Association of Banks in Singapore (ABS) are working closely with The Monetary Authority of Singapore (MAS) to introduce a new set of rules to combat SMS Phishing scams. This initiative was started due to a large-scale phishing campaign targeting banking users in Singapore back in December 2021. According to Singapore Police Force, the OCBC phishing scam involved more than 450 victims and the total loss was estimated to be more than 8 million SGD.
It was identified that a social engineering technique (impersonation) was used to lure victims into thinking that the SMS was from a legitimate sender. A typical SMS scam usually contains some form of information that will create a sense of urgency and would require the victim to take immediate actions to resolve it by clicking on a hyperlink which is typically supplied in a phishing SMS. To an unsuspecting victim, the link contains a phishing site which looks identical to the real website and its goal is to steal their banking login credentials along with a one-time-passcode token. Figure 1 shows a real example of the phishing SMS incident that took place. Note that the OCBC SMS Sender ID was successfully spoofed, causing these phishing SMS messages to pop up on the same thread as the legitimate SMS messages from the bank. Many victims were misled into falling for the scam because of how realistic the text messages were, especially to those who are less tech-savvy such as the elderly or people who are unaware that such frauds exist.
Figure 1: OCBC SMS Phishing Scams
The victim would receive an SMS stating there were some issues with their account, this would cause a sense of urgency and would influence the victim to act by clicking on the provided link in order to resolve the issue as soon as possible. Once clicked, the link would redirect them to a phishing site that looked like a legitimate banking website. They will then request the login credentials for "authentication" purposes. However, what the victims is unaware of, is that when they submit their credentials, it is not actually being submitted for authentication, but instead, it was being sent to the criminals. What happens next is that the criminals can then use these login credentials to gain unauthorised access to the victims’ actual bank account. This inevitably results with the criminals being in complete control of the victim’s bank account, with the ability to transfer funds to destinations of the criminals choosing.
After the initial wave of attacks, banks in Singapore will collaborate with the Monetary Authority of Singapore (MAS) to introduce additional restrictive procedures for the next two weeks, including:
- Clickable links in emails or SMS messages delivered to retail customers would be removed.
- The default threshold for fund transfer notifications would be set to 100 SGD or lower.
- A cool off period of 12 hours would be set before a fresh soft token be activated on a mobile device.
- When a customer's mobile number or email address is requested to be changed, the bank will notify the customer through their existing mobile number or email address.
- Implement a cooling-off period before executing the requested changes for important data such as changing mobile number or email address.
- Set up a dedicated customer assistance task force that will deal with input on potential scam cases.
- Scam education alerts will be sent out more frequently.
Banks in Singapore are also teaming up with Infocomm Media Development Authority (IMDA), the Monetary Authority of Singapore (MAS), as well as Singapore’s local law enforcement to combat the growing threat of online scams. This involves developing more permanent solutions to prevent SMS spoofing, including the adoption of SMS Sender ID registry by all relevant parties such as government agencies as well as financial institutions. Furthermore, the Monetary Authority of Singapore (MAS) is also scrutinising major financial institutions to ensure they are well prepared against the rising threat of online frauds.
It is also recommended to install the ScamShield app that will filter unsolicited messages and calls. ScamShield compares incoming calls against the database of the Singapore Police Force to check whether the number has been used for illicit purposes before deciding whether to block it. The app also uses Machine Learning algorithm to filter scam SMS messages and group them in a junk folder that will be sent to the Singapore Police Force to keep their database updated. (Note that the ScamShield app is only available for iOS devices at the time of writing).
Bear in mind that scam tactics are always evolving, and cyber criminals will continually come up with new ways to avoid detection. Therefore, as a good rule of thumb, you should never open a link in an SMS or an email without verifying the authenticity of the information. If you have any doubt, please do not open the link. Instead, you should contact the bank (or service) directly to verify the authenticity of the message you have received.
https://www.channelnewsasia.com/singapore/sms-clickable-links-reviewing-use-smart-nation-scams-phishing-government-agencies-2450941 https://www.mas.gov.sg/news/media-releases/2022/mas-and-abs-announce-measures-to-bolster-the-security-of-digital-banking https://www.ocbc.com/group/media/release/2021/ocbc-sms-phishing-scams https://www.police.gov.sg/media-room/news/20211230_police_advisory_on_phishing_text_messages_targeting_ocbc_bank_customers https://www.straitstimes.com/tech/tech-news/all-government-agencies-to-be-on-anti-sms-spoofing-registry https://www.zdnet.com/article/singapore-pushed-to-introduce-security-measures-amidst-online-banking-scams/