Banking scams are wreaking havoc in Singapore and Malaysia, why?
For both businesses and consumers banking in the Singaporean and Malaysian markets, it is hard to miss the upsurge in financial scams over the last couple of years. The rise in financial data breaches has been very noticeable throughout the Asia Pacific (APAC) region since 2020, when pandemic-caused stay-at-home orders saw a wide swath of cybercriminals and fraud perpetrators come out of the woodwork to carry out phishing scams, malware and ransomware attacks, to name a few.
New data from Check Point Research points to rising incidents of scams targeting the banking sector globally, with banks “attacked on average 700 times every week during the past year, a 53% year-on-year increase in comparison to previous year”, according to Arthur Ng, the Country Manager, Malaysia, of Check Point Software Technologies.
The Check Point Threat Intelligence Report goes on to point out that all industries and businesses face the specter of cyber risk, but some sectors are more susceptible than others because they are targeted much more frequently. More frequent attacks mean a much higher likelihood of successful intrusions, which puts those sectors at much higher risk.
Of all industries, the financial and banking industry “stands out” for its broad attack surface for scams, not to mention the pull for bad actors because of how lucrative a successful scam or breach in this tightly regulated sector could be.
In the bigger Southeast Asian economies like Singapore and Malaysia, malicious actors are getting ever more creative and resourceful in duping unsuspecting consumers and workers at commercial entities. One example is email phishing campaigns that use social engineering tactics to mimic legitimate users, sending what might seem like genuine money transfer requests and requests for sensitive personal information.
Scams targeting OCBC banking accounts in Singapore rocked the island nation in late 2021 and early 2022, with a sharp rise in ‘smishing’ scams, which are phishing attempts carried out via SMS. Cybercriminals trick victims by sending SMSes purportedly from the bank claiming there are issues with their bank accounts or credit cards.
The SMSes would contain a link to a fraudulent website, disguised as a legitimate bank website, requesting banking information and passwords. At least 790 individuals were scammed into parting with funds, with losses of at least SG$13.7 million. This was despite OCBC's use of a Fraud Surveillance System (FSS), which managed to recover SG$8 million (US$5.95 million) worth of fraudulent transactions last year; OCBC was the first Singaporean bank to tap artificial intelligence and machine learning to combat financial fraud.
Meanwhile, major Malaysian bank Maybank has issued warnings to its customers about the new ‘SMSSpy’ campaign explicitly targeting Android users in Malaysia. The SMSSpy malware can view any SMS sent to the mobile phone, and so obtain the TAC numbers used to perform internet banking transactions.
These cross-Causeway SMS-based campaigns show how mobile-focused scams have become, with the majority of internet banking users in the region accessing their accounts from their smartphones. As can be seen, there is an array of mobile device attacks, and they can happen at all levels: malicious apps, network attacks, and exploitation of vulnerabilities between the mobile hardware and the operating system.
The threat surface affecting organisations in the region is also very broad, with the Check Point Threat Intelligence Report pointing out that an organisation in Malaysia was attacked 1,286 times per week on average over the past 6 months.
The study indicates that 87% of the malicious files delivered in Malaysia in the last 30 days arrived via email, underscoring how popular invasive email scams are. Other popular banking threats include disruptive Distributed Denial-of-Service (DDoS) attacks, which can swamp a system holding sensitive financial data and are often the base for a ransomware attack, as well as sophisticated attacks orchestrated by nation-state sponsored operators.
According to Check Point’s Malaysia Country Manager, getting a handle on such an expansive threat surface means a country like Malaysia needs to restructure its legislation. “The government, telecommunication providers and banks all have an active role to play in protecting the consumers. However, it does take a lot of time, planning and resources for these plans to come to fruition,” Ng admitted. “A long-term plan will require a multi-layered calibrated management. The good news is the banks and government have already started taking steps in the right direction to help with the situation.”
Already, Malaysian online banking is lessening its exposure to scams by protecting transactions with multi-factor authentication (MFA) and other layers of security, so that banks will be less reliant on notifying customers via less secure platforms like SMSes. Rather than exposing sensitive services and data to a third-party service provider like SMS systems, banks are fortifying their own protection perimeter so that control is back in the financial institutions’ hands.
To secure their networks and internal systems, it is vital for banks in the region to prevent future attacks by leveraging additional security solutions that are accessed via secured transaction gateways called application programming interfaces (APIs), which can help to further optimize security at the endpoints, sealing off both users’ devices and system software.
It is critical for banks to seize upon the available security measures sooner rather than later, as both transaction data and users’ personal, sensitive data are being exposed at an exponential rate in this part of the world.