the number of smishing messages impersonating it. Despite repeated advisories and warnings to the public, many still fell victim.
Cybercriminals trick victims by sending SMSes purportedly from the bank, claiming there are issues with their bank accounts or credit cards. The SMSes contain a link to a fraudulent website disguised as the legitimate bank website, which requests banking credentials and passwords.
In total, 790 victims fell prey to the scam, with losses of SGD 13.7 million. About 80% of the amount was lost during the year-end festive period of 23 to 30 December 2021. Over the Christmas weekend alone, 186 customers were affected and about SGD 2.7 million was lost in three days. While the bank is working with the Singapore Police Force's Anti-Scam Centre to help customers recover funds lost through these fraudulent transactions, once the money has left the customer's account the possibility of recovery is very low.
Since the smishing campaigns started making headlines in Singapore, the Monetary Authority of Singapore (MAS) has stepped in and released a set of new measures to bolster the security of digital banking. Both MAS and the Association of Banks in Singapore expect all financial institutions to have in place robust measures to prevent and detect scams, as well as effective incident handling and customer service in the event of a scam.
The measures coming into effect include:
- Removal of clickable links in emails or SMSes sent to retail customers
- The threshold for funds transfer transaction notifications to customers to be set by default at SGD 100 or lower
- Delay of at least 12 hours before activation of a new soft token on a mobile device
- Notification to an existing mobile number or email registered with the bank whenever there is a request to change a customer’s mobile number or email address
- Additional safeguards, such as a cooling-off period before implementation of requests for key account changes such as in a customer’s key contact details
- Dedicated and well-resourced customer assistance teams to deal with feedback on potential fraud cases on a priority basis
- More frequent scam education alerts.
Banks will also implement more permanent solutions to combat SMS spoofing, including the adoption of the SMS Sender ID registry by all relevant stakeholders. MAS is also intensifying its scrutiny of major financial institutions’ fraud surveillance mechanisms to ensure they are adequately equipped to deal with the growing threat of online scams.
While this smishing campaign focused mainly on Singapore, banks around Southeast Asia have experienced similar situations. In Malaysia, banks continue to remind users to be vigilant when clicking on links received via SMS. But SMSes are not the only problem.
Just like the smishing scams in Singapore, phishing email scams are reportedly among the most common cybercrime activities in the region, with both consumers and SMEs falling victim. Business email compromise (BEC), malicious emails, and smishing scams continue to wreak havoc on businesses in Southeast Asia.
Dealing with smishing scams in Singapore
Tech Wire Asia reached out to Kevin Reed, Acronis CISO, and Mark Goudie, APJ Services Director at CrowdStrike, to get their views on smishing and phishing campaigns in Singapore and on whether MAS's new guidelines might reduce such problems.
According to Reed, on Windows and macOS computers local malware often monitors for online banking sessions and then tries to inject its own transaction in the browser, or to swap the beneficiary account before the transaction is sent to the banking server. As for mobile devices, Reed pointed out that banks are fighting fake apps that pretend to be the bank's mobile app in order to harvest passwords and token access.
“Banks should stop relying on SMS completely as there are better authentication mechanisms, like mobile application pushes, and, of course, hardware tokens. SMS is not a secure channel for authentication. There have been many cases of SIM swap, where attackers manage to clone a phone SIM card, for example, by calling the telco provider and making up some social engineering story.
Even beyond this, the underlying protocols, such as SS7, have some weaknesses that have been exploited by attackers to reroute SMS. Hence, a better alternative – mobile apps or hardware tokens,” explained Reed.
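The two points above, the beneficiary swap performed by malware in the browser and the argument for app or hardware tokens over SMS, come together in one mechanism: a confirmation code that is bound to the transaction details. The following is an added illustration written for this article, not code from OCBC, Acronis or CrowdStrike. It contrasts a plain one-time password (RFC 4226 HOTP, which is what an SMS OTP typically is) with a code that a token or app computes over the beneficiary and amount the customer actually sees. The demo secret, counter and account identifiers are constructed for the example; in practice the secret lives in the token or the app's secure store and never travels over SMS or through the browser.

```python
import hashlib
import hmac
import struct

# Constructed demo secret; a real one is provisioned into the hardware token
# or bank app and is never exposed to the browser or an SMS channel.
TOKEN_SECRET = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")


def _truncate(mac: bytes, digits: int) -> str:
    """RFC 4226 dynamic truncation: pick 4 bytes of the MAC, reduce to N digits."""
    offset = mac[-1] & 0x0F
    code = (int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Plain HOTP: depends only on the secret and a counter.
    Nothing about the transaction is mixed in, so the code is equally valid
    for whatever transaction reaches the bank."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    return _truncate(mac, digits)


def transaction_code(secret: bytes, counter: int, beneficiary: str,
                     amount_cents: int, digits: int = 8) -> str:
    """Transaction-bound code ("what you see is what you sign"): the token
    displays beneficiary and amount to the customer and MACs exactly those
    values, so a swapped beneficiary produces a different code."""
    msg = f"{counter}|{beneficiary}|{amount_cents}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    return _truncate(mac, digits)


def bank_accepts_otp(secret: bytes, counter: int, submitted: str) -> bool:
    """Bank-side check for a plain OTP (no transaction details involved)."""
    return hmac.compare_digest(hotp(secret, counter), submitted)


def bank_accepts_bound(secret: bytes, counter: int, beneficiary: str,
                       amount_cents: int, submitted: str) -> bool:
    """Bank-side check that recomputes the code over the transaction it received."""
    expected = transaction_code(secret, counter, beneficiary, amount_cents)
    return hmac.compare_digest(expected, submitted)


def simulate(bind_to_transaction: bool) -> dict:
    """Customer approves 50.00 to ACCT_OK; man-in-the-browser malware swaps the
    beneficiary to ACCT_MULE before the request reaches the bank.
    Returns whether the tampered transaction is accepted, and whether the
    untampered one would have been (sanity check that the scheme itself works)."""
    counter = 42                      # constructed token counter
    intended = ("ACCT_OK", 5000)      # what the customer saw and approved
    tampered = ("ACCT_MULE", 5000)    # what the malware actually submits
    if bind_to_transaction:
        code = transaction_code(TOKEN_SECRET, counter, *intended)
        honest = bank_accepts_bound(TOKEN_SECRET, counter, *intended, code)
        swapped = bank_accepts_bound(TOKEN_SECRET, counter, *tampered, code)
    else:
        code = hotp(TOKEN_SECRET, counter)
        honest = bank_accepts_otp(TOKEN_SECRET, counter, code)
        swapped = bank_accepts_otp(TOKEN_SECRET, counter, code)
    return {"submitted_beneficiary": tampered[0],
            "honest_accepted": honest,
            "tampered_accepted": swapped}


if __name__ == "__main__":
    print("plain OTP:", simulate(bind_to_transaction=False))
    print("bound code:", simulate(bind_to_transaction=True))
```

With the plain OTP the bank cannot tell that the beneficiary changed, because the code it verifies says nothing about the beneficiary; the transfer to the mule account goes through. With the bound code, the value the customer typed was computed over ACCT_OK, so the request naming ACCT_MULE fails verification regardless of how the code was delivered. This is the property that SMS OTP lacks and that an app push showing the payee, or a hardware token with a display, provides; it also explains why a SIM swap or SS7 rerouting is so damaging when SMS is the second factor, since the intercepted code works for any transaction.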
Meanwhile, Goudie pointed out that while some phishing attempts are easy to spot and readily reported, others are less obvious as adversaries become more sophisticated in their methods. While the latest measures from MAS are expected to provide an additional layer of protection for consumers, Goudie commented that the onus is still on financial institutions to ensure that their operational processes and security measures are robust enough to prevent, detect and respond to cyberattacks in the first place.
Citing CrowdStrike's Global Security Attitudes Survey, Goudie said that organizations in Singapore named lack of resources (51%), disparate solutions (49%), legacy infrastructure (46%) and poorly performing existing solutions (41%) as the reasons they do not manage cybersecurity incursions and incidents faster. He added that organizations in Singapore take nearly double the time of their regional counterparts to contain and remediate a security incident (30 hours versus 19 hours).
"With adversaries rapidly advancing their tradecraft to bypass legacy security solutions, the combination of world-class technology, combined with expert threat hunters, is absolutely mandatory to detect and stop the most sophisticated threats, including phishing. We would advise companies to always remain proactive and adopt a robust cybersecurity posture at the backend to ensure existing frameworks remain secure."
With the Lunar New Year holidays approaching, there are concerns that cybercriminals will use similar methods to target victims. The Lunar New Year typically sees a high volume of transactions, as many users access their bank accounts or e-wallets to send "angpow" online.
Even with MAS's measures in place, cybercriminals always manage to find a way to stay one step ahead. For now, scams in Singapore will still happen, and educating the public on how to handle such messages and emails is probably the only way to keep the situation under control.