Scams. Beware of phishing scams; SPF’s Anti-Scam Centre (ASC) co June 2019; Solutions? Banks improving their online banking security; 470 people cheated by phishing scams in Dec 2021; Retirees on government pension; Invest your money safely and wisely; Where? ==== Money laundering; $3 billion money laundering case in Singapore by foreigners;

=========

Be cautious about scams.

Don’t keep all your money in one bank account. It’s like not putting all your eggs in one basket.

Have different bank accounts with various banks, and make sure your bank accounts are not connected.

Think about having a separate/standalone bank account with a low balance, especially for online buying or selling and making payments to others.

In a recent parliamentary session, there was a suggestion that if a person falls victim to a scam, the person should be responsible for up to S$100 of the loss, with banks and telcos covering the rest.

This could lead some dishonest people to team up in cahoots with scammers to cheat the system and share the stolen money from scams.

However, no bank or telco will support this idea blindly. They might recover the scam losses by increasing bank charges for everyone, causing problems of common misery for all.

It seems like this proposal was not well thought out or conceived.

Was it just to gain popularity or voters’ attention? Be cautious and watch out for dishonest people – there are many charlatans around in town, both in and outside Parliament, and some could act as hidden advisors/consultants to the MPs.

==========

Forum: People may lower guard if liability for scam losses is limited to $100.

UPDATED 9 HOURS AGO on 16th Jan 2024 in ST Forum.

I agree with Aljunied GRC Member of Parliament Gerald Giam that stronger actions are needed to protect Singaporeans from scams, failing which the efforts of the Smart Nation movement may come to nought.

Victims of scams come in all ages. If young and technology-savvy Singaporeans are being conned, the older generation may be sceptical about using technology and hence will not be receptive to empowering themselves digitally.

Some of my older family members and friends have opted out of transactions involving digitalisation platforms and would rather be inconvenienced than be at risk of being scammed.

But I do not agree with Sengkang GRC MP Jamus Lim’s suggestion that victims of scams should bear no more than $100 to $500 in losses, with banks and telcos bearing the rest of the costs instead (S’pore launches new app guidelines to secure online transactions, Jan 10).

While I empathise with scammed victims on their losses, taking this step may only embolden the scammers who may feel less guilty about scamming victims.

Once we know the maximum amount that we will bear in a scam can be a mere $100, we may feel we do not need to be fully alert when we do a digital transaction.

We read reports that some victims of scams have bought or invested in products whose prices or claims are often too good to be true.

The financial institutions and telcos have no moral responsibility or obligation to compensate victims fully in such scams.

Family members must play an active role in advising their elderly parents or relatives to be extra alert when doing an online or digital transaction.

I too, like many Singaporeans, worry about being a victim of a scam. While I hope that banks and telcos will compensate me as much as possible if I am scammed, I know that the ultimate responsibility still rests with me.

Foo Sing Kheng.

===========

No bank can eliminate greed and carelessness of their customers from becoming scam victims.
Do not keep all your eggs in one basket.
Open an independent standalone account with another bank not linked to your other bank accounts. Keep the balance in this standalone bank account very low, and use it for buying or selling things online, and for making payments to others.
Have a standalone credit card with another bank, and do not link it to any of your bank accounts.
The weakest link is the SIM card, if it can be remotely stolen for use in another mobile phone without stealing your mobile phone or SIM card.
============

At least 180 victims lost $2.6m in December to social media job offer scams

Victims are given a link to a fake TikTok website to complete advanced tasks, and are shown fake contracts to agree to. PHOTO: SINGAPORE POLICE FORCE
Sherlyn Sim
UPDATED 8 JAN 2024, 9:50 PM in Straits Times.

SINGAPORE – At least 180 people lost about $2.6 million in just one month after taking up fake job offers from conmen who later convinced them to transfer large sums of money in return for easy profits.

The victims got the unsolicited job offers from the scammers in December 2023 after being added to chat groups on messaging platforms like WhatsApp and Telegram.

They were then asked to get on social media platforms and perform specific tasks to earn a commission, the police said on Jan 8.

The tasks included following the TikTok or Instagram accounts of social media influencers, subscribing to YouTube channels and videos, or “liking” songs on Spotify.

“In some cases, scammers may also claim to represent TikTok or online communications and marketing companies when they approached victims with job offers.”

After completing the tasks, victims got a small commission, and were persuaded to complete more tasks in return for more money.

These tasks included getting the victims to create accounts on fake websites, and making them transfer large sums of money to bank accounts or cryptocurrency accounts provided by the scammers, with the promise of better returns.

In some cases, the conmen even offered victims fake employment contracts.

“Victims would only realise that they had been scammed when their website account showed a negative account balance, and they were told to pay additional funds in order to upgrade their accounts or when they failed to withdraw their earnings,” the statement said.

Victims said the conmen sent unsolicited WhatsApp or Telegram messages telling them they had won a prize and would get a commission when they completed tasks such as “following” an account on Instagram.

Victims were then added to chat groups where they got instructions to get active on social media sites or transfer cash under the pretence of investment opportunities.

The ruse involves victims getting unsolicited job offers from scammers after being added into chat groups. PHOTO: SINGAPORE POLICE FORCE

The police said members of the public need to guard against such scams by using the ScamShield app, enabling security features such as setting transaction limits for Internet banking, and setting up two-factor authentication.

Two-factor authentication is an extra layer of security that users can put in place before logging in to an online account or making an online transaction. It is usually a random code sent to a mobile device or a token.

Users should check if the offer is a scam by referring to official sources like the Anti-Scam Helpline or the Scam Alert website.

The police said: “Always verify the authenticity of job offers through official channels or sources, and do not accept dubious job offers that offer lucrative returns for minimal effort.

“Do not engage or believe claims made in any messaging app group chats that you are randomly added or invited into, and do not click on suspicious URL links or download apps from unknown sources.”

Anyone who gets such messages can lodge a report using tools available on the WhatsApp and Telegram applications.

Singaporeans who have details on scams or have doubts about the veracity of messages can call the police hotline on 1800-255-0000 or go to http://www.police.gov.sg/iwitness.

If in need of urgent police assistance, they can call 999.

More information can be found on http://www.scamalert.sg. Individuals can also call the Anti-Scam telephone hotline on 1800-772-6688.


=============

Over 500 scam victims filed claims in bid to recover losses from banks

The scams were not new yet the victims still fell for them because many failed to take note of the regular and widely publicised police advisories. ST PHOTO: GIN TAY
Tan Ooi Boon
Invest Editor
PUBLISHED 7 JAN 2024, 5:00 AM SGT in Straits Times.

The scams that continually plague people in Singapore have resulted in a whopping increase in claims filed against banks as some victims seek to recover their losses.

The Financial Industry Disputes Resolution Centre (Fidrec) received 509 fraud-related claims that were mostly filed against banks from July 2022 to June 2023 alone – a 95 per cent jump from the 261 cases heard in the same period in its previous financial year.

=============

Scams are like cockroaches, they keep evolving; let’s do more to ensure digital safety: Tin Pei Ling.
A motion on building a safe digital society will be debated in Parliament on Jan 9. ST PHOTO: GIN TAY
Zhaki Abdullah and Jean Iau
UPDATED 7 HOURS AGO on 9th Jan 2024 in Straits Times.
SINGAPORE – After an elderly resident in MacPherson fell prey to an investment scheme supposedly endorsed by then Senior Minister Tharman Shanmugaratnam, he nearly lost several thousand dollars in fraudulent credit card charges.
But after approaching his MP Tin Pei Ling for help, the man managed to get the charges waived with his bank’s help.
The man had only a “few hundred dollars” in his savings account, almost half of which he had invested in the fake investment plan, the MacPherson MP said.
Following this and other reports of residents continuing to fall for scams despite attempts to raise awareness about common scam tactics, Ms Tin told The Straits Times more needs to be done.
Ms Tin – who chairs the Government Parliamentary Committee (GPC) for Communications and Information – has, together with four other MPs, filed a motion on building a safe digital society. It will be debated in Parliament on Jan 9.
“We may not be able to totally stamp out such risk or threats because they’re like cockroaches; they somehow just keep evolving. But if we can do more, and everyone (is) willing to take on a larger share of the responsibility, we probably can protect more people, and reduce the harms or the damage to the ordinary citizen,” said Ms Tin in a phone interview with ST on Jan 8.
The other MPs who filed the motion are Ms Jessica Tan (East Coast GRC), Mr Sharael Taha (Pasir Ris-Punggol GRC) and Mr Alex Yam and Ms Hany Soh (Marsiling-Yew Tee GRC). They are also part of the GPC.
Ms Tin noted that while Singapore continues its journey to digitalise, she and her fellow MPs have observed challenges, including scams, that undermine the public’s confidence and trust towards digital transactions.
Aside from the resident who fell victim to the fake endorsement using Mr Tharman’s name, Ms Tin recounted how she was notified about a man pretending to be her brother on Telegram to get people to invest in a fraudulent scheme. She filed a police report, and the account and group were shut down.
In recent years, the authorities have introduced several measures to counter such scams. On Jan 5, it was announced that mobile phone users can approach their telcos to block all international calls, the first of a number of anti-scam measures to come in 2024.
Ms Tin said the MPs have made 13 calls to action, which she will reveal during the debate.
Shedding some light on what this entails, she said: “We are trying to push the Government to do more… to lead in some of the areas, in terms of getting corporations and private entities to share more information, for example, to be more transparent with their products and offerings, so that we can be more prepared for some of the risks of scams (or) malware.”
Ms Tin added that these corporations should also pull their weight and take on a more equitable share of the responsibility in terms of detection, deterrence and protection.
Finally, she urged members of the public to work together to promote greater awareness, and educate and empower vulnerable segments of the population, so that they will not be disadvantaged as Singapore progresses digitally.
“It’s also about what kind of desired environment we want to see in the digital world,” said Ms Tin, noting that in the real world, Singapore is relatively safe.
She added: “We talk about being inclusive, we say we should be kind and respectful to one another, (but) can we also do the same online?”

================

Over $200m recovered by Anti-Scam Centre; new command targets scammers before victims make report

The ASC has frozen more than 27,300 bank accounts and recovered more than $200 million since its inception in June 2019. ST PHOTO: ALPHONSUS CHERN

SINGAPORE – More than $200 million has been recovered by the Anti-Scam Centre (ASC), with the police now targeting scammers even before people realise they have fallen prey and make a report.

At the Police Workplan Seminar on Tuesday (April 26), it was revealed that as of last month, the ASC has frozen more than 27,300 bank accounts and recovered more than $200 million since its inception in June 2019.

But while fund recovery remains a key function, anti-scam operations will now focus on upstream interventions, dismantling scam operations before victims even realise they have fallen for a scam.

Each of the seven police land divisions across Singapore now has its own Scam Strike Team comprising hand-picked officers who are experienced and specialise in fighting scams. This was revealed at Tuesday’s seminar.

The teams are dedicated units that target money mules and runners here, working closely with their colleagues and overseas counterparts to tackle and solve syndicated and transnational scam cases.

The Anti-Scam Centre was set up as a specialised unit under the Commercial Affairs Department (CAD) in 2019.

Last year, the Anti-Scam Division was formed, reorganising and consolidating all scam-fighting units under the CAD.

The division was expanded last month to become the Anti-Scam Command, which brings together all scam-fighting units across the entire Singapore Police Force.

The new command sees coordinated anti-scam operations boosted by technology that can detect and automatically alert potential scam victims even before they become prey to scammers.

When victims make a police report, it will be scanned for online monikers, websites and advertisements linked to scam activities.

These will then be taken down with the help of online marketplace platforms and telecommunication companies.

In his speech at the Police Workplan Seminar, Minister for Home Affairs and Law K. Shanmugam said scams remain a key concern, with cases rising 52 per cent over the past year.

“The police force is reorganising its resources to tackle new crime trends,” he said.

“The Anti-Scam Command consolidates investigation of all types of scams into one unit, and oversees the newly formed Scam Strike Teams in the land divisions. That will help in better sense-making, more effective crime prevention, and a faster response against scams.”

Speaking to the media, the director of CAD, Mr David Chew, said the new command partners with over 60 institutions, including local and foreign banks, non-bank financial institutions, cryptocurrency houses and remittance service providers.

Mr Chew introduced representatives from four such partners during a media session on the seminar.

They were from Standard Chartered Bank, Singtel, cryptocurrency platform Coinhako and gaming firm Razer.

Mr Chew said building close working relationships with such institutions was critical for the Anti-Scam Command to swiftly freeze accounts, recover funds and reduce losses suffered by victims.

He said the command will continue to work with banks and fintech companies to develop systems that use artificial intelligence to identify and block suspicious transactions.

Currently, only DBS Bank has a staff member co-located at the Anti-Scam Centre in the Police Cantonment Complex.

It was previously reported that both OCBC and UOB banks have plans to soon also have staff members working from the centre.

Mr Yap Jee Hoe, head of client diligence and fraud risk management at Standard Chartered Bank, said it is committed to fighting scams and it too will send a staff member to the centre.

“We remain strongly committed to protecting our customers, and to do so we have to be part of this anti-scam ecosystem,” he said.

“I do hear a lot of stories from scam victims, and it’s quite painful. I feel for them.”

He added that the partnership with the new command has proven fruitful.

Mr Yap said that just last month, the partnership enabled them to help a bank customer recover close to $300,000 which was almost lost to scammers.

“The victim was of course, very grateful,” he said.

“We hope other players will come on board to also partner the Anti-Scam Command and to further raise awareness of scams so that everyone is protected.”

==============

Can one activate it when the bank account has been taken over by the scam criminals, who have replaced the phone number, the email address, etc, to those of their own?
==========
Forum: Effective bank account kill switch must not be difficult or tedious to activate
PUBLISHED 6 HOURS AGO on 24th Feb 2022 in ST Forum.
We thank Mr Lam Jer Wei for his letter (Current phone activation process for OCBC ‘kill switch’ requires too little information, Feb 21).
We would like to clarify the intent and the process of activating the kill switch by calling the bank.
The kill switch is for use only in an emergency, such as a fraud or scam.
An effective kill switch must not be difficult or tedious to activate, and must halt an operation as quickly as possible.
In an emergency, when a customer’s bank account has been compromised, time is of the essence to quickly block the account from fraudulent transactions.
Customers are very anxious at that moment. The information needed to activate the kill switch upon calling the bank’s official contact number would therefore need to be easy to retrieve or remember.
Adding verification layers by having staff ask questions about the customer’s name, date of birth and banking relationships would slow the process tremendously.
Personal bank account log-in information such as passwords, PINs or credit card CVV security numbers are never asked for over the phone.
Once the emergency kill switch is activated, a follow-up call will be made soon after by a bank customer service executive to ensure that it was activated by the actual bank account holder and was not an act of mischief.
The customer service executive will help the account holder to remove any compromised bank account access or cards, issue new ones, deactivate the kill switch and restore accounts.
If a customer prefers to speak to a bank staff member about a compromised bank account, there is an option to do so after calling the bank’s official contact number.
This option would take longer as the staff member will first have to validate the customer through the usual authentication process.
There are other ways to activate the kill switch – via OCBC Bank ATMs or by visiting any OCBC branch.
Dennis Lee
Head of Risk and Prevention
Consumer Financial Services Singapore
OCBC Bank
=============

Hope the SPF’s anti-scam centre will set up an email address for the public to give immediate feedback to alert/inform the police of an ongoing crime in progress by criminals using phishing [fishing] scam methods.
Speed and time are of the essence.
==========
Internet scams…phishing [fishing] scams.
Banks should also set up an Internet email address for victims to reach them fast.
Phone lines will be jammed.
=================
Nearly $1 billion lost by scam victims in Singapore since 2016
Wong Shiying
UPDATED 9 MINS AGO on 29th Jan 2022 in Straits Times.
SINGAPORE – The recent phishing saga involving customers of OCBC Bank has highlighted the epidemic of scams in Singapore, where victims have lost more than $965 million in just over 5½ years, checks by The Straits Times showed.
Scammers pocketed a record high $268.4 million in total in 2020, a figure Home Affairs and Law Minister K. Shanmugam revealed last year in a written response to a parliamentary question on scams.
It was nearly triple the $89.7 million stolen in 2016.
The authorities have acknowledged the difficulties in tackling the problem – many of the perpetrators are based overseas, and when the monies have been transferred, recovery has been hard.
But the police have had some success.
Their Anti-Scam Centre said that of the 7,400 scam reports it received in the first half of last year involving losses of more than $201.7 million, the authorities were able to recover $66 million.
Internet love scams have remained one of the most lucrative scams in Singapore since 2011.
The amount duped from victims has grown from $2.3 million in 2011 to $8.8 million in 2014 and $33.1 million in 2020.
Police said 90 per cent of the scams in Singapore had originated from overseas.
They added that they have worked closely with foreign law enforcement agencies to monitor and share information on emerging scams and conduct joint operations to cripple syndicates.
The police said that last year, the Anti-Scam Division (ASD) of the Commercial Affairs Department worked with the Royal Malaysia Police, Hong Kong Police Force and the police force in Taiwan.
“Sixteen transnational syndicates perpetrating job scams, Internet love scams and impersonation scams were busted,” the police said.
ASD oversees the Anti-Scam Centre.
Speaking to the media on Thursday (Jan 27), Deputy Assistant Commissioner (DAC) of Police Aileen Yap said the joint operations led to the arrest of 230 suspected syndicate members. DAC Yap is the assistant director of the Commercial Affairs Department’s ASD.
In Singapore, police also arrested and investigated more than 7,000 scammers and money mules last year.
Some are believed to have rented out their bank accounts to scammers or assisted them by carrying out bank transfers and withdrawals.
The Covid-19 pandemic has not slowed down the syndicates, with more victims falling for job scams, the Anti-Scam Centre said.
In the first six months of last year, there were 658 cases of job scams – a 16-fold increase from just 40 in the same period in 2020.
“Scammers are quick to adapt their tactics and scripts to keep up with the current climate.
“During the pandemic, scammers have impersonated government officials to phish for personal particulars from victims,” police said.
Criminologist Olivia Choy, from Nanyang Technological University’s psychology department, said financial and emotional stress triggered by the pandemic could have made people more vulnerable to scams.
“Such stressors can lead to poorer decision-making, and with more people going online for work and leisure, there is an influx of potential victims for opportunistic scammers,” she added.
Additional reporting by David Sun
Correction note: This article has been edited for clarity.
Six anti-scam principles to follow
The Home Team Behavioural Sciences Centre developed the 6S Anti-Scam Self-Protection Principles to help Singaporeans defend themselves against scams. They are:
Spot the signs – Recognise the tactics that scammers use.
Stop and think – Ask yourself or others if a statement, message or job offer could be true.
Slow down, don’t rush – Do not rush into providing your personal or banking details.
Speak to others – Check with others to verify the authenticity of a claim before doing anything.
Safeguard personal details and passwords – Never disclose personal information, even if the request appears to be legitimate.
Seek help – Talk to friends or family members for advice or support if you have been impacted by a scam.
Helplines
Anti-Scam Hotline: 1800-722-6688 (9am – 5pm)
National Care Hotline: 1800-202-6868 (8am – 12am)
Mental well-being
Institute of Mental Health’s Mental Health Helpline: 6389-2222 (24 hours)
Samaritans of Singapore: 1800-221-4444 (24 hours) /1-767 (24 hours)
Singapore Association for Mental Health: 1800-283-7019
Silver Ribbon Singapore: 6386-1928
Tinkle Friend: 1800-274-4788
Community Health Assessment Team: 6493-6500/1
Counselling
TOUCHline (Counselling): 1800-377-2252
TOUCH Care Line (for seniors, caregivers): 6804-6555
Care Corner Counselling Centre: 1800-353-5800
Online resources
scamalert.sg
scamshield.org.sg
ncpc.org.sg
mindline.sg
eC2.sg
tinklefriend.sg
chat.mentalhealth.sg

======

Be fast… speed and unobstructed feedback are very important.
=======
Forum: Police will review spam reporting under I-Witness
PUBLISHED FEB 24, 2022, 2:00 AM SGT in ST Forum.
Mr Cheong Tuck Kuan suggested making it easier for members of the public to report spam messages, such as through a single number (Make it easier to report spam SMSes, Feb 18).
As unsolicited spam messages may be sent by a range of entities, and for different purposes, there are different platforms for members of the public to report them so that the appropriate follow-up actions may be taken.
For spam marketing messages that are not crime-related, members of the public should directly contact the company concerned to ask to be removed from their marketing list.
Those who do not wish to receive telemarketing messages can also register their Singapore telephone numbers with the Personal Data Protection Commission’s Do Not Call Registry, and turn on the anti-spam features on their mobile devices.
Suspected scam calls and messages can be reported via the in-app reporting function of ScamShield, a mobile app which filters out scam messages and blocks unsolicited calls from scam-tainted phone numbers.
The information will then be forwarded by the National Crime Prevention Council to the Anti-Scam Centre for follow-up actions.
Information on spam messages related to criminal activity such as scams or unlicensed moneylending messages can also be shared via the I-Witness online portal (http://www.police.gov.sg/iwitness).
We will review how we can simplify the reporting under I-Witness.
Brenda Ong (Superintendent)
Assistant Director, Public Communications Division
Public Affairs Department
Singapore Police Force

=======

Your credit card number is everywhere when you use it to make a purchase…
Best is not to use it if one is paranoid.
=======
Forum: Not safe to let credit cards out of sight at restaurants
PUBLISHED 5 HOURS AGO on 25th Feb 2022 in ST Forum.
I refer to the article, “Time to ban asking for credit card details over the phone” (Feb 1), which describes the card verification value (CVV) as “to a credit or debit card what a security gate is to protected premises”.
I would like to highlight another practice that could also compromise the CVV – handing your credit card to the waiter for bill payment at a restaurant. Isn’t there a risk of the credit card details being copied?
Can restaurants be made to implement a system where the payment device is brought to the dining table? This is widely practised in Europe. If that cannot be done, then let us queue at the counter for payment. It is much safer than letting our credit cards out of sight.
Jacqueline Lim

======

What else is missing….Solutions?
Do we know that once you give your OTP, etc, to the criminals, your account is completely in their hands, under their control, and that you will not be able to give further instruction to deactivate your account or take back control of your account?
Do we know that once your account is out of your control, your phone number will be changed, and any warning messages will go to the criminals’ phone number, not yours any more?
You are completely cut off, and will be in the dark at the mercy of the criminals to cream off your money immediately?
=======
Forum: Current phone activation process for OCBC ‘kill switch’ requires too little information
PUBLISHED 4 HOURS AGO on 21st Feb 2022 in ST Forum.
To protect its customers, OCBC Bank recently implemented a “kill switch” which allows customers to freeze their accounts over the phone or at an ATM (OCBC customers can freeze accounts with ‘kill switch’, Feb 17).
While I commend the bank’s intentions, the process by which the kill switch can be activated over the phone seems flawed.
It currently requires either a 16-digit credit/debit card number or 10-digit ATM card number, and the customer’s NRIC number.
These are pieces of information that are collected by organisations such as telcos and insurance companies for bill payment purposes.
Given the number of data breaches that have occurred, it would be naive to think that this information is not readily available on the Dark Web.
Furthermore, unlike a password, a customer’s credit card number usually is not changed and his NRIC number remains constant.
The implication is that bad actors can essentially cause a nuisance by locking out account holders.
The freezing of accounts should be done only after securely authenticating a customer’s identity. If not, I hope OCBC will let customers opt out of phone activation of the kill switch.
Lam Jer Wei.

======

I refer to “OCBC introduces ‘kill switch’ to allow customers who have been scammed to freeze their own accounts” [Today, 16th Feb 2022].
Criminals of scams will try to open their own bank account/s with fake or stolen passport or i/c to avoid detection, and will use the account for one-hit only, and after that, they will disappear into the crowd untraceable.
Bank officers are not well-versed to detect a fake passport easily.
I would like to suggest the following extra protective measures:
a] use of passport to open a bank account must be supported by a work pass issued by the Govt. The Govt shall provide an App site for the banks to submit the details of the passport and work pass within two working days to detect fraud, if any;
b] use of i/c card to open the bank account, the banks must submit the details of the i/c within two working days to a Govt’s App site to detect i/c fraud or stolen i/c.
I hope these additional measures will help banks and the SPF to fight against scams.

=======

Fake bank accounts by criminals for one-hit only and disappear into the crowd.
They use stolen/fake passport or i/c to open bank account.
Solutions to stop this? How?

=========

$2m from OCBC scams recovered, 121 local bank accounts frozen: Desmond Tan

Overall, there were 23,931 cases of scams reported last year, of which 5,020 were phishing scam cases. PHOTO: ST FILE

SINGAPORE – The police have frozen 121 local bank accounts and recovered about $2 million lost by victims in phishing scams targeting OCBC Bank customers as at Sunday (Feb 13), said Minister of State for Home Affairs Desmond Tan.

Providing an update on the ongoing investigations into the OCBC phishing scams which took place last December, Mr Tan also said that about $2.2 million of victims’ funds have been traced to 89 overseas bank accounts.

“Many of the scam websites used in the phishing scams were hosted by web hosting companies based overseas,” said Mr Tan, who chairs the Inter-Ministry Committee on Scams (IMCS) set up in April 2020.

Specifically, at least 107 local and 171 overseas Internet protocol (IP) addresses were linked to the unauthorised access of the victims’ internet banking accounts.

He was replying to MPs Tan Wu Meng (Jurong GRC), Sitoh Yih Pin (Potong Pasir SMC) and Dennis Tan (Hougang SMC), who asked for an update in Parliament on the ongoing investigations into the OCBC phishing scams.

The police have commenced investigations into the local IP addresses linked to the scams and the owners of the local money mule accounts.

The police are also working with Interpol and foreign law enforcement agencies to investigate the beneficiaries of the funds transferred overseas and the hosts of the scam websites.

Mr Tan was not able to divulge more information as investigations were still ongoing.

But he noted that OCBC customers fell prey amid a sharp increase in the number of scams reported in Singapore.

Phishing scams involving SMSes that impersonated banks in Singapore have increased significantly, from 149 cases in 2020 to 1,021 last year. The OCBC scams were the largest case involving such fraudulent schemes.

Overall, there were 23,931 cases of scams reported last year, of which 5,020 were phishing scam cases.

MPs Ang Wei Neng (West Coast GRC) and Cheng Li Hui (Tampines GRC) asked for the number of similar scams reported over the past five years and if the police were well-resourced to tackle scam-related crime.

Mr Tan said: “The use of a combination of highly orchestrated tactics, involving spoofed SMSes appearing in the same thread as genuine messages from the bank and links directing victims to a scam website, as well as the large number of customers targeted in the OCBC scams, show that the threat is now significantly heightened.”

He also said that people aged between 20 and 39 formed the largest group of victims of phishing scams and those related to jobs, e-commerce, investments, loans, China official impersonation and fake gambling platforms.

The largest group of victims of social media impersonation scams and those involving Internet love and fake friend calls were those aged between 40 and 59.

Responding to a question by Associate Professor Jamus Lim (Sengkang GRC) about unauthorised transactions made on credit cards in the past year, Mr Tan said card fraud cases reported by major credit card issuers here to the Monetary Authority of Singapore made up less than 0.1 per cent of total credit card transactions.

Mr Tan noted that the police are extremely stretched, with officers trying to cope with increasing workload and expectations without a proportionate increase in manpower.

But the Anti-Scam Centre has frozen around 24,000 bank accounts suspected of being involved in scam activities and recovered about $160 million in scam proceeds since it was set up by the police in 2019.

The amount recovered included part of $17 million lost since 2020 to about 1,300 cases of phishing scams involving spoofed SMSes that impersonated banks here, added Mr Tan.

He emphasised that recovery of money lost to scams is difficult, adding that where such sums have been recovered by the police, it involved the help of financial institutions.

Mr Tan noted that the police will be forming an Anti-Scam Command this year to consolidate expertise in scams across all police units, thereby improving coordination of anti-scam enforcement and investigations.

The police use technology to automate manual work processes in their fight against scams, including the generation of electronic production orders to banks for the freezing of bank accounts associated with scams.

“This allows police resources to focus on critical investigations and enforcement work,” Mr Tan said.

The police are also using other technology, such as the ScamShield app, to crowdsource information on scam calls and SMSes.

Mr Tan said ScamShield – developed by the National Crime Prevention Council in collaboration with Open Government Products, a division of the Government Technology Agency, and the police – has been downloaded about 257,000 times to date.

About 3.7 million SMSes and calls have been identified as potential scams by the in-app algorithm and by user reports through the app, while about 15,500 phone numbers have been blocked.

“ScamShield picked up and filtered about 2,000 scam messages used in the OCBC phishing scams,” said Mr Tan. “Unfortunately, a lot more scam messages managed to reach the SMS inboxes of ScamShield users, mainly because they appeared in the same thread as legitimate messages.”

He said this gap will be plugged to counter spoofed SMSes.

While ScamShield is currently only available for iOS devices, Mr Tan said an Android version is planned to be released in the next few months.

The IMCS will step up public education efforts on scams. For example, it has started working with the Agency for Integrated Care, the Ministry of Education, the Ministry of Manpower and MoneySense to educate seniors, students, migrant workers and professionals on scams.

.

OCBC introduces ‘kill switch’ to allow customers who have been scammed to freeze their own accounts

Once the kill switch is activated, no transactions – whether done digitally, via an ATM or at branches – can be made, said OCBC.
  • A kill switch feature has been rolled out by OCBC bank 
  • It will allow bank customers to freeze their own accounts if they suspect they are victims of fraud
  • Once the kill switch is activated, no transactions can be made, whether they are done digitally, via an ATM or at bank branches
  • It can only be deactivated by an OCBC bank employee

SINGAPORE — Customers of OCBC bank will now be able to freeze their own accounts by activating a “kill switch” if they believe that they have fallen victim to a scam.

The bank said in a press release on Wednesday (Feb 16) that the kill switch will “immediately freeze” all of the following:

  • Cash withdrawals and deposits, including salary credit
  • Incoming and outgoing funds transfers done here or overseas
  • Bill payments
  • Incoming and outgoing general interbank recurring order (Giro) transactions
  • Network for electronic transfers (Nets) transactions
  • Visa and MasterCard transactions using automated teller machine (ATM) credit or debit cards physically and digitally
  • Digital banking transactions, including on the OCBC Pay Anyone mobile application

A similar feature will be made available at all OCBC ATM machines by March.

“Once the kill switch is activated, no transactions — whether done digitally, via an ATM or at branches — can be made. Even recurring or pre-arranged fund transfers will be disabled,” OCBC said.

The announcement by the bank comes in the aftermath of a recent phishing scam that hit 790 OCBC customers who lost a total of S$13.7 million to the scammers.

The Singapore-based bank completed arrangements to reimburse all the victims with “goodwill payments” late last month.

The scam prompted Finance Minister Lawrence Wong to issue a ministerial statement on Tuesday that touched on the measures banks and authorities were mulling over to tackle the problem.

Among the measures that Mr Wong raised was the possibility of allowing bank customers to freeze their accounts without having to contact the banks.

HOW TO ACTIVATE THE KILL SWITCH

In its press release, OCBC outlined two ways customers can activate the kill switch in the event that they suspect they are a victim of a scam, or if they believe key account-related details have been otherwise compromised.

The first will require the customer to call OCBC’s official contact number at 1800 363 3333 or +65 6363 3333, if they are calling from overseas.

  • Press 8 to temporarily suspend their accounts
  • Enter their 7-digit National Registration Identity Card (NRIC) number followed by the hash key
  • Press 1 to confirm their NRIC number
  • Enter 16-digit credit or debit card number, or 10-digit ATM card number
  • Press 1 to confirm card number
  • Press 1 to confirm account and cards suspension
  • Press 0 at any time to speak with a customer service executive

The second method will require them to visit an OCBC ATM machine. Next, they will need to:

  • Login with an ATM/debit/credit card and personal identification number
  • Select “More Services”
  • Select “Suspend your accounts and cards”
  • Select “Confirm”

OCBC said that a customer service executive will contact the customer after the kill switch is activated to remove compromised bank account access or cards, and issue new ones.

“Only a bank branch employee or customer service executive can deactivate the switch — and would only do so after receiving duly verified instructions from the customer,” OCBC said.

Once the kill switch is deactivated, the customer’s account will return to normal and all settings before the account suspension — including Giro arrangements and future-dated funds transfers — will be reinstated.

Aside from the upcoming kill switch, OCBC said that it had already introduced on Jan 18 a dedicated fraud hotline for customers to seek assistance for incidents of suspected fraud through the bank’s official contact number.

  • Removing clickable links in all bank email and SMS messages sent to retail customers
  • Delaying by at least 12 hours before a new soft token can be activated on a mobile device
  • Lowering to S$100 or below the default threshold for sending transaction notifications to customers

In response to TODAY’s queries, United Overseas Bank (UOB) said that it is looking into rolling out a similar measure at its ATMs that will allow customers to freeze their accounts as well.

UOB did not give details on whether it will have a similar kill switch for customers, but said that customers can, at present, call a dedicated hotline to have their accounts frozen if they suspect they have fallen victim to a scam.

Other banks such as DBS and Maybank similarly said that customers may call their respective 24-hour hotlines to block access to their accounts.

DBS said that its debit and credit cardholders can already personally manage security access on their card accounts via the payment control features on its digital banking app.

These include:

  • Initiating an instant lock of their cards
  • Enabling or disabling online e-commerce transactions
  • Switching off or on the ability to make contactless and mobile wallet payments

“We are currently evaluating self-managed options that allow customers to block access to their bank accounts in the event that they may have been compromised,” DBS said.

“These options must be simple to use, and more importantly, minimise any disruptions to our customers’ scheduled payment arrangements (such as tax and Giro payments).”

Maybank said that it is exploring self-service options so that customers may react quickly in cases of suspected fraud.

.

=========

.

Police rescue suicidal victims, work with telcos and foreign counterparts to stop scams

(From left) Wise Asia-Pacific’s head of compliance for Asia-Pacific Genevieve Noakes, senior investigation officer Quek Kee Boon, Deputy Assistant Commissioner Aileen Yap and Assistant Superintendent of Police Teng Chin Hock. ST PHOTO: LIM YAOHUI

SINGAPORE – Concerned that a scam victim in her 50s was not taking his calls, senior investigation officer (SIO) Quek Kee Boon visited her home last month and noticed the distinct smell of gas coming from her apartment.

SIO Quek, who is from the police’s Anti-Scam Division (ASD), said the woman was so weak from inhaling the gas that she was lying on the floor when she opened the door.

She said she wanted to end her life because she was distraught over losing her life savings of $100,000 to scammers.

SIO Quek was relating the incident at a police media briefing on Monday (Feb 14) to explain how the police are tackling scams.

The ASD, which comes under the Commercial Affairs Department, coordinates the police’s anti-scam investigations and enforcement.

The woman was duped in a China officials impersonation scam.

SIO Quek said the woman had transferred the money while under stress as the scammers had claimed she was being investigated by the police in China over money laundering offences.

To prove her innocence, she was told she had to transfer all her savings into one of her accounts for investigation purposes. She was also instructed by the scammers to take a bank loan of $72,500.

It was a significant sum to the unemployed mother of two.

After instructing the victim to relinquish her one-time password, the scammer seized control of her bank account.

Recounting his visit to the woman’s home, SIO Quek recalled knocking persistently on her door until she finally opened it.

“She was lying on the ground, using a wooden pole to open the door. When I asked her what happened, she said she had turned on the gas (stove) to try to commit suicide,” he said.

The police contacted her family members about the incident and also offered her care support when she was discharged from hospital.

Since then, the police have recovered at least $70,000 and returned the money to her. Her condition has also stabilised.

SIO Quek said: “In extreme cases, scam victims can resort to ending their lives. I’m glad I could save her at that point in time.”

In 2021, there were 23,931 scams reported, a 52.9 per cent increase from the 15,651 cases in 2020.

Speaking to reporters on Monday, Deputy Assistant Commissioner (DAC) Aileen Yap said: “This is a life we saved but we are not sure how many we did not save.”

Between September 2021 and November 2021, the police conducted three islandwide anti-scam operations targeting money mules linked to job scams, which last year were the most reported scam type.

The operations led to the arrests of 135 individuals.

Another 141 were investigated for selling their bank accounts or relinquishing their Singpass credentials so syndicates could open bank accounts to siphon monies stolen in scams.

Last year, the police froze more than 12,600 bank accounts, recovering more than $102 million stolen in scams.

As part of enforcement efforts, the police also worked with telecommunication companies and online marketplaces to terminate more than 3,300 mobile lines and reported more than 17,300 WhatsApp lines involved in suspected scams.

The police also used technology to fight scams, launching Project Awakenings last December to identify and warn potential victims of investment scams by sending them targeted SMS advisories.

They also worked with foreign law enforcement agencies and raised awareness of scams among the public.

Police said scams last year constituted 51.8 per cent of overall crime, up from 42 per cent in 2020.

DAC Yap said the ease of online payment methods has made it more convenient for scammers to transfer money quickly.

She said: “Singapore has really become more vulnerable (to scams) with digital payments and enhanced communication channels such as Telegram and WhatsApp.

“It is extremely important for us to work together with various key stakeholders to halt the flow of money, whether it’s from a bank account, e-wallet or cryptocurrency account.

“We cannot emphasise enough that fighting scams is a community effort.”

.

One can activate [unlock] or deactivate [lock] the YouTrip mobile wallet debit card [card issued by Mastercard] via one’s mobile phone.
I hope this feature will be made available for credit cards, debit cards, ATM cards and manual tokens, so that they can be easily locked or unlocked via one’s mobile phone or computer.
.
============
.
Forum: Banking products need emergency stop feature
Published on 11th Feb 2022 in ST Forum.
I have a YouTrip mobile wallet debit card which is managed by the provider’s app.
Besides being able to top up the card and check my balance, I can also pause use of the card immediately. If I lose my card or there is any unusual transaction, I can freeze the card in a matter of seconds.
In the light of the spate of phishing scams, I wonder why this has not been implemented for all vulnerable banking products, starting with bank accounts and credit cards. All major retail banks in Singapore already have established websites and apps through which this could be implemented.
Such an “emergency stop” button is common for safety purposes in places of higher risk such as at petrol stations and near heavy machinery, for example.
In the financial space, such a function lets the user temporarily pause all transactions to prevent or minimise losses in fraudulent transactions while he tries to contact the financial institutions.
Daniel Tan Yong Nam

.

.

=========

.

I have gone back to using the manual token.
I also have separate ATM cards and use only one account for making payments or drawing cash at ATM. I keep the balance in this account low, very low.
Why?
The criminals have to steal my token, my mobile phone, ATM cards, and MacBook computer first. Can they? Unless they break into my house.
The digital token…they do not have to visit my house.
.
=======
.

Forum: Don’t assume customers need every digital banking feature

I agree with many of the points raised by Forum writer Lim Chong Teck (Limit digital transactions to just one bank account, Jan 26).

Banks should not assume that everyone wants or needs to use all of a bank’s many digital transaction features. This is especially so for features that allow for quick and easy payment or transfer of money out of the bank accounts.

In view of the recent scamming and phishing cases, banks should consider an opt-in feature in which account holders have to actively choose to opt in to a particular payment feature, instead of being accorded the feature by default.

One example is PayNow, which is fast and convenient. I tried to deactivate PayNow but it does not seem possible for account holders to do so.

Deregistering one’s mobile number from PayNow only makes it impossible for others to send money to you.

Scammers who have gained access to an account can still add a phone number, to receive money.

The convenience of digital banking transactions should be weighed against the risk involved, as no system is foolproof. Account holders should have the right to decide which features to enable.

Ng Seng Kiat.

.

==========

.

All about money.
Why do some lose their money easily while others do not? Causal factors?
Greed, ego and fear, but where do all these three stem from?
.
=======
.
Forum: Police take multi-pronged approach to combat scams
Published on 28th Jan 2022 in ST Forum.
We refer to Ms Yap Yong Xian’s letter, “No way to recall funds after job scam” (Jan 24).
On Nov 26, the police received a report from Ms Yap that she was scammed after responding to a job advertisement via Telegram. Upon receiving the report, the police froze the bank accounts suspected to be involved in the scam.
Investigations into Ms Yap’s case and related cases are ongoing.
Ms Yap asked about the role of the police in scam cases and the recovery of funds for victims.
The police adopt a multi-pronged approach to combat scams.
First, we have strengthened enforcement. The Anti-Scam Centre (ASC) was set up in June 2019 to disrupt scammers’ operations and mitigate victims’ losses.
Upon receipt of reports, the ASC works with local banks to freeze accounts suspected to be involved in the scams. However, it is difficult to recover money that has already been transferred to scammers, and even more so if it has been moved overseas.
Since 2019, the police have investigated more than 10,000 scammers, and bank account holders who relinquished their bank accounts to scammers or assisted scammers in conducting bank transfers.
The police also stepped up collaboration with foreign law enforcement agencies. Last year, nine transnational job scams were busted through joint operations with the Royal Malaysia Police and Hong Kong Police Force.
Second, the police partner various stakeholders to prevent scams. For example, we worked with the National Crime Prevention Council (NCPC) and GovTech to develop and launch the ScamShield app in November 2020.
Third, the police actively promote public awareness of scams. We have issued numerous advisories to warn the public against scams, and worked with NCPC on campaigns.
The majority of scams are perpetrated by overseas scammers. Such cases are difficult to investigate and prosecute as these scammers typically run sophisticated transnational operations and hide behind the anonymity provided by the Internet.
Solving these cases also depends on the level of cooperation from overseas law enforcement agencies, and their ability to track down the scammers in their jurisdiction.
A discerning public is the first line of defence against scams. We urge the public to always verify the authenticity of requests received.
Brenda Ong (Superintendent)
Assistant Director (Public Communications Division)
Public Affairs Department
Singapore Police Force
.

===========

.

OCBC phishing scam: Police say they rushed to take down fake bank websites, trace lost cash

Anti-Scam Division senior investigation officers (from left) ASP Lim Min Siang, ASP Felicia Seow and INSP Eric Low have worked on a variety of scam cases. (Photo: CNA/Calvin Oh)
28 Jan 2022 08:00PM (Updated: 28 Jan 2022 08:13PM) in channelnewsasia.com

SINGAPORE: Deputy Assistant Commissioner of Police (DAC) Aileen Yap remembers how in early December last year, reports on the OCBC SMS phishing scam started trickling in.

In that period, there were about one or two cases a day, said DAC Yap, assistant director of the Anti-Scam Division. Then in the days leading up to Christmas and beyond, the reports suddenly spiked.

“When all these reports came in, obviously there’ll be corresponding bank accounts (of victims),” Assistant Superintendent of Police (ASP) Lim Min Siang, a senior investigation officer in the division, told reporters during a briefing at the Anti-Scam Centre on Thursday (Jan 27).

“That’s where the sense-making deep dive has to be done. Considering that the reports just kept coming in, it’s basically a race against time.”

The police said on Dec 30 that at least S$8.5 million was lost in phishing scams involving SMSes impersonating OCBC that month, with at least 469 victims since Dec 1.

Between Dec 8 and Dec 17, 26 customers reported they had lost about S$140,000 to phishing scams, OCBC said. The attacks grew “aggressive” during the Christmas weekend, the bank said, with 186 customers losing about US$2.7 million from Dec 24 to Dec 26.

Victims received unsolicited SMSes purportedly from OCBC claiming that their accounts had issues, and that these issues needed to be resolved by clicking on a link.

They were redirected to fake bank websites that requested they key in their iBanking account log-in details. They then received actual notifications on unauthorised transactions in their accounts – which is when they found out they had been scammed.

ASP Lim Min Siang wants the public to know that once victims’ money goes out of Singapore, it is likely gone. (Photo: CNA/Calvin Oh)

ASP Lim said on Thursday that the priority for officers was to take down the phishing websites. The ongoing investigation into the OCBC scam is being handled by officers from the Criminal Investigation Department (CID).

“Basically for the scammer, it’s very easy, they cast the net (wide),” he said. “So the idea (for us) is to take down the link as fast as possible, and prevent such links from being activated again.”

The other urgent task was to trace the lost cash, he said, pointing out that the money will be routed through several accounts to evade detection.

“Once the funds go to X account, it will definitely go to Y and Z, so there’s also this race to trace it down and try to recover as much as possible,” he added. “Because once the money goes out (of Singapore), it’s usually very challenging to get it back.”

The police have successfully recovered cash that was transferred overseas, but this is not a guarantee, especially as some jurisdictions could require victims to go through complicated and expensive legal processes.

Assistant director of SPF’s Anti-Scam Division DAC Aileen Yap speaking to the media. (Photo: CNA/Calvin Oh)

Even if the money stays in Singapore, DAC Yap said tracing it is “not a very easy job”. She highlighted that scammers would break down the funds into smaller tranches, and distribute these across multiple bank accounts.

This is why a key strategy for the police is to freeze the bank accounts of suspected money mules as quickly as possible.

On Dec 26 last year, which was a Sunday, the police worked with the banks to trace the money lost in the OCBC scam, DAC Yap said, although she acknowledged that bank employees were not legally obliged to come into the office that day.

“You know, it’s Boxing Day after Christmas, so there are post-Christmas sales,” she said. “At the end of the day, everything (the banks did) was out of goodwill.”

An OCBC branch in Singapore. (File photo: iStock)

ASP Lim said the banks could also have their own challenges, and these could affect police investigations.

“Because if we want to have some information and they’re unable to give, or they take time to give, then that will also prolong the analysis and the investigation,” he said.

While DAC Yap said the local banks were committed to providing information and gave “a lot of support”, some of the money had gone elsewhere.

“So, that is when the lead sort of died. The information on where the money went to subsequently came in much later. By then, all the money would either be withdrawn already or went to other countries,” she said.

“Our role at that point of time is really on fund recovery, up till now also. But the entire investigation is still ongoing. (We are) not giving up yet, because we can see our CID colleagues working very hard on this.”

The Anti-Scam Centre in the Police Cantonment Complex is the police’s nerve centre for investigating scam-related crimes. (Photo: CNA/Calvin Oh)

ASP Lim said officers definitely felt “overwhelmed” when the OCBC scam reports came flooding in, but stressed that they remained “professional”.

“When all these cases are happening, we are all here,” he said, referring to the Anti-Scam Centre, a low-ceilinged room with workstations and multiple TV screens that is the police’s nerve centre for investigating scam-related crimes.

“We are away from our family, friends and what not. But we have a job to do, so we just do it to the best of our abilities and try to at least prevent more victims from suffering from scams, or the victims from suffering even more losses.”

Source: CNA/ic

.

===========

.

I have gone back to activating and using my manual token. It was replaced two days ago at the bank branch.
However, I have noticed that the digital token system is still showing up in the accounts even though I have a new manual token.
.
======
.
Forum: Limit digital transactions to just one bank account
Published on 26th Jan 2022 in ST Forum.
In their efforts to go digital, banks have used carrot-and-stick tactics to get their clients to convert to digital banking.
But the digital banking platform is often a one-size-fits-all system.
For example, on one local bank’s digital banking platform, I have no choice but to link all my bank accounts in that bank, including all joint accounts with my name on them. I can perform any digital banking transaction on any of my bank accounts using my smartphone with the same login information. This is dangerous.
The recent phishing scams targeting OCBC Bank customers show that scammers can empty out victims’ accounts in no time. Other settings can also be changed by scammers who have access to the online banking accounts.
Many people do not need to have digital access to their entire savings.
To prevent massive loss of money through digital fraud, the Monetary Authority of Singapore should make it a requirement for banks to have account holders designate only one bank account from which they can make digital payments.
Account holders should also be encouraged to keep only a small amount of money sufficient for short-term expenditure in this account.
They should be encouraged to place the rest of their savings in a separate bank account which does not allow any digital transactions.
Should an account holder need to move funds between a savings account and a digital payment account, he should be required to do it in person at an ATM or bank branch.
This would limit the amount of money lost should the account holder fall victim to a scam. Wealthier depositors could opt to open multiple bank accounts from which they could make digital payments.
Lim Chong Teck.
.

=======

.

‘It was like fighting a war’: OCBC group CEO on dealing with recent phishing scams

OCBC group chief executive Helen Wong said the decision to pay all customers their losses as a gesture of goodwill was made in early January and the bank has been doing so since Jan 8. ST PHOTO: JASON QUAH

SINGAPORE – In early December, staff at OCBC Bank started getting calls from frantic customers saying they appeared to be victims of a phishing scam.

As employees from Singapore’s second-largest bank worked to get to the bottom of this, more and more cases started popping up.

By Dec 30, nearly 470 customers had lost at least $8.5 million. Some had savings in the six figures wiped out.

“It was like fighting a war,” said OCBC group chief executive Helen Wong of the massive phishing scam that hit the bank.

The war escalated quickly as deposits drained from compromised bank accounts, even as bank staff scrambled to shut down transfers to mule accounts. “As we blocked the mule accounts, the fraudsters somehow managed to find new mule accounts for the money to be paid into,” said Ms Wong, in an exclusive interview with The Straits Times.

Describing the attacks which took place as “fast and furious” and well-strategised, she said some funds were immediately remitted overseas as the scammers had fraudulently added new payees abroad.

Police investigations are ongoing, and OCBC has said it will pay all victims their losses out of goodwill.

When the first phishing scams surfaced in early December at OCBC, there were only a few cases, but a team in the bank was already investigating this, said Ms Wong on Friday.

On Dec 3, the bank posted a security advisory on its website, warning customers of the phishing attacks. As more phishing websites were detected, the bank’s anti-fraud team alerted domain providers to take them down.

Further warnings were issued to customers, but the situation worsened in the days leading up to Christmas. The bank knew it had a crisis on its hands.

The fraudsters had picked a clever time to attack, when people were winding down for the Christmas holidays, with some victims travelling overseas and not paying attention to their accounts, said Ms Wong.

Between Dec 8 and 17, 26 customers lost a total of $140,000 to phishing scams sent by SMSes impersonating the bank.

OCBC issued text messages and pushed alerts to its one million customers to warn them of the attacks. A media advisory was also issued on Dec 23.

But over the Christmas weekend, another 186 customers fell prey, losing about $2.7 million.

A scam SMS from ‘OCBC’ bank. PHOTO: JOYCE FANG

While the bank’s front-line staff tended to victims, much more was going on behind the scenes to manage the crisis.

By Christmas, more than 100 people were working to fight the scams, operating round the clock.

Staff from various departments including fraud risk, and operations and technology teams, were deployed. Leave was cancelled and staff were recalled. Some who had retired were asked to come back to help, said Ms Wong.

Besides working to detect and stop the fraudulent transactions, there were staff who spent whole days just trawling through clients’ portfolios to check if there were any suspicious transactions, said Ms Wong, who meets her top management team every day.

With all hands on deck, the anti-fraud team managed to detect and stop suspicious transactions in more than 200 customers’ accounts.

“Some customers did not even know that their accounts had been hacked when our officers called them,” she said, adding that the team also managed to trace and recover some of the lost amounts. She did not reveal further details on this.

The bank’s hotline was jammed as worried customers called to make inquiries even though they did not receive the phishing messages. The volume of calls to the bank surged by 40 per cent, she said.

Staff from other departments were also deployed to help the call centre. Even so, some customers were unable to reach the bank in time.

“We feel very sorry about it, that they could not reach us promptly to report the scams. They do expect quick answers and assistance to stop the transactions that were occurring. And we fell short of their expectations and our own service standard,” said Ms Wong.

Apologising repeatedly during the interview at OCBC Centre, she said: “This truly bothers me. I feel truly sorry for the victims, and OCBC can and will do better. This is very important.”

Ms Wong, 60, became the first female chief executive to head a Singapore bank when she took over from Mr Samuel Tsien in April last year. The veteran banker was formerly the chief executive of HSBC in Greater China.

She said the decision to pay all customers their losses as a gesture of goodwill was made early this month, and the bank had been doing so since Jan 8.

By Dec 30, nearly 470 customers of the bank had lost at least $8.5 million, some with savings in the six figures wiped out. PHOTO: ST FILE

But there were several moral hazards the management team had to consider, which was why she did not announce it then.

One was whether customers might let their guard down, thinking they would get remediation if they were scammed.

The move could also invite alleged victims of past cases to call the bank now, when the focus was on the current scam.

And if scammers knew that banks in Singapore were willing to back their customers, would they focus more on Singapore banks, said Ms Wong, who felt that her decision could set a precedent for the banking industry.

With all that in mind, she said she still felt strongly about making good for the customers, knowing how many had lost their life savings. “I felt that we should help our customers,” she said.

Since early this month, about 30 employees have been on call to talk to victims of the phishing scams. Ms Susan Lim, 62, who retired as a bank teller in November last year, was one of several former employees who returned to help.

Ms Lim, who makes about 20 calls a day to update the victims on the situation, said: “I understand how the customers feel. They are all worried and want to get their money back. Even over the phone, I can sense how worried and stressed out they are. Some cry as they talk about their losses.”

As at Friday, more than 200 customers have received their full payouts from OCBC.

Last week, the Monetary Authority of Singapore said it expects all customers to be treated fairly and that financial institutions are expected to have in place “robust measures to prevent and detect scams as well as effective incident handling and customer service in the event of a scam”.

In a joint statement with the Association of Banks in Singapore, the regulator said banks in Singapore will have to put in place more stringent measures within two weeks to strengthen the security of digital banking, such as removing clickable links in SMSes or e-mails sent to retail customers. There should also be a delay of 12 hours before activation of a new soft token on a mobile device.

Ms Wong said OCBC has all seven measures in place. She will also beef up the bank’s customer service team and have a dedicated line for customers to report scams.

Among other things, the bank has also reduced the default daily limit for PayNow transactions from $5,000 to $1,000, and the amount allowed to be transferred per transaction has been reduced from the default of $1,000 to $200.

“We need to think how we can better anticipate a scam of this scale, speed and nature. We have to do better stress-testing, and also more drills,” she added.

She also hopes that the recent events will be a stark reminder to customers “to be very alert when handling their personal banking details”.

.

======

.

Is trustworthy a human weakness?
Is trustworthy bad? What is good and what is bad?
=======
.
S’pore is known as a trustworthy place, so why are there so many scams?
It may be precisely because Singapore has a high-trust society that it attracts scammers.
Jeremy Au Yong
Mobile Editor
In a way, spotting a scam is a bit like driving. Everyone overestimates their ability, and fatigue and stress make you worse at it. PHOTO: PEXELS
PUBLISHED 3 HOURS AGO on 23rd Jan 2022 in Sunday Times.
My friend – a highly educated digital native in her 30s – has the profile of someone most would expect not to be a victim of a scam.
And in fact, despite having lived in cities in Latin America and Africa that many Singaporeans would consider quite dangerous, she never even came close to getting scammed. Shot, yes, but never cheated.
Then she moved here.
It began last year when she wanted to start a crowdfunding campaign to help a friend with medical bills. She searched for the popular fund-raising website gofundme.com on Google, clicked on the link that popped up, and set up her campaign.
She shared it with a group of her friends and within days had successfully raised a few thousand dollars. So far so good.
When the time came to close the campaign, she went to close the site and was puzzled when the site wouldn’t let her log in.
She discovered to her horror that she never started a campaign on gofundme.com. In her haste to start the campaign, she had clicked on a link for a site that looked like it but had changed the name ever so slightly.
Further checking would reveal that Scamadviser, a scam-fighting website, rated that other crowdfunding site as “suspicious”, and said the site’s domain was registered with a company that has a high percentage of spammers and fraud sites. The site would also change its name a few months later.
(The silver lining is that this site did not disappear with all the money. It charged a fee nearly 10 times that of gofundme – but it could have been much worse.)
As you can imagine, there was some disbelief when she recounted this story. And victims of scams can tell you that compassionate understanding is not typically the general reaction to such tales.
How was it possible, people would ask, that she could have missed the incorrect name for so many days? And how did so many of her friends not point it out as well?
There are no good answers to questions like these. In hindsight, the ploy always seems so obvious.
In a way, spotting a scam is a bit like driving. Everyone overestimates their ability, and fatigue and stress make you worse at it.
One thing I learnt from that episode is that everyone can be a victim, including those who believe they are immune.
But I also hypothesise that being in Singapore had made her more susceptible to falling for the ruse.
It’s not that the incidence of cyber crime here is especially high when compared globally. It’s just that being in Singapore may have meant she wasn’t as vigilant as she should have been.
She got used to trusting people.
Powered by trust.
It can be tempting to think that it really would be foolish for anyone to trust anyone else at this point of human civilisation.
After all, almost since money had value, humans have been trying to dishonestly liberate each other of it.
History is littered with all manner of audacious hustles, and each time, people have demonstrated no lack of willingness to trust each other again.
People have sold bridges that do not belong to them; promoted investments to fictional tropical islands; and even convinced others that they are princes from a country that has been a federal republic since the 1960s. And yet, every once in a while, you will find a similar scam working again.
Ponzi schemes are a century old and one would argue society has really not developed any significant defences to it.
Most scams generally depend on some unchanging forces. Respect for authority, for instance.
Nearly all your Internet scammers present themselves as some sort of authority figure.
In the OCBC case, they were masquerading as the bank. In others, they pretend to be the police, your telco or, in this time of pandemic, the Ministry of Health.
I get at least two calls a day from a recorded voice claiming to be from the health ministry, imploring me to press 3. I spend more time on the phone with the “press 3” woman than my own mother.
After establishing some sort of authority, the scammer’s other move is to create a sense of urgency.
Maybe they tell you about a Covid-19 infection or a bunch of unpaid bills, maybe it’s a pile of gold in some vault that is about to be confiscated – whatever it is, if you don’t act soon, you’re going to lose out on something good or have something bad happen to you.
The difference between your pre-Internet scams and your more modern ones is the scale. While in the past, scammers could seriously cultivate one target at a time, these days, scammers can hit millions of people at the click of a button.
That means the swindle can be a bit cruder. It doesn’t matter if nearly everyone rejects it. All they really need is a small number of gullible people to bite.
And as the notorious showman and grifter P.T. Barnum famously said: “There’s a sucker born every minute.”
For the record, it is likely he never said this. Some people claimed he did and a bunch of people did not bother to verify it.
And that brings us back to trust, which is really what underpins all these scams through the years. Though methods and the ruses have changed, trust hasn’t changed much at all.
As author Amy Reading noted, the capacity for gullibility “is unchanging over time because it is a function of how we are programmed, by biology and culture, to take in the external world. Any of our tools of empiricism, which generally hold us in pretty good stead, can also be used against us”.
She was talking about Americans, but that also starts to explain why Singapore, despite being a high-trust society, can’t seem to rid itself of the scam problem.
The Canadian paradox
Former Bank of England regulatory economist Dan Davies argues that it is precisely the high-trust societies that tend to become the hot spots for fraud.
In his book about financial crimes, Lying For Money, he calls it the “Canadian paradox”.
He writes: “Why is it that the Canadian financial sector is so fraud-ridden that Joe Queenan, writing in Forbes magazine in 1985, nicknamed Vancouver the ‘Scam Capital of the World’, while shipowners in Greece will regularly do multimillion-dollar deals on a handshake?
“It is much more difficult to be a fraudster in a society in which people do business only with relatives or where commerce is based on family networks going back for centuries. It is much easier to carry out a securities fraud in a market where dishonesty is the rare exception rather than the everyday rule.”
Intuitively, the Canadian paradox could just as well be a Singaporean one. People who normally trust that laws are upheld, that institutions are upstanding and that people they meet every day are generally honest, might not second-guess intentions as much.
It is, after all, impossible to verify everything, so every society decides how it balances what to check and what to take at face value.
In high-trust societies, that balance tips more towards trust.
Is the answer then to tip the balance the other way? Should people stop being so trusting here and should companies build in more levels of checks and verification?
Well, this is where it starts to get a little complicated.
Certainly we want to take all possible steps to make the lives of scammers as difficult as possible.
But we also have to be aware that we will likely never be able to plug every single loophole that we manage to squeeze out every scam.
Nor would we actually want to.
Scammers rely on some degree of trust to operate, but so does the legitimate non-scammer economy.
A society in which people do not trust each other is not just one where scammers fail to thrive, it is one where society and the economy cannot thrive. If every deal is high risk and it is best to just do handshake deals with close friends and family, there is just going to be fewer deals done.
Put another way, trust may create opportunities for scammers to steal wealth, but without it, there might not be any wealth to steal.
As Mr Davies notes, though fraud is expensive, there is a cost to trying to prevent it.
“The cost of dishonesty itself is inseparable from the extent to which bad actors drive out good. The trade-off that we need to make at the level of society is between these two quantities.”
So where does that leave us?
Setting up safeguards and educating the public are important and are efforts that need to continue.
But it may well be that as long as we still tend to trust each other – and it will be a sad day if a time comes when this is no longer true – scams will never really go away.
..

=======

.

Phishing or Fishing scams…banks should fix the loopholes within two weeks. How?
===========
I prefer the manual token as no one will/can break into my house to get hold of it. It is the safest. OTP via SMS is not safe when the crooks have taken control of your account. Crooks will not be able to steal the manual tokens of all the 469 victims of the OCBC scams.
=====
Good. MAS and ABS want all the banks to fix their loopholes within two weeks.
============
What are the loopholes for the banks to fix?
Some three months ago, I received advice from DBS that they would stop the use of the manual token and replace it with the SMS/handphone-generated OTP.
I was hesitant and reluctant to make the switch. I know that sooner or later some bank customers will be hit hard by this change when the crooks use phishing scams on them.
Who among the banks’ CEOs has approved this switch and why? Or, was it approved and directed by MAS and/or the ABS?
Who will stand up and admit to this change, which has affected 469 victims within weeks, with a total of S$8.5 million lost to the crooks?
I hope all the banks will fix the loopholes:
1] restore the use of the manual token to generate the OTP. It should not be optional.
2] stop the generating of the OTP via SMS/handphone;
3] have a secondary password for every account, including deposit accounts, that belongs to the same customer; the request for the secondary password must be authenticated by entering the OTP from the manual token. To execute a transaction on each account, the secondary password is needed. The primary password and OTP will be used to enter the account as a whole but it will not have access to each and every account of the same person to execute a transaction unless the secondary password is authenticated and entered separately.
4] for every transaction involving the changing of the email address or phone number, adding a new payee, or increasing the payment/transfer amount in each account, the notification to the customer must be sent to the previous email address and phone number of the customer to ask for the OTP number generated from the manual token;
5] every payment or transfer of money from the account to a new payee or to an overseas account can only be executed after a 24-hour holding period, and it must be authenticated by entering the OTP number generated from the manual token. The request for the OTP number must be sent to the old email address and phone number of the customer if changes were made to it within the last 30 days.
========
The Straits Times’ Editorial says
Reassuring steps against banking scams
PUBLISHED 3 HOURS AGO on 22nd Jan 2022 in ST.
Singaporeans should be reassured by the firm response of the Monetary Authority of Singapore (MAS) and the Association of Banks in Singapore (ABS) to the recent spate of SMS-phishing scams targeting bank customers. The two institutions are introducing a set of additional measures to bolster the security of digital banking. While the emphasis is on immediate steps to strengthen controls, longer-term preventive measures, too, are being evaluated for implementation in the coming months. Thus, banks will have to put in place measures such as removing clickable links in SMSes or e-mail sent to retail customers, within the next two weeks. Also, there must be a delay of at least 12 hours before activation of a new soft token on a mobile device, notification to existing mobile number or registered e-mail whenever there is a request to change a customer’s contact details, and dedicated customer assistance teams to deal with feedback on potential fraud cases on a priority basis.
These moves attest to a determination by the authorities to deal with the scourge of scams, including by making clear that all financial institutions are expected to have robust measures in place to prevent and detect scams, as well as effective incident handling and customer service in the event of a scam. MAS is also intensifying its scrutiny of the fraud surveillance mechanisms of major financial institutions to ensure they can deal with the growing threat of online scams.
ABS, on its part, has reiterated the banking industry’s continuing commitment to stronger consumer protection so that Singaporeans can enjoy safe, convenient and swift services. This reassurance is timely, to say the least, as what would be at stake otherwise is the faith of customers in the digital banking system. No matter how quick and convenient electronic banking might be, users will lose trust in it if scammers exploit flaws and gain convenient ways to relieve customers of their bank savings in the blink of an eye. In this context, OCBC Bank, which has been in the eye of the most recent scamming storm, has decided creditably to cover in full the losses suffered by its customers to SMS phishing scams last month.
However, online threats continue, as is evident from warnings issued by the Singapore Police Force and the Supreme Court. The onus thus also falls on the public to not let credulity get in the way of knowing how to operate in the online world. Digital transactions are safe only to the extent that consumers make them safe. Of course, banks and other institutions must strive to secure their systems and keep them up to date. However, scammers are clever enough to devise ways to get around the latest security features. They target the consumer who, and only who, can release personal details that gain them entry into secure systems. Consumers must stay vigilant.
======
On Facebook:
Should banks hold all important changes to a customer’s account for 12 hours as a way to stop scams?
PUBLISHED 7 HOURS AGO 22nd Jan 2022 in ST Forum.
Yes, and an alert should be sent to the customer’s mobile phone regarding the impending changes.
Dominique Ngoo
This is an excellent suggestion. A 12-hour hold is a reasonable timeframe for account holders to act within.
Banks should also bring back customer service officers, and not let account holders deal with frustrating chatbots.
Samantha Foo
All person-to-person overseas fund transfers that are more than $5,000 should be put on hold for 24 hours to allow the banks to call the customers for confirmation. Once the customer confirms the transfer, the bank can no longer be held responsible. This is fair for all parties.
Lee Yuen
But if scammers can take control of the account, the customer might not know that the transaction is in progress. Banks should allow customers to totally opt out of overseas funds transfers if they do not need the option.

Bet Tay

.

======

Forum: A little inconvenience a small price to pay for better security online
PUBLISHED 6 HOURS AGO on 21st Jan 2022 in ST Forum.
I refer to the article, “Banks to beef up e-banking security after spate of scams” (Jan 20).
While it is a good step in the right direction, it is also a sad reflection of how it is society’s relentless pursuit of convenience that makes the various phishing attacks so effective to begin with.
If not for society’s ever-increasing demands for “faster, easier”, businesses would not have implemented interactive methods to communicate with customers that attackers can take advantage of. Globally, businesses often implement end-user convenience measures because enough customers demand them.
Similarly, the degree to which other financial industry-related entities implement basic security features should be reviewed.
I offer two examples, one personal and one corporate, for the Monetary Authority of Singapore (MAS) and other regulatory agencies to consider.
I recently used an online payment processor, whose website states that it is licensed by MAS as a major payment institution under the Payment Services Act, to pay a bill.
However, when I logged in to its website, I saw no two-factor authentication (2FA) being implemented, and my account was secured only by username and password.
I also saw no option inside the interface or dashboard which allowed 2FA to be enabled.
I would have thought that MAS would mandate all major payment institutions to have at least 2FA as an added layer of protection against unauthorised access.
For the other example, my employer recently applied to a major local stock brokerage for a corporate securities account.
However, it was informed that 2FA was available only for personal accounts – corporate accounts did not have any 2FA and could be secured using only username and password.
My employer cancelled the application and went with another brokerage that at least offers 2FA via SMS, which is better than no 2FA at all.
It is surprising that some brokerages do not offer any form of 2FA for corporate accounts. An attacker wanting to ruin a corporate client could potentially log in using just a compromised username and password, and execute intentional trades to cause the company massive financial loss.
I have often said that security and convenience are inversely related.
It should not take suffering financial or reputational loss to make regulators, businesses and customers start to appreciate how an ounce of preventative inconvenience is much better than a ton of reactive rectification.
Julian Ho
.

=======

.

Good. Banks to fix the loopholes within two weeks…
.
=======
.
Banks to tighten security, remove clickable links in SMSes after OCBC phishing scams
These measures were introduced following a spate of SMS phishing scams targeting bank customers. ST PHOTO: LIM YAOHUI
Choo Yun Ting
Business Correspondent
PUBLISHED 11 HOURS AGO on 20th Jan 2022 in Straits Times.
SINGAPORE – Banks in Singapore will have to put in place more stringent measures to bolster the security of digital banking, such as removing clickable links in SMSes or e-mails sent to retail customers, within the next two weeks.
These additional measures were introduced in view of the recent spate of SMS phishing scams targeting bank customers, the Monetary Authority of Singapore (MAS) and the Association of Banks in Singapore (ABS) said in a joint statement on Wednesday (Jan 19).
This comes after OCBC Bank said it would cover in full the losses suffered by its customers to SMS phishing scams last month and as other local banks, the Singapore Police Force and the Supreme Court issued warnings about phishing scams targeting their users.
The measures include a delay of at least 12 hours before activation of a new soft token on a mobile device, notification to existing mobile number or registered e-mail whenever there is a request to change a customer’s contact details, and dedicated customer assistance teams to deal with feedback on potential fraud cases on a priority basis.
The threshold for funds transfer transaction notifications to customers will also be set by default at $100 or lower, more frequent scam education alerts will be sent out, and additional safeguards such as a cooling-off period before implementation of requests for key account changes will also be in place.
In the statement, MAS and ABS said the growing threat of online phishing scams calls for immediate steps to strengthen controls, while longer-term preventive measures are being evaluated for implementation in the coming months.
The more stringent measures which banks will work to put in place in the next fortnight will lengthen the time taken for certain online banking transactions but also provide an additional layer of security to protect customers’ funds, they added.
New measures for banks:
– Remove clickable links in SMSes and e-mails to retail customers
– Dedicated customer assistance teams to deal with feedback on potential fraud cases
– Threshold for funds transfer to be set by default to $100 or lower
– Delay of at least 12 hours before activation of new soft token on mobile device
– Notifications to be sent to existing mobile number or e-mail for requests to change these details
– Cooling-off period before implementing requests to make key changes, such as contact details
Last month, nearly 470 OCBC customers lost at least $8.5 million to SMS phishing scams, among them a mother of seven who said she lost almost $100,000 and a couple in their 20s who took five years to save about $120,000 to start a family.
Victims received unsolicited SMSes that appeared to be from OCBC, claiming there were issues with their banking accounts and asking users to click on the link given in the message.
The link led to fake bank websites and victims were asked to key in their Internet banking account login details.
OCBC said in a statement on Wednesday that all affected customers will receive “full goodwill payouts” covering the amount they lost by next week. More than 100 victims have received their payouts so far.
DBS Bank on Wednesday also warned its customers about a fake SMS being sent to users claiming to be from the bank.
It urged customers not to click on links sent through SMSes and said it would never ask for account details or one-time passwords (OTPs) over the phone, e-mail or SMS. DBS is actively taking down such phishing sites, it added.
In a Facebook post on Wednesday, UOB encouraged customers to remain alert to scams, warning users of SMS phishing scams where the bank’s name and images are being used fraudulently.
In the joint statement, MAS and ABS said banks will continue to work closely with MAS, the police and the Infocomm Media Development Authority (IMDA) to deal with the phishing scams.
This includes working on more permanent solutions to combat SMS spoofing, including adoption of the SMS sender ID registry by all relevant stakeholders.
The registry pilot was launched by the IMDA last August and enables organisations to register the SMS sender ID headers they wish to protect. When there is unauthorised use of this protected SMS sender ID, the messages will be blocked.
The central bank is also intensifying its scrutiny of major financial institutions’ fraud surveillance mechanisms to ensure they are adequately equipped to deal with the growing threat of online scams.
MAS and ABS stressed that customer vigilance remains key and outlined several measures customers must take to avoid falling for online banking scams:
– Never click on links provided in SMSes or e-mails;
– Never divulge Internet banking credentials or passwords to anyone;
– Verify SMSes or e-mails received by calling the bank directly on the hotline listed on its official website;
– Verify that you are at the bank’s official website before making any transactions, or transact through the bank’s official mobile application; and
– Closely monitor transaction notifications so that any unauthorised payments are reported as soon as possible to increase the chances of recovery.
Victims received unsolicited SMSes that appeared to be from OCBC, claiming there were issues with their banking accounts and asking users to click on the link given in the message. ST PHOTO: JOYCE FANG
MAS managing director Ravi Menon said the central bank is deeply concerned about the recent scams and the financial losses suffered by victims.
“The threat of scams will not go away, but we can reduce our vulnerabilities. This requires a multi-pronged response across the ecosystem,” he said, adding that MAS along with other agencies will work closely with the financial industry, telecoms industry, consumer groups and other stakeholders to strengthen collective resilience against scam attacks.
ABS chairman Wee Ee Cheong said the banking industry, along with MAS and ecosystem players, will continue to strengthen consumer protection measures.
“We also ask that the public stay vigilant given that scams continue to evolve and are executed quickly.
“We remain committed to upholding the confidence with which customers can transact online safely, while still maintaining a high level of service,” said Mr Wee.
In reply to the announcement on Wednesday, DBS said that in addition to the industry measures, it will stop sending non-essential SMSes from Friday. Only essential SMSes, such as security and trade notifications, and OTP authentication with no clickable links will be sent to retail and wealth customers until further notice, it said.
Cyber-security firm Acronis’ chief information security officer, Mr Kevin Reed, said the steps introduced by MAS and ABS help to minimise risks by removing some weak points, such as links in SMSes, and improve the response time and process of detecting fraudulent activities.
“It’s good to have extra measures implemented, but it’s simply not enough – the attacks can still continue at this point. Some of them – like the cooling-off period, more frequent education alerts – can work if implemented correctly, while others may not have the desired effect,” he noted.
These changes must be well explained to customers. Otherwise, the change can cause confusion and temporarily open up even more new opportunities for attackers, Mr Reed said, adding that close collaboration between telecoms providers and banks is crucial to complicate the work of attackers and reduce the chances of customer accounts being compromised.
Mr Leow Kim Hock, Asia chief executive of cyber-security services provider Wizlynx Group, stressed that while these measures are good to restore public confidence, given the recent spate of the scams, the key is to educate customers, especially since the technology that scammers use is constantly evolving.
The banks could look at assessing users before they are qualified to use digital banking services, similar to how customers have to undergo a customer knowledge assessment before they wish to invest in specified investment products, he said.
.
=====
.
=
Banks to remove clickable links in emails, SMS sent to customers as part of new security measures
New measures for digital banking are to be rolled out for banks in Singapore, after a recent spate of SMS phishing scams affected at least 469 of OCBC’s customers.
By Janice Lim (@janicelimtoday)
Published January 19, 2022 in Today newspaper. Updated January 19, 2022.
SINGAPORE — Banks in Singapore will be removing clickable links in emails or SMS messages sent to retail customers and setting the threshold for funds transfer notifications to customers by default at S$100 or lower. These are part of several measures to protect account holders from phishing scams.
The changes, announced by the Monetary Authority of Singapore (MAS) and the Association of Banks in Singapore (ABS) in a joint statement on Wednesday (Jan 19), will be implemented within the next two weeks.
The new measures came after at least 469 customers were affected by an SMS phishing scam targeting OCBC bank customers, with losses totalling at least S$8.5 million.
The fraudsters had sent out fake bank alerts that spoofed the bank’s official SMS channel, duping many of them into clicking on web links and giving up their personal account information last month.
In the joint statement, MAS and ABS said that these measures will bolster the security of digital banking, given that it will lengthen the time taken for certain online banking transactions and also provide an added layer of security to protect customers’ funds.
Other measures that banks will be putting in place include:
  • Delaying activation of a new soft token on a mobile device by at least 12 hours
  • Sending notification to a customer’s existing mobile number or email registered with the bank whenever there is a request to change a customer’s mobile number or email address
  • Introducing a cooling-off period before executing requests to important account changes such as in a customer’s key contact details
  • Having dedicated and well-resourced customer assistance teams to deal with feedback on potential fraud cases on a priority basis
  • More frequent scam education alerts
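The account-change safeguards in this list, sketched as a small Python model; this is an added example, not code from MAS, ABS or any bank. The class and function names, the sample contact details and the 24-hour cooling-off length (the list gives no length; OCBC's own announcement uses 24 hours) are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Figures from the article; the 24-hour cooling-off length is an assumption
# (the MAS/ABS list gives no length; OCBC's own announcement uses 24 hours).
SOFT_TOKEN_DELAY = timedelta(hours=12)
COOLING_OFF = timedelta(hours=24)
NOTIFY_THRESHOLD_CENTS = 100_00  # S$100 default notification threshold


@dataclass
class PendingChange:
    kind: str            # "soft_token", "mobile" or "email"
    value: str
    effective_at: datetime


@dataclass
class Account:
    mobile: str
    email: str
    active_tokens: set = field(default_factory=set)
    pending: list = field(default_factory=list)
    outbox: list = field(default_factory=list)  # (destination, text) pairs

    def _notify_existing(self, text):
        # Alerts go to the contacts already on file, never to a requested
        # replacement, so a hijacker cannot redirect the warning.
        self.outbox.append((self.mobile, text))
        self.outbox.append((self.email, text))

    def request_soft_token(self, device_id, now):
        self.pending.append(
            PendingChange("soft_token", device_id, now + SOFT_TOKEN_DELAY))
        self._notify_existing(f"New digital token requested for {device_id}")

    def request_contact_change(self, kind, new_value, now):
        if kind not in ("mobile", "email"):
            raise ValueError(f"unsupported contact field: {kind}")
        self.pending.append(PendingChange(kind, new_value, now + COOLING_OFF))
        self._notify_existing(f"Request to change {kind} received")

    def cancel_pending(self):
        """Customer disputes the requests during the waiting period."""
        cancelled, self.pending = self.pending, []
        return cancelled

    def apply_due_changes(self, now):
        """Apply only the changes whose waiting period has fully elapsed."""
        due = [p for p in self.pending if p.effective_at <= now]
        self.pending = [p for p in self.pending if p.effective_at > now]
        for p in due:
            if p.kind == "soft_token":
                self.active_tokens.add(p.value)
            else:
                setattr(self, p.kind, p.value)
        return due

    def authorise_transfer(self, device_id, amount_cents, now):
        self.apply_due_changes(now)
        if device_id not in self.active_tokens:
            return False  # token still pending, or never provisioned
        if amount_cents >= NOTIFY_THRESHOLD_CENTS:
            self._notify_existing(
                f"Transfer of S${amount_cents / 100:.2f} authorised")
        return True


def run_scenario():
    """Constructed timeline: credentials are phished, then misused."""
    t0 = datetime(2022, 1, 1, 9, 0)
    acct = Account(mobile="+65-0000-0001", email="owner@example.com",
                   active_tokens={"owner-phone"})
    # Someone holding the phished login asks for a token and a new number.
    acct.request_soft_token("unknown-device", t0)
    acct.request_contact_change("mobile", "+65-0000-0999", t0)
    early = acct.authorise_transfer("unknown-device", 5000_00,
                                    t0 + timedelta(hours=1))
    alerted = sorted({dest for dest, _ in acct.outbox})
    # The owner sees the alerts and disputes the requests before they apply.
    cancelled = acct.cancel_pending()
    late = acct.authorise_transfer("unknown-device", 5000_00,
                                   t0 + timedelta(hours=30))
    owner_ok = acct.authorise_transfer("owner-phone", 150_00,
                                       t0 + timedelta(hours=30))
    return {"early": early, "late": late, "owner_ok": owner_ok,
            "alerted": alerted, "cancelled": len(cancelled),
            "mobile": acct.mobile}


if __name__ == "__main__":
    print(run_scenario())
```

In the constructed timeline the unrecognised device is refused both before and after the waiting periods, because the owner was alerted on the old number and email and cancelled the requests in time.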
“MAS expects all financial institutions to have in place robust measures to prevent and detect scams as well as effective incident handling and customer service in the event of a scam,” the joint statement read.
“The growing threat of online phishing scams calls for immediate steps to strengthen controls, while longer-term preventive measures are being evaluated for implementation in the coming months.”
The banks will continue to work closely with MAS, the police and the Infocomm Media Development Authority to deal with these scams, including coming up with more permanent solutions such as getting all relevant stakeholders to register SMS sender IDs of individuals they wish to protect, MAS and ABS said.
Sender IDs are names that identify the sender of an SMS message so that a word or phrase (e.g. OCBC), instead of a number, is displayed on the recipient’s mobile phone.
“MAS is also intensifying its scrutiny of major financial institutions’ fraud surveillance mechanisms to ensure they are adequately equipped to deal with the growing threat of online scams,” they added.
MAS and ABS also reminded customers that they should be vigilant and must:
  • Never click on links provided in SMS messages or emails
  • Never reveal their internet banking passwords to anyone
  • Verify SMS messages or emails received by calling the bank directly on the hotline listed on its official website
  • Verify that they are looking at the bank’s official website before making any transactions
  • Transact through the bank’s official mobile application
  • Closely monitor transaction notifications so that any unauthorised payments are reported as soon as possible to increase the chances of recovery
Mr Ravi Menon, managing director of MAS, said that the threat of scams will not go away, but there are ways to reduce vulnerabilities of online banking.
“MAS, together with the police, IMDA and other relevant government agencies, is working closely with the financial industry, the telco industry, consumer groups and other stakeholders to strengthen our collective resilience against scam attacks. We will ensure that digital banking remains secure, efficient, and trusted,” he added.
.
========
.
Phishing or Fishing scams…banks should fix the loopholes within two weeks. How?
.
===========
.
I prefer the manual token as no one will/can break into my house to get hold of it. It is the safest. OTP via SMS is not safe when the crooks have taken control of your account. Crooks will not be able to steal the manual tokens of all the 469 victims of the OCBC scams.
.
=====
.
Good. MAS and ABS want all the banks to fix their loopholes within two weeks.
============
What are the loopholes for the banks to fix?
Some three months ago, I received advice from DBS that they would stop the use of the manual token and replace it with the sms/handphone generated OTP.
I was hesitant and reluctant to make the switch. I know that sooner or later some bank customers will be hit hard by this change when the crooks use phishing scams on them.
Who among the banks’ CEOs has approved this switch and why? Or, was it approved and directed by MAS and/or the ABS?
Who will stand up and admit to this change, which has affected 469 victims within weeks, and they lost in total S$8.5 million to the crooks?
I hope all the banks will fix the loopholes:
1] restore the use of the manual token to generate the OTP. It should not be optional.
2] stop the generating of the OTP via sms/handphone;
3] have a secondary password for every account, including deposit account, that belongs to the same customer; the request for the secondary password must be authenticated by entering the OTP from the manual token; To execute a transaction on each account, the secondary password is needed. The primary password and OTP will be used to enter the account as a whole but it will not have access to each and every account of the same person to execute a transaction unless the secondary password is authenticated and entered separately.
4] for every transaction involving the changing of the email address, phone number, adding new payee, and increasing the payment/transfer amount in each account, the notification to the customer must be sent to the previous email address and phone number of the customer to ask for the OTP number generated from the manual token;
5] every payment or transfer of money from the account to a new payee or to an overseas account can only be executed after a 24-hour holding period, and it must be authenticated by entering the OTP number generated from the manual token. The request for the OTP number must be sent to the old email address and phone number of the customer if changes were made to it within the last 30 days.
.
=========

Customers shouldn’t expect banks to reimburse money lost in scams, but industry guidelines will be helpful: Analysts

One business consultant said that reimbursements should be given to customers only when the scam was due to a breach in cybersecurity controls or internal lapses of a bank.
  • OCBC bank’s decision to fully reimburse all its customers for the money they lost through a phishing scam should not be set as an industry precedent, analysts said
  • This could lead to customers becoming complacent and cyber criminals targeting Singapore banks 
  • Customers should also not expect their bank savings lost in fraud to always be reimbursed
  • The industry and the relevant authorities could come up with a set of guidelines on how banks may reimburse customers

SINGAPORE — OCBC bank’s move to fully reimburse all its customers who were victims of a recent SMS phishing scam should not set a precedent for the banking industry, professionals in business, law and cybersecurity sectors said.

They suggested instead that banks and the authorities could work together to come up with broad guidelines that set out the specific situations or parameters where reimbursements should be given to scam victims.

Ms Emily Lai, business risk partner at advisory firm Grant Thornton Singapore, said that there should not be an industry-wide guarantee to bank customers that would cover all potential scams and frauds, especially those arising from their own ignorance, negligence or carelessness.

“Otherwise, the customers may let down their guards and not remain vigilant or cautious of such fraudulent activities.”

Mr Lim Yihao, head of intelligence for Asia Pacific at cybersecurity firm Mandiant, said that setting up such a guarantee could send a wrong signal and may even encourage more cases of fraud to occur.

“It’s similar to how cyber criminals already check if victims are covered by cyber insurance before attacking. Having a guarantee might encourage cyber criminals to target Singapore banks’ customers more, since consumers are not so concerned about clicking on fraud SMS messages or emails, et cetera, knowing that they will get their money back regardless.

“This could lead to more careless behaviour from consumers with respect to phishing email or SMS messages they receive,” Mr Lim added.

OCBC said on Wednesday (Jan 19) that it will be making arrangements with all customers who were victims of a recent scam to fully reimburse them by next week for the money they lost.

At least 469 customers were affected by the SMS phishing scam, with losses totalling at least S$8.5 million.

Swindlers had sent out fake bank alerts that spoofed the bank’s official SMS channel, duping many of the victims into giving up their personal account information last month.

Several victims told TODAY about their shock and distress over the incidents that happened during the year-end holiday period.

The analysts who spoke to TODAY on Thursday believe that there should not be an industry-wide guarantee of reimbursement after a scam.

However, they recognised that OCBC’s move might push other banks to follow suit since people might expect the same thing if caught in the same situation.

Mr Jonathan Crompton, partner at RPC law firm, said that customers are looking to their banks for protection.

“Even without a significant legal and regulatory change, if a bank can gain a competitive advantage here commercially, this may be a factor for customers to switch,” he said.

Ms Lai of Grant Thornton Singapore said that expecting all other banks to copy OCBC’s move to fully reimburse their customers is a dangerous mindset, since people may subconsciously be less mindful and stop being vigilant.

“It is extremely vital and of utmost importance that customers be ingrained to always remember that banks do not owe customers reimbursements for the lost or stolen money in situations where it is the customers’ own ignorance, negligence or carelessness,” she added.

Though banks are generally not legally obligated to reimburse their customers, the analysts said that the various players as well as government authorities could get together to work out certain industry standards on whether banks should reimburse their customers who have been cheated and the amount to be repaid.

Ms Lai said that reimbursements should only be done when the scam was due to a breach in cybersecurity controls or internal lapses of a bank.

There may, however, be exceptions in cases where victims were unable to reach the banks in time to block, cancel or void the transactions due to the bank’s slow customer service, or when the bank’s internal controls are inadequate to prevent such scam tactics.

“The banks should be required to take some accountability and consider providing contingent reimbursements.

“This would be done by assessing the reasonable steps a victim is expected to take when faced with a scam and whether immediate corrective action has been taken.

“Another thing to assess is the amount of reimbursements that should be given, considering the banks’ expected duty of care towards the affected victims,” she added.

Ms Lai also said that the industry can refer to some standards already put up in the United Kingdom, where the reimbursement process is assessed on a case-by-case basis.

“For instance, when scams arise because of a lapse — even a momentary lapse — in the (bank’s) cybersecurity, internal controls or safeguards and features… reimbursements should be made to the affected victims in whole, based on the affected facility.

“Whereas in instances when scams occur due to one’s ignorance, fraudulent or negligent actions, like sharing bank tokens, ATM cards, personal identification number (PIN) and passwords knowingly to another person, then the onus should not be on the banks to reimburse the affected victims for the lost money,” she added.

For Mr Lim of Mandiant, trying to define the various specific situations where victims can be compensated is limiting because scam situations change — and quite quickly at that.

Instead, he suggested that the Monetary Authority of Singapore (MAS) and the banks consider compensation only in instances when victims have been cheated without any input on their end, and when there was nothing they could have done to prevent it.

One example is when criminals impersonate victims to socially engineer telecommunication firms to change SIM cards for phones and get one-time password notifications to be re-directed to the new SIM card.

Mr Terence Siau, chief executive officer of cybersecurity firm Tindo, said that recommending a list of actions that banks should take within a given timeframe the moment they notice abnormal transactions would reduce risks and the amount of money lost to scammers.

And banks that manage to follow this set of actions may not be liable for compensation, while those that do not follow may have to make repayments.

Mr Siau also said that there is no way scams can be prevented, so coming up with guidelines that involve early detection is key.

Although Mr Crompton the lawyer agrees that an industry standard is a useful starting point for a bank’s internal team to deal with customer complaints, he noted that scams are complex and varied and it would be very difficult for an industry-wide standard to cover every situation.

“Victim customers are unlikely to be placated by a bank not compensating the loss and giving the reason that it is complying with the industry standard,” he said.

“Customers will continue to take legal action when they think a bank failed to meet its legal obligations, and the common law will continue to develop in this area.”

With or without such industry guidelines, Mr Crompton said that banks should maintain their own internal policies of how to handle fraud complaints and requests for compensation, as well as to ensure that they handle them quickly and in a consistent manner.

=============

.

OCBC unveils tighter security measures such as customer notifications for all transactions

OCBC Bank on Jan 21, 2022 outlined various security measures it is implementing in the wake of an SMS phishing scam that affected hundreds of its customers.
  • OCBC Bank on Friday (Jan 21) outlined various security measures it is implementing in the wake of an SMS phishing scam that affected hundreds of its customers
  • The measures include transaction notifications for fund transfers through PayNow and inter-bank payments for sums as low as one cent
  • From Jan 31, the bank will introduce a 24-hour cooling-off period for key account changes

SINGAPORE — OCBC Bank said it has stepped up its security measures, including initiating transaction notifications for fund transfers through PayNow and inter-bank payments for amounts as low as one cent.

In a media statement on Friday (Jan 21), the bank also said that it will implement a 24-hour cooling-off period for key account changes from Jan 31.

The bank has set up a dedicated customer service team, which has been made permanent, to handle customer queries and reports on fraud.

The OCBC hotline (1800 363 3333) also contains a dedicated option for customers to escalate reports of suspected scams, said the bank.

These changes come after at least 469 OCBC customers were affected by an SMS phishing scam, with losses totalling at least S$8.5 million.

Swindlers had sent out fake bank alerts that spoofed the bank’s official SMS channel, duping many of the victims into giving up their personal account information last month.

Several victims told TODAY about their shock and distress over the incidents that happened during the year-end holiday period.

OCBC said on Wednesday that it would be making arrangements with all customers who were victims of the recent scam to be fully reimbursed by next week for the money they lost.

It said on Friday that it had already removed clickable links in marketing emails and SMSes since Jan 11, and reduced the default daily limit for funds transfer via PayNow from S$5,000 to S$1,000 on Jan 14.

Customers are also able to adjust it to their needs, to a minimum of S$100. The amount allowed to be transferred per transaction is also reduced from the default of S$1,000 to S$200, said OCBC.

It had implemented a 24-hour cooling-off period for digital token provisioning on Dec 31 last year.

Other security measures added included those introduced by the Monetary Authority of Singapore (MAS) and the Association of Banks in Singapore (ABS) which aim to protect account holders from phishing scams.

Other anti-scam security measures are:

  • Allowing customers to adjust their account-to-account and overseas funds transfer limits for online banking, including deactivating funds transfers completely by setting their transfer limit to $0
  • Sending transaction notifications to customers’ existing mobile number or email address registered with the bank whenever there is a request to change their mobile number or email address
  • Not sending SMSes with links regarding banking transactions

“We will continue in our ongoing efforts to educate and inform customers about scams through multiple channels such as our social media channels, email, SMS, and on our website and mobile banking login pages.

“We would like to again remind consumers to be alert, protect their bank account login credentials, and to only perform banking transactions through the bank’s official website and mobile banking apps,” said OCBC.

.

=========
.
Forum: A little inconvenience a small price to pay for better security online
PUBLISHED 6 HOURS AGO on 21st Jan 2022 in ST Forum.
I refer to the article, “Banks to beef up e-banking security after spate of scams” (Jan 20).
While it is a good step in the right direction, it is also a sad reflection of how it is society’s relentless pursuit of convenience that makes the various phishing attacks so effective to begin with.
If not for society’s ever-increasing demands for “faster, easier”, businesses would not have implemented interactive methods to communicate with customers that attackers can take advantage of. Globally, businesses often implement end-user convenience measures because enough customers demand them.
Similarly, the degree to which other financial industry-related entities implement basic security features should be reviewed.
I offer two examples, one personal and one corporate, for the Monetary Authority of Singapore (MAS) and other regulatory agencies to consider.
I recently used an online payment processor, whose website states that it is licensed by MAS as a major payment institution under the Payment Services Act, to pay a bill.
However, when I logged in to its website, I saw no two-factor authentication (2FA) being implemented, and my account was secured only by username and password.
I also saw no option inside the interface or dashboard which allowed 2FA to be enabled.
I would have thought that MAS would mandate all major payment institutions to have at least 2FA as an added layer of protection against unauthorised access.
For the other example, my employer recently applied to a major local stock brokerage for a corporate securities account.
However, it was informed that 2FA was available only for personal accounts – corporate accounts did not have any 2FA and could be secured using only username and password.
My employer cancelled the application and went with another brokerage that at least offers 2FA via SMS, which is better than no 2FA at all.
It is surprising that some brokerages do not offer any form of 2FA for corporate accounts. An attacker wanting to ruin a corporate client could potentially log in using just a compromised username and password, and execute intentional trades to cause the company massive financial loss.
I have often said that security and convenience are inversely related.
It should not take suffering financial or reputational loss to make regulators, businesses and customers start to appreciate how an ounce of preventative inconvenience is much better than a ton of reactive rectification.
Julian Ho
.

=========

.
.
Authorities working on requiring all banks, telcos, SMS aggregators to join anti-spoof registry
The authorities’ move to work on requiring telcos, banks and SMS aggregators to join the registry follows a series of phishing scams affecting OCBC customers.
  • The authorities said that they will roll out an anti-spoof national registry to all telcos, SMS aggregators and banks that use SMS for retail customers
  • TODAY understands that this will be made a requirement for these companies
  • When a fraudster tries to send messages using a registered sender name, the registered company will be able to block them
By Daryl Choo
Published January 20, 2022 in Today newspaper.
SINGAPORE — The authorities are working on getting all telcos, banks and SMS aggregators in Singapore to sign up for a national registry that allows businesses to block spoofed scam messages from being sent to customers.
TODAY understands that this will be made a requirement for these companies and organisations, as part of a suite of security measures announced earlier that were designed to combat scams such as the recent OCBC bank phishing scam.
In response to TODAY’s queries, spokespersons from the Infocomm Media Development Authority (IMDA) and the Monetary Authority of Singapore (MAS) said in a joint statement on Thursday (Jan 20) that they will “roll out the registry to all telcos, SMS aggregators, and banks that use SMS services for retail customers”.
“The recent surge in spoofing attacks involving banks underlines the need for robust defences at the ecosystem level against spoofing attacks,” the statement read.
The registry, called the Singapore SMS SenderID protection registry, had been in its pilot phase since last August.
Following the OCBC phishing scam, there have been calls to make it mandatory for firms to be part of the registry.
As of Thursday, more than 2,100 people have signed an online petition to get IMDA to require all organisations in Singapore to register with the authorities before being allowed to send SMS messages with sender IDs. Earlier this week, IMDA had also urged more organisations to sign up.
A slew of measures were announced on Wednesday evening by MAS and the Association of Banks in Singapore to tighten the security of digital banking and protect account holders from phishing scams.
These include banks removing clickable links in emails or SMS messages sent to retail customers and having dedicated customer assistance teams to deal with feedback on potential fraud cases.
The OCBC phishing scam claimed nearly 470 victims who lost at least S$8.5 million in all. The bank has said that it will fully reimburse all customers who lost money to the scam.
Many of these victims had been tricked by fake SMS messages that appeared in the same thread as legitimate text messages from OCBC for one-time passwords and transaction alerts.
The swindlers impersonated the bank by putting their sender ID as “OCBC”, claiming that there were issues with the customer’s bank accounts or credit cards and instructing them to click on a link in the SMS message that led the customer to a fake banking website.
Sender IDs are names that identify the sender of an SMS message so that a word or phrase (such as “OCBC”), instead of a number, is displayed on the recipient’s mobile phone.
To combat these forms of scams, the registry allows organisations to register their sender ID. When fraudsters try to send messages using a sender ID that is registered, these organisations may choose to block them from being sent.
IMDA previously said that “some banks” signed up when the pilot registry was started and named e-commerce platform Lazada and Singapore Post as being on it as well. OCBC is understood to be part of the pilot registry project.
“We urge more businesses and organisations that use SMS sender IDs to do so,” IMDA wrote in reply to a reader’s letter to The Straits Times on Monday.
The SMS SenderID protection registry is run by global trade body Mobile Ecosystem Forum (MEF), which developed and ran a registry in the United Kingdom where the firm is based.
Speaking to TODAY earlier, MEF’s registry project director Mike Round previously explained how the registry works.
He also said that the initial monitoring and discovery phase for the registry in Singapore is “working well”, but stressed that the registry is not foolproof in rooting out SMS phishing attacks.
Cybersecurity experts also said that the registry’s success may be limited, given the known vulnerabilities of SMS messages, suggesting instead that banks do away with communicating important information such as verification codes via SMS.
.

==========

Why do the DBS and POSB accounts of a holder have the same email address, password, phone number, etc?
A hack into one account will mean all the other accounts are compromised, penetrated by the crooks.
Banks should have password at a secondary level separately for each and every bank account, deposit account, etc, of the same person.
The primary password and OTP are to be authenticated for the person to have access to all his/her bank accounts via Internet and computer.
The primary password and OTP should have no access to each bank account by making it a requirement that a secondary password must be entered by the person to have access to each of his/her bank account separately.
The secondary password will prevent the crooks from penetrating to each bank account unless he knows the secondary password of each account.
=======
More at this link:
Beware of phishing scams; Retirees on government pension; Invest your money safely and wisely; Where? 470 people cheated by phishing scams in Dec 2021;
TANKOKTIM.WORDPRESS.COM
  • Tan Kok Tim

    Banks should have a primary and secondary password system for their customers in this digital age of IT banking.
    .
    The scammers and crooks must know or are familiar with how the banking systems and IT systems work. They either have worked in the banking industry before or have an accomplice who works in the banking sector or in the IT department of a bank.
    Without banking and IT experience, or the support of fellow crooks working in cahoots in the banking sector, it would be like a layman, ‘like many others and me’, trying to figure out which button to press to execute the scam/fraud in the IT banking system of a bank that is under attack.
  • Tan Kok Tim

    I prefer the manual token as no one will/can break into my house to get hold of it. It is the safest. OTP via SMS is not safe when the crooks have taken control of your account. Crooks will not be able to steal the manual tokens of all the 469 victims of the OCBC’s scams by the crooks.
  • Tan Kok Tim

    Good. MAS and ABS want all the banks to fix their loopholes within two weeks.
    ============
    What are the loopholes for the banks to fix?
    Some three months ago, I received advice from DBS that they would stop the use of the manual token and replace it with the SMS/handphone-generated OTP.
    I was hesitant and reluctant to make the switch. I know that sooner or later some bank customers will be hit hard by this change when the crooks use phishing scams on them.
    Who among the banks’ CEOs have approved this switch and why? Or, was it approved and directed by MAS and/or the ABS?
    Who will stand up and admit to this change, which has affected 469 victims within weeks, and they lost in total S$8.5 million to the crooks?
    I hope all the banks will fix the loopholes:
    1] restore the use of the manual token to generate the OTP. It should not be optional.
    2] stop the generating of the OTP via sms/handphone;
    3] have a secondary password for every account, including deposit accounts, that belongs to the same customer; the request for the secondary password must be authenticated by entering the OTP from the manual token. To execute a transaction on each account, the secondary password is needed. The primary password and OTP will be used to enter the account as a whole but will not give access to each and every account of the same person to execute a transaction unless the secondary password is authenticated and entered separately.
    4] for every transaction involving the changing of the email address, phone number, adding new payee, and increasing the payment/transfer amount in each account, the notification to the customer must be sent to the previous email address and phone number of the customer to ask for the OTP number generated from the manual token;
    5] every payment or transfer of money from the account to a new payee or to an overseas account can only be executed after a 24-hour holding period, and it must be authenticated by entering the OTP number generated from the manual token. The request for the OTP number must be sent to the old email address and phone number of the customer if changes were made to it within the last 30 days.
  • Tan Kok Tim

    Customers of all banks….. Do not panic…
    Solutions for account holders to be safer. How? Have two bank accounts with two banks.
    Keep all your money in the first account.
    The first bank account shall be used only to transfer money to your second bank account, which shall be used for making payments of bills, etc. and for drawing cash from the ATM.
    No payment shall be made from the first bank account.
    Keep a minimum balance in the second bank account, keep the balance low.
    Do not panic about your first bank account. When you encounter anything such as threats, go to the bank in person immediately to check on it.
  • Tan Kok Tim

    Possible solution:
    All banks should have an auto voice reply [in four languages] to a phone call and say:
    “If you have been threatened that your account will be closed, please go to our branch to clarify. Do not phone in, and do not use the Internet to respond to the threat.”
    =======
    Phoning in will not be useful as the lines will be overloaded with calls.
    Go to the branch of the bank to sort it out.
    Do not respond to the threat online or via Internet, etc.
  • DBS’s Facebook:    on 20th Jan 2022:

    Hi there, we appreciate your feedback on this matter and we will review accordingly. Thank you!🙏🏼

=

OCBC phishing scam: ‘Goodwill payouts’ for 30 victims to date, all cases to be ‘reviewed and validated thoroughly’

OCBC described a recent phishing scam that hit its customers as “particularly aggressive and highly coordinated”, becoming increasingly frequent over the year-end holiday period in 2021.
  • Since Jan 8, OCBC has handed out goodwill payouts to more than 30 victims of the recent SMS phishing scam that targeted its customers
  • The bank is in the process of reviewing and validating each case thoroughly
  • Payouts are made on a “goodwill basis” after taking into account the circumstances of each case
  • At least 469 customers were affected by the SMS phishing scam, with losses totalling at least S$8.5 million
  • Three victims told TODAY they have been contacted by the bank on the goodwill payouts, but have no idea how much they might be reimbursed for now

SINGAPORE — OCBC has started reimbursing customers who were affected by the recent SMS phishing scam, the bank announced on Monday (Jan 17).

More than 30 customers have already received “goodwill payouts” since the bank began giving them out on Jan 8, while the validation process is still ongoing for the others affected by the scam, OCBC said in a statement.

“The payouts to this group of customers are made on a goodwill basis after thorough verification, taking into account the circumstances of each case,” the bank added.

OCBC did not say whether the victims will be fully or partially reimbursed, or how many of the victims will not be eligible for these payments. TODAY has asked the bank for more details.

The bank also “acknowledged that its customer service and response fell short of our customers’ expectations, especially at a time of stress and anxiety”, and added that it has set up a dedicated team to support the victims.

“As the investigations into these cases are complex and extensive involving multiple checks and parties, the bank needed more time to get back to affected customers to address their concerns,” it added.

“The bank seeks the patience and understanding of all affected customers to allow it the time to properly review and validate each case thoroughly.

“Affected customers will be contacted as soon as the review and validation of their case is complete.”

At least 469 customers had been affected by the SMS phishing scam, with losses totalling at least S$8.5 million.

The fraudsters had sent out fake bank alerts that spoofed the bank’s official SMS channel with the victims, duping many of them into giving up their personal account information last month.

Several victims previously described to TODAY their heartbreak and anxiety over suffering such towering financial losses during the holiday season.

Some also said that their OCBC bank accounts were hijacked and emptied by the scammers even though they did not provide the scammers with their one-time password or security token information.

On Monday, three victims told TODAY that the bank has reached out to them regarding the goodwill payouts, instructing them to meet bank officers with a copy of their police report. They were not informed about how much they would be reimbursed yet.

“It is possible that the payouts may not be in full, but I am hoping that won’t be the case,” said one victim who declined to be identified.

OCBC warned early this month that people should not access their bank accounts through these messages, and that the bank will no longer send web links through SMS.

On Monday evening, the Monetary Authority of Singapore (MAS) said in a statement that it takes a “serious view” of the scam and will consider taking supervisory action against OCBC.

“MAS expects all financial institutions to have robust measures for fraud prevention, detection, and remediation, and to provide prompt assistance to customers who have been victims of scams,” it added.

OCBC described the scam as “particularly aggressive and highly coordinated”, becoming increasingly frequent over the year-end holiday period.

Scammers were able to impersonate the bank through the SMS thread that it uses with customers, by cloning a legitimate sender ID — OCBC, in this case — via SMS. Sender IDs are names that identify the sender of an SMS message so that a word or phrase, instead of a number, is displayed on the recipient’s mobile phone.

OCBC said that this enables the scammer’s SMS to appear as if it originated from a legitimate sender, thus enabling the message to appear in the same thread as legitimate SMSes from the bank.

“From the time the bank first detected (the scam) in early December 2021, it had, since Dec 3, 2021, issued multiple alerts and warnings to its customers using multiple channels.

“It had issued security alerts and advisories on its website, internet and mobile banking log-in pages through customer e-mails, as well as through its own social media channels,” OCBC said.

These included two media advisories on Dec 23 and 30, and SMS messages to all customers on Dec 30 and Jan 4.

“The bank has also proactively reached out to customers who might not be aware that their banking activities were susceptible to the scam. This has helped to prevent more customers from falling prey to the scam,” it said.

The scale of the phishing scam has since attracted calls for banks and financial institutions to take greater responsibility for the losses of customers who are conned by such nefarious scams.

Based on an MAS circular sent to financial institutions last August, the issue of who bears the loss in these cases is still being reviewed by the authorities.

Ms Helen Wong, OCBC’s group chief executive officer, apologised on Monday for the bank’s response, adding that its banking systems and digital banking platforms are safe and secure.

“Digital banking remains a convenient way to do banking. We do not want this scam to take that away from us. But scammers are increasing in sophistication,” she said.

“Therefore, I urge everyone to stay alert and do your banking only at the bank’s official websites and on the official mobile apps.

“Together with the Association of Banks in Singapore and the Monetary Authority of Singapore, the industry will review to further strengthen the anti-fraud detection and prevention measures.”

.

=======

“The first recorded use of the term ‘phishing’ was in the cracking toolkit AOHell created by Koceilah Rekouche in 1995, however it is possible that the term was used before this in a print edition of the hacker magazine 2600. The word is a leetspeak variant of fishing (ph is a common replacement for f), probably influenced by phreaking, and alludes to the use of increasingly sophisticated lures to ‘fish’ for users’ sensitive information.”

.

====

MAS considers action against OCBC for phishing scam

A man walks out of an OCBC Bank branch in Singapore on Oct 8, 2019.

SINGAPORE — Singapore’s central bank said on Monday (Jan 17) it will consider supervisory action against the country’s second-biggest lender Oversea-Chinese Banking Corp (OCBC), after hundreds of its customers were hit by a phishing scam last month.

Reported losses from the scam amounted to at least S$8.5 million in December and ensnared at least 469 customers.

“MAS takes a serious view of the recent phishing scams involving OCBC Bank. They have significantly impacted several customers,” the Monetary Authority of Singapore’s (MAS) deputy managing director (financial supervision) Ho Hern Shin said in a statement.

“MAS has been following up with the bank on these and broader issues relating to the incident,” she added.

The central bank said OCBC will conduct a thorough probe to identify deficiencies in its processes and implement necessary measures, after which “MAS will consider appropriate supervisory actions”.

In a separate statement, OCBC said it was making goodwill payouts to customers hit by the SMS phishing scam after reviewing each case and acknowledged that its incident response and customer service should have been better.

It said the scam was particularly aggressive and highly coordinated, and preyed on people’s fear there were issues with their accounts or credit cards.

“MAS expects all affected customers to be treated fairly,” said Ms Ho.

“MAS expects all financial institutions to have robust measures for fraud prevention, detection, and remediation, and to provide prompt assistance to customers who have been victims of scams.  We are working with the Association of Banks in Singapore on industry-wide measures that may need to be taken to ensure that digital banking remains secure, efficient, and trusted.” REUTERS

.

======

.

What are the loopholes for the banks to fix?

Some three months ago, I received advice from DBS that they would stop the use of the manual token and replace it with the SMS/handphone-generated OTP.

I was hesitant and reluctant to make the switch. I know that sooner or later some bank customers will be hit hard by this change when crooks use phishing scams on them.

Who among the banks’ CEOs have approved this switch and why? Or, was it approved and directed by MAS and/or the ABS?

Who will stand up and admit to this change, which has affected 469 victims within weeks, and they lost in total S$8.5 million to the crooks?

I hope all the banks will fix the loopholes:

1] restore the use of the manual token to generate the OTP. It should not be optional.

2] stop the generating of the OTP via sms/handphone;

3] have a secondary password for every account, including deposit accounts, that belongs to the same customer; the request for the secondary password must be authenticated by entering the OTP from the manual token. To execute a transaction on each account, the secondary password is needed. The primary password and OTP will be used to enter the account as a whole but will not give access to each and every account of the same person to execute a transaction unless the secondary password is authenticated and entered separately.

4] for every transaction involving changing the email address or phone number, adding a new payee, or increasing the payment/transfer amount in each account, the notification to the customer must be sent to the previous email address and phone number of the customer to ask for the OTP number generated from the manual token;

5] every payment or transfer of money from the account to a new payee or to an overseas account can only be executed after a 24-hour holding period, and it must be authenticated by entering the OTP number generated from the manual token. The request for the OTP number must be sent to the old email address and phone number of the customer if changes were made to it within the last 30 days.
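
Proposals 4] and 5] above amount to a small decision procedure, sketched here as an added example that is not code from any bank. The function names, the sample contacts and the reading that a contact change is confirmed through the details on file before the change are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

HOLD_PERIOD = timedelta(hours=24)       # proposal 5: holding period
CONTACT_LOOKBACK = timedelta(days=30)   # proposal 5: "within the last 30 days"


@dataclass
class Contact:
    email: str
    phone: str


@dataclass
class Customer:
    contact: Contact                              # details currently on file
    payees: set = field(default_factory=set)      # payees already set up
    previous_contact: Optional[Contact] = None    # details before the last change
    contact_changed_at: Optional[datetime] = None


def otp_contact(c, now):
    """Where the OTP request goes: the old details if they changed within 30 days."""
    recent = (c.contact_changed_at is not None
              and now - c.contact_changed_at <= CONTACT_LOOKBACK)
    if recent and c.previous_contact is not None:
        return c.previous_contact
    return c.contact


def change_contact(c, new_contact, now, token_otp_ok):
    """Proposal 4: a change of email/phone is confirmed via the previous details."""
    notified = otp_contact(c, now)
    if not token_otp_ok:
        return "REJECT", notified
    # A second change inside the window keeps the original details as "previous",
    # so chained changes cannot push the owner's real contact out of the loop.
    c.previous_contact = notified
    c.contact = new_contact
    c.contact_changed_at = now
    return "APPLIED", notified


def review_transfer(c, payee, overseas, requested_at, now, token_otp_ok):
    """Proposal 5: new-payee or overseas transfers wait 24 hours and need a token OTP."""
    notified = otp_contact(c, now)
    if payee in c.payees and not overseas:
        return "NOT_COVERED", notified   # proposal 5 does not address this case
    if not token_otp_ok:
        return "REJECT", notified
    if now - requested_at < HOLD_PERIOD:
        return "HOLD", notified
    return "EXECUTE", notified
```

In every branch the second return value is the contact that receives the OTP request, which is what lets the account owner notice a change or transfer they did not start.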

.

=====

.

OCBC phishing scam: Banks should stop using SMS to communicate with customers, experts say
  • Two cybersecurity experts said SMS has been known to be an insecure form of communication
  • They suggested that banks stop sending out one-time passwords to customers via phone text messaging
  • At least S$8.5 million have been lost in phishing scams linked to SMS that affected nearly 470 OCBC bank customers
  • The authorities are doing a trial of a registry that can block spoofed SMS but the system is not foolproof

SINGAPORE — In the wake of a recent phishing scam involving hundreds of OCBC bank customers, some cybersecurity experts are suggesting that banks here do away with communicating important information such as verification codes via SMS.

This is because SMS, which stands for Short Message Service and is sent via mobile phones, has been known to be insecure for a very long time and has led to several forms of scams in the past, they told TODAY on Tuesday (Jan 18).

Many of the nearly 470 affected OCBC customers, who lost at least S$8.5 million in all to the phishing scams, were fooled by fake SMS messages that appeared in the same thread as legitimate text messages by OCBC for one-time passwords (OTPs) and transaction alerts.

The swindlers impersonated the bank by having their sender name as “OCBC”, claiming that there were issues with the customer’s bank accounts or credit cards and instructing them to click on a link in the SMS message that led the customer to a fake banking website.

Mr Kevin Reed, chief information security officer at cybersecurity firm Acronis, told TODAY that a much better approach would be for banks not to use SMS at all for such notifications.

If banks stopped communicating important information via SMS, customers would be more alert and wary when they receive a text message purportedly from the bank.

Without SMS messages, customers would more likely log in to the bank’s official portals, applications or websites to view messages from the bank.

OCBC, on its part, has been reminding customers not to click on links in SMS messages purportedly sent by the bank, adding that the bank will never send one to inform them about account closures or reactivation.

However, it is hard for customers to remember these instructions, Mr Reed said.

“I still see people who are security professionals being successfully phished, so it’s hard and we cannot expect the consumers to make (the right) decisions, especially in a situation like the one that happened,” he added.

“I think the banks and the telcos are the ones that need to step up and not just publish instructions on a website.”

OCBC did not respond to a request to comment for this story. TODAY has also asked the Infocomm and Media Development Authority (IMDA) and the Monetary Authority of Singapore (MAS) about what steps they are taking to prevent such attacks from happening again.

HOW SMS ONE-TIME PASSWORDS ARE EXPLOITED

One weakness pointed out by experts who spoke to TODAY was that banks are using SMS to provide customers with OTPs, which are codes that customers use to verify their identity.

However, hackers have used several methods of obtaining such OTPs in past attacks:

  • A hacker can call up the telecommunications company of a victim’s mobile phone plan and convince the telco to send him a new SIM card for the phone number, with personal information he has obtained about the victim
  • Some malware disguised as applications have also been known to steal OTPs from a user’s phone
  • Hackers have been able to intercept text messages containing OTPs by targeting flaws in the international telecommunications network

The experts suggested that banks revert to using physical tokens that generate OTPs as they had in the past, or rely on other forms of software authentication such as Google Authenticator or the Government’s SingPass authentication system.

Mr Lim Yihao, head of intelligence for Asia Pacific at cybersecurity firm Mandiant, said that doing away with SMS OTPs will reduce SMS scams, but warned that it will not put a stop to attacks on bank customers’ money.

“Most likely, (hackers) will shift their tactics to target the new authentication mechanism instead.”

WHAT’S BEING DONE TO STEM SPOOF TEXTS

On Monday, OCBC bank outlined how fraudsters were able to send spoofed messages to its customers via an SMS aggregator, which are intermediaries that handle SMS for businesses.

When customers click on the phishing link in the SMS message and key in their log-in details — including their OTP — on the fake website, the fraudsters then use those details to log in to the victims’ bank accounts.

From there, the fraudsters are able to request to activate a digital token that allows them to receive OTPs from the bank on their device, allowing them to make transactions.

This scam tactic is not entirely new. In 2020, the police said that at least S$600,000 was lost between January and May that year to spoofed SMS messages from “banks” claiming that the customer’s accounts had been suspended or deactivated.

Last August, IMDA and MAS launched the Singapore SMS SenderID protection registry.

The registry allows organisations to register their sender ID, which are the names that appear on SMS messages instead of mobile numbers. When fraudsters try to send messages using a sender ID that is registered, the message will be blocked.

In reply to a reader’s letter to The Straits Times on Monday, IMDA said that “some banks” signed up when the registry was started. E-commerce platform Lazada and Singapore Post are also on the registry.

“We urge more businesses and organisations that use SMS sender IDs to do so,” IMDA wrote.

Mr Tobias Gondrom, United Overseas Bank’s group chief information security officer, told TODAY that it was among the first Singapore banks to join the pilot for the registry.

“Given the possibility of scammers to spoof SMS sender names in the current telecommunications infrastructure, we see this pilot as a positive step towards preventing scammers exploiting consumers,” he added.

More than 1,500 people have signed an online petition to get IMDA to require all organisations in Singapore to register with the authorities before being allowed to send SMS messages with sender IDs.

The SMS SenderID protection registry is run by global trade body Mobile Ecosystem Forum (MEF), which developed and ran a registry in the United Kingdom where it is based.

Besides Singapore and the UK, similar registries are being run by MEF in Ireland and Spain.

In response to TODAY’s queries, MEF’s registry project director Mike Round explained how the registry works:

  • Participating merchants register the sender IDs they use in SMS, such as “OCBC”
  • SMS aggregators provide information to MEF and the participating merchants whenever they get a request to send an SMS using a sender name that is registered to a merchant
  • The merchant can then choose whether to allow or block that message from being sent

In the UK, 23 merchants have signed up to be part of the registry. They include the major banking groups, postal service Royal Mail, retailers as well as five government agencies.

Mr Round said that the initial monitoring and discovery phase for the registry in Singapore is “working well”, but stressed that the registry is not foolproof in rooting out SMS phishing attacks.

“The success of the project relies on changing the behaviour of fraudsters. To this end, our experience in the UK and Ireland proves the registry to be extremely effective,” he said.

However, Mr Reed from Acronis said he “highly doubts” that such a measure will be successful.

One way hackers can bypass the registry’s checks, he said, could be by getting access to a telco, such as one in a developing country that may not have strong security.

That way, the hackers will be able to send spoofed messages directly to customers via the compromised telco.

Mr Lim from Mandiant said that requiring businesses to register their sender IDs could work in the short term, but cyber criminals’ tactics change constantly.

Ultimately, he added, all organisations must be kept up to date on the latest methods employed by these criminals and update their security systems accordingly.
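
The registry flow Mr Round describes, together with the limitation Mr Reed raises, can be modelled in a few lines. This is an added example, not part of the article and not MEF's software; the aggregator and client names, the allow-list used to stand in for the merchant's decision, and the case-insensitive comparison are assumptions made for illustration.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class SendRequest:
    aggregator: str   # intermediary asked to deliver the SMS
    client: str       # aggregator customer submitting the message
    sender_id: str    # name shown on the handset instead of a number


@dataclass
class SenderIdRegistry:
    owners: dict = field(default_factory=dict)        # sender ID -> merchant
    allowed: dict = field(default_factory=dict)       # merchant -> {(aggregator, client)}
    participating: set = field(default_factory=set)   # aggregators that report in
    reports: list = field(default_factory=list)       # what registry and merchant see

    @staticmethod
    def _key(sender_id):
        # Assumption: sender IDs are compared case-insensitively.
        return sender_id.strip().casefold()

    def register(self, merchant, sender_id, allowed_senders):
        """Step 1: a merchant registers a sender ID it uses."""
        self.owners[self._key(sender_id)] = merchant
        self.allowed.setdefault(merchant, set()).update(allowed_senders)

    def submit(self, req):
        """Steps 2 and 3 for one request: returns SENT, BLOCKED or UNCHECKED."""
        if req.aggregator not in self.participating:
            # The registry never sees this route, so it cannot act on it.
            return "UNCHECKED"
        merchant = self.owners.get(self._key(req.sender_id))
        if merchant is None:
            return "SENT"   # sender ID not registered: nothing to enforce
        # Step 2: the aggregator reports the request to the registry and merchant.
        # Step 3: the merchant allows or blocks (modelled here as an allow-list).
        ok = (req.aggregator, req.client) in self.allowed[merchant]
        decision = "SENT" if ok else "BLOCKED"
        self.reports.append((merchant, req, decision))
        return decision


def run_constructed_traffic():
    """Feed constructed requests through the model and return the outcomes."""
    reg = SenderIdRegistry(participating={"agg-1", "agg-2"})
    reg.register("OCBC", "OCBC", {("agg-1", "bank-messaging")})
    traffic = [
        SendRequest("agg-1", "bank-messaging", "OCBC"),     # the merchant's own channel
        SendRequest("agg-2", "unknown-client", "OCBC"),     # registered ID, unapproved sender
        SendRequest("agg-1", "unknown-client", "ocbc"),     # same ID after normalisation
        SendRequest("agg-2", "parcel-shop", "ParcelShop"),  # ID nobody has registered
        SendRequest("carrier-outside", "unknown-client", "OCBC"),  # non-participating route
    ]
    return [reg.submit(r) for r in traffic], reg.reports


if __name__ == "__main__":
    outcomes, reports = run_constructed_traffic()
    print(outcomes)
    print(len(reports), "requests reported to the merchant")
```

The last request is the case Mr Reed describes: a message that reaches handsets without passing through a participating aggregator is never reported, so the registry has nothing to block.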

.

========

.

Do not panic…

Solutions for account holders. Have two bank accounts with two banks.
Keep all your money in the first account.
The first bank account shall be used only to transfer money to your second bank account, which shall be used for making payments of bills, etc. and for drawing cash from the ATM.
No payment shall be made from the first bank account.
Keep a minimum balance in the second bank account, keep the balance low.
Do not panic about your first bank account. When you encounter anything such as threats, go to the bank in person immediately to check on it.
.

Why do the DBS and POSB accounts of a holder have the same email address, password, phone number, etc.? Cracking one account will mean all the other accounts are compromised and penetrated by the crooks.

All banks should have a secondary password for each account of the same person.

.

=======

.

Possible solution:
All banks should have an auto voice reply [in four languages] to a phone call and say:
“If you have been threatened that your account will be closed, please go to our branch to clarify. Do not phone in, and do not use the Internet to respond to the threat.”
=======
Phoning in will not be useful as the lines will be overloaded with calls.
Go to the branch of the bank to sort it out.
Do not respond to the threat online or via Internet, etc.
===========
S$8.5 million gone, cheated. Sad.
Many will not welcome and see sunrise on 1st Jan 2022 in joy and happiness.
One more day to 1st day sunrise.
Many will not be able to be happy, in unity, love and harmony, and have no grudges. Why?
.

.

=======

.

I prefer the manual token as no one will/can break into my house to get hold of it. It is the safest. OTP via SMS is not safe when the crooks have taken control of your account.

.

=====

.

OCBC Bank has made goodwill payments to SMS scam victims since Jan 8

The bank said more than 30 customers have received the payouts so far.

SINGAPORE – OCBC Bank said on Monday (Jan 17) that it has already been making goodwill payments to customers who lost funds from their bank accounts in a recent spate of SMS phishing scams.

The bank said it has been doing so since Jan 8 and that more than 30 customers have received the payments so far.

“The payouts to this group of customers are made on a goodwill basis after thorough verification, taking into account the circumstances of each case,” OCBC said, adding that affected customers will be contacted as soon as the review and validation process for their cases is completed.

Nearly 470 customers lost at least $8.5 million to fraudulent fund transfers in December last year after scammers posed as OCBC and sent SMSes to victims with links to phishing sites.

The bank did not reveal how much it has paid out or if it intends to fully compensate every victim, when asked by The Straits Times.

As the investigations into the cases are extensive, involving multiple checks and parties, the bank said that it needed more time to get back to affected customers to address their concerns.

“I sincerely ask our customers to allow us the time to conduct a thorough review and validation before we inform them of the payouts,” said OCBC Bank group chief executive Helen Wong.

“We seek our customers’ patience and understanding as investigations are complex, and we apologise that our response fell short of our customers’ expectations during their time of distress.”

Some victims claimed that the bank took a long time – 20 minutes or more in some instances – to respond to their calls for help after they noticed suspicious activities. By the time the bank was able to act, the victims had lost much of their funds.

Many victims reportedly fell for the ruse because the fake SMSes were grouped by their phones together with legitimate messages previously sent by the bank for one-time passwords and transaction alerts.

This happened as the scammers had spoofed the OCBC name used for sending out official SMSes.

With the details, including one-time passwords that they stole, the fraudsters made fund transfers, in some cases wiping out victims’ life savings.

OCBC on Monday said that the scam, which it described as “particularly aggressive and highly coordinated”, preyed on people’s fear that there was an issue with their bank accounts or credit cards.

Victims had clicked on a link in SMS messages, which led them to a bogus bank website where they keyed in their Internet banking account login details.

Past cases of SMS phishing scams largely targeted consumers with “too good to be true” deals.

The bank also sought to address criticisms from some customers that claimed they did not receive sufficient warnings on the scams, which surfaced in early December and became more aggressive during the year-end holiday period.

OCBC said that since Dec 3, it has issued multiple alerts and warnings to its customers, such as on its website, Internet and mobile banking login pages, e-mails and social media channels.

Media advisories from the bank were also issued on Dec 23 and 30, and SMS texts were sent to all customers on Dec 30 and Jan 4.

OCBC added that it reached out to customers who might not be aware that their banking activities were susceptible to the scam. “This has helped to prevent more customers from falling prey to the scam,” it said.

Ms Wong assured customers and members of the public that OCBC’s banking systems and digital banking platforms “are safe and secure”.

“Digital banking remains a convenient way to do banking. We do not want this scam to take that away from us,” she said.

However, she pointed out that scammers are becoming more sophisticated and urged customers to stay alert and bank only at OCBC’s official websites and official mobile apps.

.

============

.

Make banks pay for phishing scam losses
Those pushing for digitalisation have duty to provide for adequate redress when banks fail to do so
Han Fook Kwang
Editor-at-Large
In July, Finance Minister Lawrence Wong announced that MAS was reviewing the matter and that it will take till the end of that year.
PUBLISHED 3 HOURS AGO on 16th Jan 2022 in Sunday Times.
If you receive an SMS from your bank telling you there is a problem with your account and that to fix it, you need to go to its website through the link provided, what would you do?
Okay, you have a suspicious mind and you do not ordinarily fall for the usual online scams like helping a Nigerian get his money out of the country.
You look at the SMS again and find that it comes from the same thread as previous bank messages.
In fact, it is in the same thread which the bank has been sending you one-time passwords (OTPs) for all the online transactions you have been making.
How can it not be legitimate?
So you click on the link and it takes you to what looks like the bank’s log-in website, with its logo and all the usual features in place, as professionally done as what you would expect from a rock-solid bank.
You log in with the OTP which has been sent to your mobile phone in that same SMS thread.
And that is when your entire savings get transferred out, leaving you with exactly zero dollars in your account.
It is as if you have gone to the physical bank to withdraw all your money and somewhere in the bank – or maybe it was just outside the bank, you are so confused you don’t know exactly where – someone points a gun at you and relieves you of all your cash.
I think this must have been how those 469 OCBC Bank customers felt when they fell for this scam last month, losing $8.5 million altogether.
Among them: a 38-year-old software engineer who lost $250,000 that he had been saving since 2010; a young couple whose $120,000 was money to start a family; and a mother of seven whose savings of $100,000 disappeared, out of which $60,000 was in her children’s Young Savers Account.
The tragedy is that this fraud, using what is known as spoofed telephone numbers that impersonate caller IDs to trick victims into thinking the text messages originate from OCBC, isn’t new or terribly sophisticated.
It has been used for some time, especially over the last two years, and both the police and banks were well aware of the increased prevalence.
As a result, in July last year, the police issued a statement that these scams affecting banks’ customers had re-emerged, resulting in 374 of them losing $1.07 million from January to May.
This was what it said: “As the scammers had spoofed the bank’s SMS accounts, the scammers’ message might appear in the same SMS conversation thread as a bona fide SMS message from the bank.”
This was five months before the December OCBC incident. Same old trick, yet so many still fell for it.
It raises the question whether banks have done enough to take preventive and pre-emptive steps to safeguard their customers’ money when they knew the danger was clear and present.
I do not have an account with OCBC, but when I checked my DBS SMS thread from July when that police statement was issued, there was not a single message from it warning me of this threat.
A friend had a closer shave.
He received the same scam message as those 469 on Dec 17, which meant that he might have been one of the earliest targeted.
He immediately informed OCBC about it, adding that it should alert all its customers.
Alas, according to him, he did not hear from it until Jan 4, when he received an SMS text from the bank alerting him of these scams.
This was almost three weeks after his first call to the bank and well after those 469 had been robbed.
In fact, of those three persons cited above who lost their entire life savings, two were scammed on Dec 28 and one on Dec 21, quite some time after my friend alerted OCBC.
If the bank had been more alert to the problem and warned its customers more proactively, they might not have fallen victim.
Are banks too complacent and slow in taking the necessary steps to safeguard their clients’ money?
It baffles me why so many of them did not send SMS messages to their clients warning them of the impending danger.
What will prod them to be more proactive in dealing with the problem?
I can think of one way – make them pay, if not all, at least a substantial amount of the losses suffered by their clients.
Under existing laws, they are not obliged to, as they will argue that the customers were negligent in falling for the scam.
In fact, they are always quick to say that their security systems were not compromised. No one hacked into and broke through their defences.
In other words, they were not at fault as all the trickery took place outside of the bank and inside their customers’ own mobile phones.
But this is not satisfactory, and it is unfair for unsuspecting people to have to bear all the burden of having to look out for devious crooks who know everything about what makes a person vulnerable to these tricks.
To be fair, the Government recognises that more should be done to address these issues, particularly over the question of how to define more clearly where banks’ and customers’ liabilities and responsibilities fall.
In July, Finance Minister Lawrence Wong announced that the Monetary Authority of Singapore (MAS) was reviewing the matter and that it will take till the end of that year.
He also added that banks were already flexible in reimbursing their clients’ losses, taking into account the merits of each case.
All eyes will now be on how OCBC deals with its affected clients and demonstrates exactly how flexible it is.
MAS should use this latest scam as a case study and seek a fairer balance that takes into account the vulnerability of customers to the increasing sophistication of online scammers.
If banks are held to a higher standard of accountability, even when there is no security breach in their own systems, they will have a greater incentive to do more to prevent such fraud.
If they are liable for some or all of these losses, you can bet they will do more to outsmart the crooks.
But there is also the danger that if customers believe they are completely insured against all losses, they will let their guard down and not do their bit to ensure safe banking.
There is a moral hazard which needs to be addressed and the balance set appropriately.
The most important issue is public confidence in the banking system which is even more critical now that Singapore has moved aggressively into the digital world, involving more and more activities and transactions.
We are constantly told by the authorities that digitalisation is the way forward for the country and will give it a competitive advantage.
Those pushing this transformation have a duty to make this new world safe for all, and to provide for adequate redress when banks and other financial institutions fail to do so.
For those 469 cheated bank customers, their confidence in the banking system has been completely shattered.
It needs to be restored quickly.
• Han Fook Kwang is also senior fellow at the S. Rajaratnam School of International Studies, Nanyang Technological University.
.

=====

.

Forum: More banks should sign up for pilot to protect SMS sender ID
PUBLISHED 5 HOURS AGO on 17th Jan 2022 in ST Forum.
We refer to Mr Koh Wai Kit’s letter, “Telcos the first line of defence against spoof traffic” (Jan 15), Straits Times editor-at-large Han Fook Kwang’s commentary “Make banks pay for phishing scam losses” (Jan 16), and the article, “7 ways to stem the scourge of scams and phishing” (Jan 16).
Scams are a cause of concern worldwide. In Singapore, there has been ongoing work to combat this, including identifying the risks of scams from spoofed SMS sender IDs.
In August last year, the Infocomm Media Development Authority (IMDA) initiated the Singapore SMS SenderID protection registry pilot, in collaboration with the Monetary Authority of Singapore (MAS).
This registry enables organisations to register the SMS sender ID headers they wish to protect. When there is unauthorised use of this protected SMS sender ID, the messages will be blocked.
The success of this measure, however, requires businesses and organisations such as banks to participate in the pilot, which would include registering the SMS sender IDs they wish to protect, and choosing the approved SMS aggregators that are allowed to send SMSes on the banks’ behalf.
When the registry was initiated, some banks signed up for the registry. Other organisations such as Lazada and SingPost also signed up. We urge more businesses and organisations that use SMS sender IDs to do so.
In addition, Singapore’s telcos have been collaborating with IMDA to introduce other sectorwide measures, which include blocking commonly spoofed numbers, prefixing all incoming international calls with “+65” to alert the public to a potential scam call and educating their users to recognise and avoid scams.
Scams will evolve and new threats will emerge. IMDA will continue to work with all partners to enhance mitigating measures.
For more information on scams, members of the public can visit www.scamalert.sg or call the Anti-Scam Hotline on 1800-722-6688.
Foo Wen Dee
Director
Communications and Marketing
Infocomm Media Development Authority
.
======
.
Forum: Industry standard needed for banks’ security protocol, customer service
PUBLISHED 5 HOURS AGO on 17th Jan 2022 in ST Forum.
I am writing in response to Ms Siti Raudhah Mohd Ali’s plight of losing her savings to the scam targeting OCBC Bank customers (Scammed of $100,000, but fault is not mine alone, Jan 15).
I sympathise with the victims of these scams and am concerned about their loss.
But I am also confused by the handling of the scams by OCBC.
From reading Ms Siti’s account, and others that have been published, it seems that there was a small window during which the victims were trying to salvage the situation but were let down by the slow response by OCBC’s customer service.
I bank with Standard Chartered, which actively sends me messages when I make online purchases that are out of my usual pattern.
The bank sends me SMSes about the purchases – “reply 1 if you made the transaction, reply 2 if you did not” – and forces me to reply, with recurring messages reminding me to acknowledge the message.
Should I send an SMS indicating that the purchase was not made by me, my account is immediately frozen and a customer service agent calls me immediately to check on my situation.
There is also an option on the bank’s phone line to immediately inform it that a scam is taking place.
The common thread I noticed with these scams is that urgency is needed to salvage the situation, and appropriate mental and emotional support needs to be provided for victims like Ms Siti after they have lost their life’s savings.
Shouldn’t there be a banking industry standard for security protocols and for customer service when it comes to scams, especially as such cases are rising?
This is especially a concern as many of the people affected are no longer just the elderly, who may be more gullible, but younger, more educated persons.
I hope these discussions can not only bring about much-needed changes in the banking industry, but also give the victims the restitution they deserve.
Ruth Amsani Perry.
.

====

.

MAS considers action against OCBC for phishing scam

A man walks out of an OCBC Bank branch in Singapore on Oct 8, 2019.

SINGAPORE — Singapore’s central bank said on Monday (Jan 17) it will consider supervisory action against the country’s second-biggest lender Oversea-Chinese Banking Corp (OCBC), after hundreds of its customers were hit by a phishing scam last month.

Reported losses from the scam amounted to at least S$8.5 million in December and ensnared at least 469 customers.

“MAS takes a serious view of the recent phishing scams involving OCBC Bank. They have significantly impacted several customers,” the Monetary Authority of Singapore’s (MAS) deputy managing director (financial supervision) Ho Hern Shin said in a statement.

“MAS has been following up with the bank on these and broader issues relating to the incident,” she added.

The central bank said OCBC will conduct a thorough probe to identify deficiencies in its processes and implement necessary measures, after which “MAS will consider appropriate supervisory actions”.

In a separate statement, OCBC said it was making goodwill payouts to customers hit by the SMS phishing scam after reviewing each case and acknowledged that its incident response and customer service should have been better.

It said the scam was particularly aggressive and highly coordinated, and preyed on people’s fear there were issues with their accounts or credit cards.

=========

“MAS expects all affected customers to be treated fairly,” said Ms Ho.

“MAS expects all financial institutions to have robust measures for fraud prevention, detection, and remediation, and to provide prompt assistance to customers who have been victims of scams.  We are working with the Association of Banks in Singapore on industry-wide measures that may need to be taken to ensure that digital banking remains secure, efficient, and trusted.” REUTERS

.

=========

.

Get it back. Good.
But it will set a precedent.
Many will become more complacent, throw caution to the wind and give out their personal details like goodies with no concern, knowing that they will get their money back.
.
======
.
Can fraud victims get their money back if they gave scammers their bank details?
Kenny Chee
Senior Tech Correspondent
PUBLISHED JAN 11, 2022, 6:14 PM SGT on 15th Jan 2022 in Straits Times.
SINGAPORE – Victims misled into giving out their banking details in phishing scams are often responsible for the funds lost, especially if bank information technology systems are up to mark and not compromised, say lawyers.
However, financial institutions can be held liable if they are found to be negligent or have breached their contracts with customers, such as by not patching their systems regularly.
Mr Marshall Lim, a partner at RHTLaw Asia, said a bank’s responsibility to customers is typically spelt out in the terms of contract, which limits their obligations to customers.
“If that is the case, the banks may not be responsible for money that you have lost through fraud, especially if you had authorised the transaction, and even if you were tricked into doing so,” added Mr Lim.
This includes situations such as phishing scams, where messages and e-mails customers receive appear legitimate and may even seem to come directly from the bank.
Pinsent Masons MPillay lawyer Bryan Tan said: “The only way to reverse the liability on a customer is if the bank knew about the fraud or facilitated it, or vice versa.”
In this scenario, it would be a matter of how the liability is shared.
Their comments come in the wake of a spate of SMS scams.
A police statement on Dec 30 revealed that nearly 470 OCBC Bank customers had lost at least $8.5 million since the beginning of December to scammers sending unsolicited SMSes to victims, claiming there were issues with their banking accounts.
The text directed bank customers to click on a link in the message to resolve the issue. This led to fake bank websites where victims keyed in their Internet banking account login details.
Victims said they were fooled because the fake SMS texts had appeared in the same message thread as the genuine ones OCBC previously sent to customers for one-time passwords or transaction alerts.
The bank, in a statement on Dec 23, said the scammers could do this because they had spoofed the name of the sender of the scam texts as OCBC.
This enabled them to group fake messages with genuine SMSes.
Mr Steven Lam, a director at Templars Law, said customers may not be able to claim against a bank if they shared their OTPs or had logged on to websites without checking if they were genuine.
Mr Tan noted that banks’ terms and conditions usually exclude liability for the uncertainty in electronic communications, such as delays in delivering messages about transactions which could have alerted a customer of suspicious activities.
One victim who spoke to The Straits Times said there was a more than three-hour delay between the time the bank sent him a genuine text message to alert him to some transactions and when he received it.
If the victim of a fraudulent transfer reports the matter to the bank and the financial institution takes a very long time to freeze the affected bank account, Mr Lam said that the bank could be seen as being negligent for not acting fast enough.
But, again, the bank might have exclusion clauses that seek to remove responsibility from the bank for its slow action.
Still, “it’s for the courts to decide if the bank’s exclusion clauses are reasonable”, said Mr Lam.
Another instance in which a bank might be considered negligent when fraud happens is if the bank’s IT system does not meet industry standards, such as not patching software regularly, which then allows hackers to compromise the system.
However, if a bank’s risk detection system fails to detect fraudulent transactions but the system satisfies industry requirements, the bank might not be negligent, said Mr Lam.
Better safeguards for victims of fraud are on the cards.
The Monetary Authority of Singapore (MAS) is leading a task force to review how to apportion the liability of a fraudulent online transaction between affected consumers and financial firms.
Announced in July last year, the task force will also review practices that the financial industry can put in place to better protect consumers against scams and fraudulent transactions.
Mr Lam said that the task force could consider the possibility of insurance coverage to protect against fraudulent transfers but this would mean more costs which could be passed to consumers.
“Alternatively, multiple steps of verification could be put in place, but this also means more costs and greater inconvenience,” he added.
In a written parliamentary reply on Monday (Jan 10), Mr Tharman Shanmugaratnam, Senior Minister and Minister-in-charge of MAS, said that the Government is coordinating its efforts to address the growing scam threat through the Inter-Ministry Committee on Scams.
“One key area of progress has been the strengthening of funds recovery for victims of such scams. The Singapore Police Force works with banks in Singapore to freeze, within one day, domestic bank accounts receiving scam monies,” said Mr Tharman.
But he added that freezing overseas accounts is more challenging as it involves agencies in different jurisdictions.
But there has been some progress made recently, said Mr Tharman.
For example, between June and Sept 2021, the Singapore Police Force worked with its international law enforcement counterparts to smash 10 transnational syndicates.
The syndicates, which were involved in job scams, Internet love scams and impersonation scams, were busted by the Royal Malaysian Police and the Hong Kong Police Force.
.
========
.
Forum: Scammed of $100,000, but fault is not mine alone
PUBLISHED 5 HOURS AGO on 15th Jan 2022 in ST Forum.
I am Siti, a mother of seven wonderful children. A wife to a caring educator. And a victim of the recent scam targeting OCBC Bank customers.
On Dec 28 last year, at 11.47am, I received an SMS which looked very much like the other ones I have received from the OCBC SMS system, which read: “The transaction function of your OCBC account will be suspended. To prevent the account from being locked out, update it on December 28. Access bit.ly/3q****.”
At that time, I was occupied with my children and did not act upon it. At 2pm, I reread the SMS and followed the instructions and clicked on the link. It brought me to an authentic-looking site with the OCBC name.
As I was anxious about the account being suspended and I had some transactions to make to my children’s accounts later in the day, I did not think further, and keyed in my username and password and other relevant details and checked into my account.
A few moments later, I received a notification stating that my transfer limit had been increased to $100,000. When I noticed that, I immediately called OCBC as I had not approved this.
However, OCBC’s hotline is not equipped to immediately handle scams which are in progress.
I had to navigate an automated system for a long time before reaching a person.
By this wasted time, I had already received multiple notifications stating that monies were transferred out of my savings accounts and six of my children’s savings accounts.
In just a few minutes, almost $100,000 was gone.
We have since made a police report but we have been told that even though accounts are insured by up to $50,000, we are unlikely to have any of our funds returned to us as it was my mistake for clicking on the link.
How can the blame be pinned entirely on me when OCBC’s scam prevention measures are poorly equipped to urgently deal with a case as it is happening?
Siti Raudhah Mohd Ali
.
=======
.
It is a good idea to have a 12-hour holding period before changes to personal details become effective. It will only work if the bank systems send the notifications of the 12-hour holding period to the old phone number and the old email address. To beat the crooks, the banks must send the notifications to the old phone and old email address, as the smart crooks will change the phone number and email address to their own. Hope more ex-senior bankers will come forth with more brilliant ideas to beat the crooks.
.
=============
.
Why do the DBS and POSB accounts of a holder have the same email address, password, phone number, etc.? Cracking one account will mean all the other accounts are compromised, penetrated by the crooks. Banks should have a separate secondary-level password for each and every bank account, deposit account, etc., of the same person.
The primary password and OTP are for authenticated access to all the bank accounts of the same person on the Internet and computer.
The primary password and OTP should give no access to each bank account, as the secondary password will be required for the person to have access to each bank account separately. The secondary password will prevent the crooks from penetrating each bank account unless they know the secondary password.
.
=============
.
Banks should have a primary and secondary password system for their customers in this digital age of IT banking.
.
The scammers and crooks must know or be familiar with how the banking systems and IT systems work. They have either worked in the banking industry before or have an accomplice who works in the banking sector or in the IT department of a bank.
Without the banking and IT experience, or the support of fellow crooks in cahoots with them in the banking sector, it will be like a layman ‘like you and me’ trying to figure out which button to press to execute the scam/fraud in the IT banking system of a bank that is under attack.
.
===========
.
Forum: Banks should hold off key changes to account for 12 hours
PUBLISHED 5 HOURS AGO on 15th Jan 2022 in ST Forum.
Once again, the newspapers are filled with sad stories of people falling victim to scammers and losing their savings.
The modus operandi of scammers is to send a fake message to the individual, purportedly from the bank, that persuades the individual to provide not just his user identity and password, but also the one-time password sent to his mobile phone.
With these in hand, the scammer then takes control of the account.
The e-mail address and phone number are changed immediately, which diverts all communications on the account to the scammer.
New payees are added and transaction limits for fund transfers are increased. Even credit card limits are increased.
Funds are then siphoned off and the credit card used for shopping sprees. The account is drained.
The security system used by banks is generally sound, relying on a two-factor authentication system. There have been suggestions to improve security features further through the banning of SMSes, for example. No matter how good the systems are, the weak link is that there will always be individuals who fall for scams.
I suggest that banks put in an additional security feature – an execution hold on important changes to a customer’s profile.
All important changes, such as changing e-mail addresses and telephone numbers, adding new payees and increasing transaction limits, should be subjected to a 12-hour hold.
Upon receiving such instructions, the bank should immediately send an SMS and e-mail to the customer informing the customer that a request has been made, and the changes would be effective in 12 hours’ time if there is no objection from the customer.
This will give the customer adequate time to receive the message and take necessary action if the changes are fraudulent.
If the customer had indeed asked for the changes, there would be no need for any action and the changes would become effective after this holding period.
There may be some inconvenience to the customer since changes requested cannot be effective immediately, but I think a 12-hour wait would not compromise service quality or customer satisfaction.
In the old snail mail days, banks would write to the customer to inform him of a request to change the mailing address.
This suggested feature will act as a backstop for any scamming activity.
Kuo How Nam
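The execution hold proposed in the letter above, combined with the earlier comment that notices must go to the old phone number and e-mail address, sketched as an added example (it is not part of the letter or of any bank's system). `HoldQueue`, `Account`, the change names and the sample contact details are all hypothetical.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

HOLD = timedelta(hours=12)  # holding period proposed in the letter
HELD_KINDS = {"email", "phone", "add_payee", "transfer_limit"}  # changes the letter lists


@dataclass
class Account:
    email: str
    phone: str
    transfer_limit: int
    payees: list = field(default_factory=list)


@dataclass
class PendingChange:
    change_id: int
    kind: str
    new_value: object
    effective_at: datetime
    notify_email: str  # contact details on record when the request arrived
    notify_phone: str
    status: str = "pending"  # pending -> applied | cancelled


class HoldQueue:
    """Hypothetical execution-hold layer in front of a bank's profile updates."""

    def __init__(self, account):
        self.account = account
        self.pending = []
        self.outbox = []  # (channel, destination, text): stands in for SMS/e-mail gateways
        self._next_id = 1

    def _notify(self, change, text):
        # Always use the snapshot, never the live profile, so a contact change
        # that has since taken effect cannot redirect notices about this request.
        self.outbox.append(("sms", change.notify_phone, text))
        self.outbox.append(("email", change.notify_email, text))

    def request(self, kind, new_value, now):
        """Queue a change; nothing on the account is modified yet."""
        if kind not in HELD_KINDS:
            raise ValueError(f"unsupported change type: {kind}")
        change = PendingChange(self._next_id, kind, new_value, now + HOLD,
                               self.account.email, self.account.phone)
        self._next_id += 1
        self.pending.append(change)
        self._notify(change, f"Request #{change.change_id}: {kind} -> {new_value}. "
                             f"Takes effect {change.effective_at:%d %b %H:%M} unless you object.")
        return change

    def raise_objection(self, change_id, now):
        """Customer objection: cancel if still inside the hold. True if cancelled."""
        for c in self.pending:
            if c.change_id == change_id and c.status == "pending" and now < c.effective_at:
                c.status = "cancelled"
                return True
        return False

    def apply_due(self, now):
        """Apply every pending change whose hold has expired; return what was applied."""
        applied = []
        for c in self.pending:
            if c.status == "pending" and now >= c.effective_at:
                if c.kind == "add_payee":
                    self.account.payees.append(c.new_value)
                else:
                    setattr(self.account, c.kind, c.new_value)  # kind matches the field name
                c.status = "applied"
                self._notify(c, f"Request #{c.change_id} ({c.kind}) is now in effect.")
                applied.append(c)
        return applied


def takeover_attempt(customer_objects):
    """Constructed scenario: someone holding the login changes the phone number,
    then asks for a higher transfer limit an hour later."""
    t0 = datetime(2022, 1, 15, 14, 0)
    acct = Account("owner@example.com", "+65-0000-0001", 5000)  # constructed values
    q = HoldQueue(acct)
    phone = q.request("phone", "+65-0000-9999", t0)
    limit = q.request("transfer_limit", 100000, t0 + timedelta(hours=1))
    if customer_objects:  # owner reads the notices on the old phone and objects
        q.raise_objection(phone.change_id, t0 + timedelta(hours=2))
        q.raise_objection(limit.change_id, t0 + timedelta(hours=2))
    q.apply_due(t0 + timedelta(hours=12))  # phone change falls due here
    q.apply_due(t0 + timedelta(hours=13))  # limit change falls due here
    return acct, q
```

A request made after a contact change has already taken effect is notified to the new details, so the objection window on the contact change itself is the one that matters most.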
.
======
Forum: Telcos the first line of defence against spoof traffic
PUBLISHED 5 HOURS AGO on 15th Jan 2022 in ST Forum.
I refer to the recent spate of scams targeting bank customers.
The banks may be the last line of defence, but the telcos are the first line of defence.
Beyond the usual refrains about individual vigilance and public education, we need to look at the data and consider specific solutions.
What technological solutions are the telcos investing in or adopting to detect spoofs and scam calls and SMSes?
How do the regulators hold the telcos accountable?
Social media platforms like Facebook and Twitter are increasingly being held accountable for the content on their platforms.
Telcos must be held to similar standards of accountability and harm prevention.
Koh Wai Kit.
.
========
.
Forum: IC details needed for verification to protect data
PUBLISHED 5 HOURS AGO
We refer to Ms Cecilia Nathen’s letter, “Don’t ask for full IC number over the phone” (Jan 12).
Public sector agencies may request NRIC details to accurately identify an individual accessing government services.
SkillsFuture Singapore (SSG) asks for an individual’s NRIC number as part of identity verification, for certain queries made over the phone. The purpose is for data protection, to confirm that the caller is indeed who he says he is, before confidential information such as account details, grants and transaction details are shared over the phone.
In Ms Nathen’s case, as she had requested assistance with her SkillsFuture account which contains confidential information, her NRIC number was used to verify her identity.
We understand Ms Nathen’s concern and would like to assure her that personal data and call recordings are strictly confidential, and that SSG takes our responsibility as a custodian of individuals’ data seriously. As part of continuous improvement, we regularly review our identity verification process to be aligned to industry best practices.
Angelina Soh
Director, Integrated Business Services Division
SkillsFuture Singapore.
.
=========

.

The Straits Times’ Editorial says
Dealing with scourge of online scams
PUBLISHED 2 HOURS AGO on 12th Jan 2022 in ST.
Scammers using fake text messages have targeted at least 469 OCBC Bank customers in recent phishing scams in which the victims have lost around $8.5 million in total. OCBC is not the only bank to have been targeted by fraudsters: Customers of DBS Bank or POSB, too, have felt their malevolence. Indeed, banking scams are part of a wider criminal use of the Internet to compromise everyday computer and online activity, to say nothing of threatening telephone calls from fake authorities that make victims drop their guard and composure to go along with the tricksters’ demands. Scams are nothing new. If anything, they are like a mutating virus which evolves constantly, updating its technique every time the devious methods of a previous attack are uncovered, revealed publicly and dealt with.
Sophistication marks the attack on OCBC customers. It is apparent that scammers have access to advanced software that enables them to spoof telecommunications services and send SMSes that appear in the same threads used by real organisations. Even if victims do not provide their one-time passwords, they fall prey when they enter other bank details on fraudulent sites. In the circumstances, customers are entitled to ask whether Internet banking remains as safe as it is claimed to be. It is one thing for banks to say that their security systems have not been compromised, but another when unsuspecting customers find themselves duped of their money, which sometimes cannot be recovered.
Banks need to do more to protect depositors’ trust in the integrity of their IT systems. After all, digitalisation helps improve their efficiency, productivity and reach. It enhances their local and global status as well. Online banking has been a boon and convenience for many. But customers are right to expect greater protection from the wild fringes of the Internet. Banks should redouble their efforts and educate and remind their depositors regularly. Not being liable to pay compensation, when the fault is on the consumer’s side, does not absolve banks of being responsible for ensuring that their Internet banking systems are secure and trustworthy.
That said, banks also cannot be held solely responsible for the mistakes made by customers – who ought to be more alert, especially given the widespread publicity about phishing scams. Family, too, can play their part by alerting, educating and guiding especially their vulnerable members on the need for caution when it comes to revealing bank details over the Internet, or in any other form. The media can play a role to spread awareness of scams, so their readers are forewarned. At the end of the day, however, every online user owes it to himself or herself to internalise the dangers of fraud in its many forms being perpetrated over the anonymous Internet.
.
======
.
Forum: Don’t ask for full IC number over the phone
PUBLISHED 5 HOURS AGO on 12th Jan 2022 in ST Forum.
I called SkillsFuture Singapore for assistance on a problem I had with my SkillsFuture account, and was asked to give my full name and full NRIC number for the operator to verify my identity.
I am surprised that callers are still required to give full NRIC numbers for verification purposes or to facilitate checking of records, especially when the calls are being recorded.
Data breaches are not unusual nowadays. Recent cases have shown that no organisation, public or private, is immune to cyber attacks.
It is therefore disturbing that call recordings that contain names and NRIC numbers are being kept.
Organisations need to move away from asking for full NRIC numbers over the phone, and find other ways to verify a caller’s identity.
Cecilia Nathen.
.
=========
.
Forum: Lowest daily bank transfer limit seems too high
PUBLISHED 6 HOURS AGO on 12th Jan 2022 in ST Forum.
After the recent online scams, some experts advised customers to lower the daily limits for transfer between bank accounts.
I went into OCBC’s website and, to my surprise, learnt that the lowest limit is $5,000.
I hope the bank can let customers opt to lower this limit, or allow us to deactivate services that many of us do not use, such as overseas transfers.
If customers do not need such services, why leave them there for scammers to take advantage of?
Nelly Yap
.

=

.

OCBC Bank customer lost $120k in fake text message scam; another lost $250k

It took a man and his wife five years to save about $120,000, but in just 30 minutes, scammers using a fake text message stole the money they had kept in their OCBC Bank joint savings account.

The couple in their 20s were among at least 469 people who reportedly fell victim to phishing scams involving OCBC Bank in the last two weeks of December last year.

The victims lost a total of around $8.5 million.

Speaking to The Straits Times, the couple, who declined to be identified, said they had been saving up to start a family. They have not been able to get their money back.

The man works in the e-commerce sector while his wife is in the hospitality industry. The man said he received the phishing message with a link around noon on Dec 21 last year.

It claimed that an unknown payee had been added to their account, and instructed him to click on the link if it was not approved by him.

“The SMS looked like it came from OCBC and entered the usual SMS chat history from OCBC used for authentic banking services,” he said.

“The link took me to a site that looks exactly like the OCBC login page.”

He then entered his account details, unwittingly handing over control of the whole account to scammers.

They realised they had been scammed only when the man received SMSes from the bank informing him of changes and transactions involving the account that had taken place earlier that afternoon.

He showed ST his text message history. According to the timestamp, the bank sent him the alert at about 2pm, only for him to receive it past 6pm.

“Had we received the notifications on time, we would have been able to react faster, and perhaps been able to reach the relevant teams during the same business day to stop the transactions,” said the man.

After news broke that others had also been scammed, the couple decided to start a group for victims in an attempt to collectively seek answers.

Theirs was not the largest sum stolen.

A 38-year-old software engineer who fell prey to the same scam on Dec 28 told ST that he lost about $250,000 he had been saving since 2010.

The father of a young child with special needs said the loss has been devastating, and he has been hiding it from his family.

“It’s a horrible situation that impacts my whole life,” he said. “I didn’t know there was a scam going around… how would I have known?”

Eight victims have reached out to ST to share their frustration.

Responding to queries from ST, Mr Francisco Celio, head of group corporate security at OCBC Bank, said it has been assisting those affected.

“The recent SMS phishing scam impersonated OCBC and preyed on the fears of consumers about their personal bank accounts,” he said.

“It is particularly aggressive and highly sophisticated in duping consumers into disclosing their personal banking details despite repeated bank warnings to be alert and not to do so.”

The bank said it has since halted its plans to phase out physical hardware tokens by the end of March this year, and has also stopped sending SMSes with links in them in the light of the spate of phishing incidents.

OCBC launched its fraud surveillance system in 2016, and uses machine learning to assist in detecting and immediately flagging fraudulent transactions which are then reviewed by a fraud analyst.

It also implemented its anti-financial malware system in 2019. It is able to identify what device its banking services are accessed from.

Mr Celio added that OCBC’s banking systems remain safe and secure and have not been hacked.

A group of victims issued a statement to ST, alleging that the bank had not responded fast enough, failed to ensure the security of its SMS channel, and that remediation for customers was lacking.

“While the attack may have been particularly aggressive, it is OCBC’s duty to their customers to be ready for this,” they said.

Cyber security expert Anthony Lim, who is also a fellow at the Singapore University of Social Sciences, said scammers have advanced software enabling them to spoof telecommunications services and send SMSes that appear in the same threads used by real organisations.

He added that even if victims did not provide their one-time passwords (OTP), they would have sealed their fate when they entered other bank details on the fraudulent sites.

“Once the victim unwittingly responds by entering the bank account credentials, the hackers’ technologies can divert and capture a copy of the SMS OTP issued by the bank,” he said.

He also said there is a limit to how much a consumer can be protected, and that consumers need to be aware and protect themselves.

“Quite unfortunately, with regard to such message scams, there is only so much technology can do (to protect consumers),” he said.

“The best way to avoid falling prey to these is still awareness, and the accompanying scepticism.”


TIPS TO AVOID BEING SCAMMED

With scammers using more advanced technologies and software, the simplest advice may work best – be suspicious of messages sent via SMS or WhatsApp asking for personal details.

Cyber security expert Anthony Lim said consumers should take the following precautions when dealing with online transactions and banking details:

• Do not act in a hurry or under duress

• Do not respond to messages asking for personal credentials, passwords or PINs

• Be suspicious of messages sent via SMS or WhatsApp asking for personal details

• Never click on links in such messages

• Never download any attached file in such messages, however interesting or attractive it may be made out to be

Separately, OCBC Bank advises consumers not to access their bank accounts through SMS links.

Mobile access to bank accounts should always be done using the official banking or payment app, or by keying in the bank’s URL directly into the browser.

.

==========

.

Do not panic…

Solutions for account holders: have two bank accounts with two banks.
Keep all your money in the first account.
The first bank account shall be used only to transfer money to your second bank account, which shall be used for paying bills, etc. and for drawing cash from the ATM.
No payment shall be made from the first bank account.
Keep only a minimum balance in the second bank account; keep the balance low.
Do not panic over your first bank account. When you encounter anything such as threats, go personally to the bank immediately to check on it.
.

Why do the DBS and POSB accounts of one holder share the same email address, password, phone number, etc.? Cracking one account means all the other accounts are compromised and penetrated by the crooks.

All banks should have a secondary password for each account of the same person.

.

=======

.

Possible solution:
All banks should have an auto voice reply [in four languages] to a phone call and say:
“If you have been threatened that your account will be closed, please go to our branch to clarify. Do not phone in, and do not use the Internet to respond to the threat.”
=======
Phoning in will not be useful as the lines will be overloaded with calls.
Go to the branch of the bank to sort it out.
Do not respond to the threat online or via Internet, etc.
==============
S$8.5 million gone, cheated. Sad.
Many will not welcome and see sunrise on 1st Jan 2022 in joy and happiness.
One more day to 1st day sunrise.
Many will not be able to be happy, in unity, love and harmony, and have no grudges. Why?
.

============

.

Nearly 470 people lose at least $8.5m in phishing scams involving OCBC Bank

Victims received unsolicited SMSes purporting to be from the bank, claiming that there were issues with their banking accounts. ST PHOTO: CHONG JUN LIANG

SINGAPORE – Since the start of December 2021, at least 469 people have fallen prey to phishing scams involving OCBC Bank, with reported losses totalling at least $8.5 million.

Most of the amount was lost over the past two weeks, said the police in a media release on Thursday evening (Dec 30, 2021).

Over the Christmas weekend alone, OCBC said 186 customers lost about $2.7 million.

Victims received unsolicited SMSes purporting to be from the bank, claiming there were issues with their banking accounts and they had to click on a link given in the message to resolve the issue.

The link led to fake bank websites and victims were asked to key in their Internet banking account login details.


They discovered that they had been scammed when they received notifications that there were unauthorised transactions in their bank accounts.

“Once the funds have been fraudulently transferred out of the victim’s bank account, it would be challenging and difficult to recover the stolen monies,” said the police.

They added that OCBC Bank has warned its customers about the phishing SMSes via several channels, including its online banking platforms, social media page and media advisories.

Having seen an increase in such phishing scams, the police are urging the public to follow crime prevention measures.

First, do not click on dubious URL links provided in unsolicited text messages. OCBC will not send SMSes containing bit.ly links.

Second, always verify the authenticity of the information with the official website or sources.

Third, never disclose your personal or Internet banking details and one-time password to anyone.

Lastly, fraudulent transactions should be reported to your bank immediately.

The police urge anyone with information relating to such crimes to call their hotline at 1800-255-0000, or submit it online. Those who require urgent police assistance should dial 999.

Despite advisories and warnings issued by the authorities throughout the year, scams of different varieties continue to be a scourge in Singapore.

According to figures released by the police in end-August, scam victims lost $168 million to conmen in the top 10 scam categories in the first six months of this year alone.

This was over 2½ times the amount lost to scammers in the same period in 2020.

Loan scams had the highest number of reported cases among scam types, with victims cheated of $10.6 million. This was followed by e-commerce scams, which saw victims lose $2.4 million.

Job and investment scams also surged significantly, with victims having lost $6.5 million, compared with last year’s $60,000.

Investment scam victims, on the other hand, lost $66.2 million, which was more than triple the $21.6 million in the same period last year.

The year-end shopping season has also seen the emergence of non-banking-related phishing scams.

Since last month, more than 300 people have fallen prey to phishing scams involving delivery companies, amid the slew of year-end online shopping events.

As at Dec 20, 2021, the police said there were at least 341 victims, who made losses amounting to at least $759,000.

These victims typically received e-mails and text messages from scammers impersonating delivery companies such as SingPost, claiming that there were outstanding payments that had to be made before the parcel could be delivered.

Victims were told to click on URL links to make payment, where they were asked to provide their card details and a one-time password. It was only later that they realised unauthorised transactions had been made with their card.

.

OCBC’s advice to customers

– The bank will never send an SMS to inform customers about account closures or being locked out of their account.

– It will not send an SMS with a link to reactivate accounts.

– Do not click on links in an SMS. Instead, access only the bank’s portal via its mobile banking app or its website.

– Do not divulge banking login credentials or one-time passwords to anyone, or key such confidential information into unverified webpages.

– Customers who are in doubt about the authenticity of any SMSes received are advised to contact OCBC at 6363-3333.

.

===========

.

Banks to make good the losses?
What next and possible solution:
All banks should have an auto voice reply [in four languages] to a phone call and say:
“If you have been threatened that your account will be closed, please go to our branch to clarify. Do not phone in, and do not use the Internet to respond to the threat.”
=======
Phoning in will not be useful as the lines will be overloaded with calls.
Go to the branch of the bank to sort it out.
Do not respond to the threat online or via Internet, etc.
===========
S$8.5 million gone, cheated. Sad.
Many did not welcome and see sunrise on 1st Jan 2022 in joy and happiness.
Many have not been happy, in unity, love and harmony, and did not welcome 2022 with no grudges. Why?
=========
.
Forum: Banks can do more to share customers’ losses due to online scams
PUBLISHED 4 HOURS AGO on 4th Jan 2022 in ST Forum.
Online scams are on the rise.
There will always be people who are more vulnerable in the transition from physical to digital banking, and asking them to be more careful and vigilant will not suffice. More needs to be done to address this systemically.
As Internet banking benefits not only the customer but also the banks themselves, financial institutions could commit more to compensating scam victims or creating an insurance scheme to spread the losses resulting from such criminal behaviour.
Unless it can be proved that they showed gross neglect, scam victims should be fully compensated.
Banks profit from digital banking’s cost savings, and they should do more. Regulations should lean in favour of the consumer.
John Koh Tiong Lu

=======

What other solutions?
What is the missing link?
=======
Solution:
All banks should have an auto voice reply [in four languages] to a phone call and say:
“If you have been threatened that your account will be closed, please go to our branch to clarify. Do not phone in, and do not use the Internet to respond to the threat.”
=======
Phoning in will not be useful as the lines will be overloaded with calls.
Go to the branch of the bank to sort it out.
Do not respond to the threat online or via Internet, etc.
===========
S$8.5 million gone, cheated. Sad.
Many have not welcomed and seen sunrise on 1st Jan 2022 in joy and happiness.
Many will not be able to be happy, in unity, love and harmony, and have no grudges. Why?
=======
.
Forum: Step up efforts to prevent phishing scams
PUBLISHED 6 HOURS AGO on 3rd Jan 2022 in ST Forum.
I was shocked by the news that hundreds of people fell prey to phishing scams involving OCBC Bank (469 lost $8.5m to phishing scams involving OCBC Bank this month, Dec 31).
It must be heart-wrenching for victims who lost their savings or had their lives upended.
The Government and banks should intensify their efforts to stop or go on the offensive against phishing scams. They should consider the following measures:
• Increase public awareness of the ScamShield app, which blocks unsolicited messages and calls on iOS phones.
• Government agencies and banks could send public service alerts via SMS or WhatsApp after they receive reports of phishing scams.
• Educate the public on the dangers of phishing scams using posters in all major languages put up in public, as well as TV commercials.
• Banks should revamp their security systems to flag unusual transfers of money.
Rachel Tan Wee Cho.
.

=============

.

Banks should have a primary and secondary password system for their customers in this digital age of IT banking. The scammers and crooks must know or be familiar with how the banking systems and IT systems work. They either have worked in the banking industry before or have an accomplice who works in the banking sector or in the IT department of a bank.
Without banking and IT experience, or the support of fellow crooks in cahoots with them in the banking sector, it would be like a layman ‘like you and me’ trying to figure out which button to press to execute the scam/fraud in the IT banking system of a bank that is under attack.
=====
Why do the DBS and POSB accounts of one holder share the same email address, password, phone number, etc.? Cracking one account means all the other accounts are compromised and penetrated by the crooks. Banks should have a separate secondary-level password for each and every bank account, deposit account, etc., of the same person.
The primary password and OTP are to give authenticated access to all the bank accounts of the same person on the Internet and computer.
The primary password and OTP should give no access to each individual bank account, as the secondary password will be required for the person to access each bank account separately. The secondary password will prevent the crooks from penetrating each bank account unless they know the secondary password.
=======
OCBC Bank has made goodwill payments to SMS scam victims since Jan 8
The bank said more than 30 customers have received the payouts so far. ST PHOTO: CHONG JUN LIANG
Kenny Chee
Senior Tech Correspondent
PUBLISHED 39 MINS AGO on 17th Jan 2022 in Straits Times.
SINGAPORE – OCBC Bank said on Monday (Jan 17) that it has already been making goodwill payments to customers who lost funds from their bank accounts in a recent spate of SMS phishing scams.
The bank said it has been doing so since Jan 8 and more than 30 customers have received them so far.
“The payouts to this group of customers are made on goodwill basis after thorough verification, taking into account the circumstances of each case,” OCBC said.
Nearly 470 customers lost at least $8.5 million to fraudulent fund transfers in December last year after scammers posed as OCBC and sent SMSes to victims with links to phishing sites.
OCBC did not reveal how much it has paid out or if it intends to fully compensate every victim. ST has contacted the bank for more details.
Many victims reportedly fell for the ruse because the fake SMSes were grouped by their phones with legitimate SMSes previously sent by the bank for one-time passwords and transaction alerts.
This happened as the scammers had spoofed the OCBC name used for sending out official SMSes.
==========
Don’t access accounts via SMS links, OCBC says to customers; what else you need to know to avoid scams
At least 469 people reportedly fell victim to phishing scams involving the bank in the last two weeks of December in 2021. PHOTO: UNSPLASH
PUBLISHED 5 HOURS AGO on 17th Jan 2022 in Straits Times.
SINGAPORE – A couple in their 20s lost about $120,000 in a fake text message scam targeting OCBC Bank customers. They were among at least 469 people who reportedly fell victim to phishing scams involving the bank in the last two weeks of December in 2021.
The victims lost around $8.5 million in total.
Can such victims get their money back, or are they responsible for the funds lost? Should banks be made to pay for phishing scam losses? Meanwhile, how can you avoid being scammed in a similar way?
Young couple lost $120k in fake text message scam targeting OCBC Bank customers
It took a man and his wife five years to save about $120,000, but in just 30 minutes, scammers using a fake text message stole the money they had kept in their OCBC Bank joint savings account.
“The SMS looked like it came from OCBC and entered the usual SMS chat history from OCBC used for authentic banking services,” the husband said.
“The link took me to a site that looked exactly like the OCBC login page.”
Mum of seven children scammed of $100,000, but ‘fault is not mine alone’
A victim said that after she keyed in her username, password and other relevant details, and checked into her account, she received a notification stating that her transfer limit had been increased to $100,000.
When she noticed that, she immediately called OCBC as she had not approved this. However, “OCBC’s hotline is not equipped to immediately handle scams which are in progress”.
She had to navigate an automated system for a long time before reaching a person. In just a few minutes, almost $100,000 was gone.
Can bank stop funds transfer by scammer if you immediately report incident to it?
Here’s a scenario: You received a call from a scammer who claimed to be from your telecoms provider and offered to help you resolve your Internet issues. You were tricked into giving him remote access to your laptop and also access to your bank accounts.
When you realised that something was amiss, you hung up and immediately reported the incident to the bank. Can the bank stop the funds transfer entered by the scammer?
Here’s what a bank’s head of group corporate security said.
Can fraud victims get their money back if they were the ones who gave scammers bank details?
Victims misled into giving out their banking details in phishing scams are often responsible for the funds lost, especially if bank information technology systems are up to mark and not compromised, say lawyers.
“The banks may not be responsible for money that you have lost through fraud, especially if you had authorised the transaction, and even if you were tricked into doing so,” says a lawyer.
However, financial institutions can be held liable if they are found to be negligent or have breached their contracts with customers, such as by not patching their systems regularly.
Commentary: Make banks pay for phishing scam losses
Are banks too complacent and slow in taking the necessary steps to safeguard their clients’ money? Editor-at-large Han Fook Kwang commented that it baffled him as to why so many of them did not send SMS messages to their clients warning them of the danger.
What will prod them to be more proactive in dealing with the problem? He wrote: “I can think of one way – make them pay, if not all, at least a substantial amount of the losses suffered by their clients.”
Under existing laws, they are not obliged to, as they will argue that the customers were negligent in falling for the scam. But “this is not satisfactory, and it is unfair for unsuspecting people to have to bear all the burden of having to look out for devious crooks who know everything about what makes a person vulnerable to these tricks”.
Is it time to phase out SMS OTPs to stem scam scourge?
SMSes are one of the weak links in the latest bank scams. One suggestion is to do away with using text messages to send OTPs because SMS OTPs can be stolen by scammers.
One stop-gap measure is to rely on physical tokens to generate the OTPs instead as it can be harder for the crooks to steal them than text messages, never mind the inconvenience of having to carry a token.
In the wake of the scams, the local banks – DBS, OCBC and UOB – have said that customers can still use hardware tokens even though some of these banks had stopped issuing them.
OCBC continues with physical tokens, reversing plan to phase them out
OCBC Bank will allow customers to continue using hardware tokens for security verifications after an earlier announcement said they would be axed.
The bank had planned to phase out the physical tokens on its online banking platform by March 31 and transition to a fully digital authentication process. But it has reversed that position, as its head of global consumer financial services noted on Jan 7.
Security has become increasingly important to local banks given a sharp rise in phishing scams. OCBC has also stopped sending SMSes with links in them in light of the incidents.
OCBC Bank has made goodwill payments to SMS scam victims since Jan 8
OCBC Bank said on Monday (Jan 17) that it has already been making goodwill payments to customers who lost funds from their bank accounts in a recent spate of SMS phishing scams.
The bank said it has been doing so since Jan 8 and more than 30 customers have received them so far.
“The payouts to this group of customers are made on goodwill basis after thorough verification, taking into account the circumstances of each case,” OCBC said.
=========
I prefer the manual token as no one will/can break into my house to get hold of it. It is the safest. OTP via SMS is not safe when the crooks have taken control of your account.
========
An OTP from the token is safer than one sent by SMS to a handphone or computer. Why? When a second OTP is needed, the crooks cannot generate it unless they have stolen the token as well. Hopefully the crooks do not have the manual token to generate the 2nd, 3rd, etc. OTP for every change made to the account, e.g. change of email address, phone number, a new recipient, change of the amount for transferring money out, etc.
=========
Does a bank customer need to use the token to generate an OTP to enter a new recipient, make a transfer, change to a higher transaction amount, etc.? I hope a second, third, etc. OTP will be needed to execute every change and transaction. The OTP must come from the manual token.
========
Manual token is safer until it is stolen by the crooks. OTP by sms and on handphone is different from an OTP given on a manual token. Why? The manual token has to be stolen first by the crooks. Not easy to steal all the manual tokens of 469 victims.
=========
What are the loopholes for the banks to fix? Some three months ago, I received notice from DBS that they would stop the use of the manual token and replace it with the SMS/handphone-generated OTP. I was hesitant and reluctant to make the switch. I knew that sooner or later some bank customers would be hit hard by this change, with crooks using phishing scams on them. Who among the banks’ CEOs approved this switch, and why? Or was it approved and directed by MAS and/or the ABS?

Who will stand up and admit to this change, which has affected 469 victims within weeks, who lost in total S$8.5 million to the crooks?

I hope all the banks will fix the loopholes:

1] restore the use of the manual token to generate the OTP. It should not be optional.

2] stop the generating of the OTP via sms/handphone;

3] have a secondary password for every account, including deposit accounts, that belongs to the same customer; the request for the secondary password must be authenticated by entering the OTP from the manual token. To execute a transaction on each account, the secondary password is needed. The primary password and OTP will be used to enter the account as a whole, but they will not give access to each and every account of the same person to execute a transaction unless the secondary password is authenticated and entered separately.

4] for every transaction in changing the email address, phone number, adding new payee; and increasing the payment/transfer amount in each account, the notification to the customer must be sent to the previous email address and phone number of the customer to ask for the OTP number generated from the manual token;

5] every payment or transfer of money from the account to a new payee or to an overseas account can only be executed after a 24-hour holding period, and it must be authenticated by entering the OTP number generated from the manual token. The request for the OTP number must be sent to the old email address and phone number of the customer if changes were made to it within the last 30 days.
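
Items 4] and 5] above can be written down as a small rule engine; the following is an added example, not code from any bank or from the original post. It assumes a hypothetical boolean token_otp_ok (an OTP from the manual token was verified elsewhere), treats a payee as "new" when it was added less than 24 hours before the transfer request, and replays a constructed timeline.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, Optional

HOLD_PERIOD = timedelta(hours=24)            # item 5]: holding period
CONTACT_CHANGE_WINDOW = timedelta(days=30)   # item 5]: look-back for contact changes


@dataclass(frozen=True)
class Contact:
    email: str
    phone: str


@dataclass
class Account:
    contact: Contact
    previous_contact: Optional[Contact] = None
    contact_changed_at: Optional[datetime] = None
    payees: Dict[str, datetime] = field(default_factory=dict)  # payee -> time added


@dataclass(frozen=True)
class Decision:
    action: str                          # "EXECUTE", "HOLD" or "DENY"
    notify: Contact                      # where the alert / OTP request is sent
    release_at: Optional[datetime] = None


def otp_destination(acct, now):
    """Send to the old contact if the details were changed in the last 30 days."""
    changed = acct.contact_changed_at
    if acct.previous_contact and changed and now - changed <= CONTACT_CHANGE_WINDOW:
        return acct.previous_contact
    return acct.contact


def change_contact(acct, new_contact, token_otp_ok, now):
    """Item 4]: contact changes need a token OTP and alert the previous contact."""
    dest = otp_destination(acct, now)
    if not token_otp_ok:
        return Decision("DENY", dest)
    # Keep the oldest contact inside the window so chained changes cannot hide it.
    acct.previous_contact = dest
    acct.contact_changed_at = now
    acct.contact = new_contact
    return Decision("EXECUTE", dest)


def add_payee(acct, payee, token_otp_ok, now):
    """Item 4]: adding a payee needs a token OTP and alerts the customer."""
    dest = otp_destination(acct, now)
    if not token_otp_ok:
        return Decision("DENY", dest)
    acct.payees[payee] = now
    return Decision("EXECUTE", dest)


def request_transfer(acct, payee, overseas, token_otp_ok, requested_at, now):
    """Item 5]: new-payee and overseas transfers wait out the holding period."""
    dest = otp_destination(acct, now)
    added = acct.payees.get(payee)
    if not token_otp_ok or added is None:
        return Decision("DENY", dest)
    new_payee = requested_at - added < HOLD_PERIOD   # assumption: definition of "new"
    if new_payee or overseas:
        release_at = requested_at + HOLD_PERIOD
        if now < release_at:
            return Decision("HOLD", dest, release_at)
    return Decision("EXECUTE", dest)


def replay_constructed_timeline():
    """Constructed sample: an account takeover attempt within ten minutes."""
    owner = Contact("owner@example.com", "+65-0000-0001")       # constructed
    intruder = Contact("intruder@example.net", "+65-0000-0002")  # constructed
    acct = Account(contact=owner)
    t0 = datetime(2022, 1, 3, 12, 0)
    t_req = t0 + timedelta(minutes=10)
    steps = [
        change_contact(acct, intruder, False, t0),   # SMS OTP only: denied
        change_contact(acct, intruder, True, t0),    # token OTP presented
        add_payee(acct, "payee-X", True, t0 + timedelta(minutes=5)),
        request_transfer(acct, "payee-X", False, True, t_req, t_req),
        request_transfer(acct, "payee-X", False, True, t_req, t_req + HOLD_PERIOD),
    ]
    return acct, steps


if __name__ == "__main__":
    for d in replay_constructed_timeline()[1]:
        print(d.action, "->", d.notify.email, d.release_at or "")
```

Every alert in the replay goes to the owner's original contact details, and the transfer stays on hold for 24 hours, which is the reaction time the victims in the articles above said they did not have.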

========

.

Top government officials in retirement..
Those on pension and those not..
Happiness for some but not all.   Why?

.

====

.

Losing money to scams…
It is payback time by descendants for the misdeeds with money, money debts of our ancestors.
Who are our ancestors? What did they do with money matters?
Who planted the seed of impurities with money since ancient times?
Payback by descendants, is it fair to them?
Inherit their looks and DNA, it is absolute fairness, the true unfairness in fairness.
Some settlement, payback, come with even blood, sweat, tears, pain, suffering, poverty, and the highest is untimely, sudden, and unnatural death.
.

====

.

Some S$430,000 lost to scams involving hotel room bookings, 2 people arrested in separate cases

Screenshots of messages exchanged between a seller and buyer for hotel room bookings that are now under police investigations.

SINGAPORE — Victims of various scams lost more than S$430,000 when booking hotel room packages and two people were nabbed for their alleged involvement in these transactions.

In a news release on Thursday (Dec 16), the police said that a 45-year-old man and a 32-year-old woman have been arrested in separate cases.

In the first case, the police received multiple reports in December from victims who allegedly failed to get their hotel rooms despite making payment to an unknown seller.

The victims came across the man’s advertisement for the room bookings on e-marketplace Carousell and proceeded to reach out to him via WhatsApp.

They made payments through bank transfers and the PayNow digital application but did not get what they bought.

Officers from the Woodlands Police Division established the identity of the man through investigations and arrested him on Wednesday.

“Preliminary investigations revealed that the man was allegedly involved in at least 29 similar cases with total reported losses amounting to S$30,000,” the police said.

He will be charged on Friday with cheating offences.

If found guilty, he can be jailed up to 10 years and fined.

In the case involving the woman, the police received several reports this month from victims who were purportedly cheated by a seller who offered discounted room packages for numerous popular hotels in Singapore. The offers were posted on a social media platform.

Similar to the first case, the victims failed to get the rooms after making payments through bank transfers and PayNow.

Officers from the Commercial Affairs Department uncovered the identity of the woman and arrested her for cheating offences.

“She is currently assisting with investigations,” the police said.

The woman is believed to be involved in more than 300 “non-fulfilments of hotel room package bookings with total reported losses amounting to more than S$400,000”, they added.

The police warned that they take a serious view against those who may be involved in scams and frauds.

They stressed that such perpetrators will be dealt with in accordance with the law.

In a reminder to the public, the police said that people have to be careful when making online hotel bookings.

Among other reminders, the police also said that people should avoid making impulsive bookings and pay for such bookings only if they are from authorised or reputable sources.

Those with information on scams may call the police hotline at 1800-255-0000 or submit information online at www.police.gov.sg/iwitness.

.

Five yes..but what is the annual ROI on your investment?
What are the upside and downside risks of your investment in this time of uncertainty?
Only God knows…
.
=======
.
5 Dividend Stocks That are Perfect for Beginner Investors
Royston Yang
Mon, 5 July 2021, 7:30 AM in yahoo.com.sg
Commercial Properties
As you embark on your first steps in investing, it’s helpful to search for solid, dividend-paying companies.
The ability to pay consistent and dependable dividends is usually associated with financial strength and resilience, as demonstrated by certain blue-chip companies.
If you’re a beginner investor, you should start building up a portfolio of stocks that comprise a mix of growth and dividends.
Through the power of compounding, you can reinvest these dividends over time to grow your passive income stream.
Here are five dividend stocks that are suitable for a new investor’s watchlist.
DBS Group (SGX: D05)
DBS is one of Singapore’s three largest banks and offers a comprehensive range of banking services to individuals and corporations.
The lender has withstood the pandemic thus far and reported a stellar set of results for its fiscal 2021 first quarter.
Net profit surged to S$2 billion, a record for the bank.
Growth was backed by healthy loan growth of 5% year on year amid a pandemic.
DBS paid out an interim dividend of S$0.18, with annualised dividend clocking in at S$0.72.
There could be better news on the horizon.
Recently, Singapore’s central bank said that it is conducting stress tests on the banks to see if the dividend cap for the lenders that were imposed last year can be relaxed.
Assuming the banks are allowed to pay higher dividends, this will serve as a catalyst for DBS to hike its full-year 2021 dividend.
Mapletree Industrial Trust (SGX: ME8U)
Mapletree Industrial Trust, or MIT, invests in a portfolio of industrial real estate and data centres in both Singapore and the US.
As of 31 March 2021, the REIT’s total assets under management (AUM) stood at S$6.8 million, comprising 87 industrial properties in Singapore and 28 in the US.
For its fiscal year 2021 ended 31 March 2021, MIT reported a strong set of earnings.
Gross revenue rose 10.2% year on year to S$447.2 million, boosted by the acquisition of 14 data centres in the US in June last year.
Net property income (NPI) increased by 10.4% year on year while distribution per unit (DPU) inched up 2.5% year on year to S$0.1255 due to an enlarged base of units.
Moving forward, MIT has continued to boost its data centre exposure with its latest acquisition two months ago, thus ensuring the REIT’s DPU remains resilient.
Singapore Exchange Limited (SGX: S68)
Singapore Exchange Limited, or SGX, is Singapore’s sole stock exchange operator.
The group operates a platform for the buying and selling of securities such as stocks, bonds and derivatives.
SGX reported a creditable set of earnings for its fiscal 2021 half-year ended 31 December 2020.
Revenue rose 9% year on year while net profit jumped by 12% year on year to S$240 million.
The bourse operator increased its quarterly dividend from S$0.075 to S$0.08.
The group is well-positioned to grow further and has communicated its plans to grow both its revenue and operating margins in the years ahead.
Frasers Centrepoint Trust (SGX: J69U)
Frasers Centrepoint Trust, or FCT, is a retail REIT that owns 10 suburban malls in Singapore.
FCT’s AUM is around S$6.4 billion as of 31 March 2021 and its portfolio comprises around 2.3 million square feet of retail space.
For its fiscal 2021 half-year, the REIT reported a 73.8% year on year surge in gross revenue.
The increase was mainly due to the addition of properties from the REIT’s acquisition of the AsiaRetail Fund’s portfolio of five malls.
NPI rose by the same quantum, clocking in at S$125.6 million, while DPU surged by 28.4% year on year to S$0.05996.
FCT’s malls are enjoying an uptick in tenant sales as suburban malls remain popular with HDB heartlanders.
For February 2021, tenant sales rose 11.7% year on year, demonstrating a promising rebound from the depth of the pandemic.
Hongkong Land Limited (SGX: H78)
Hongkong Land Limited, or HKL, owns, operates and develops commercial and retail properties in Hong Kong, Singapore, Jakarta and China.
Its portfolio consists of around 850,000 square metres of prime real estate.
The group experienced challenging conditions when the Hong Kong riots broke out in 2019, and the problems were exacerbated by the outbreak of the pandemic early last year.
For its fiscal year 2020, HKL reported an 11% year on year dip in underlying profit.
However, the property giant maintained its total dividend per share at US$0.22 despite the challenges.
The group’s high-quality portfolio positions it well to withstand the downturn, and its healthy free cash flow should ensure the continuation of dividend payments.
Disclaimer: Royston Yang owns shares of DBS Group and Singapore Exchange Limited.
The post 5 Dividend Stocks That are Perfect for Beginner Investors appeared first on The Smart Investor.
.

========

.

Retirees … the main issue that causes their unhappiness…
Some returnees to the red dot during the COVID-19 shutdown are given a quality hotel room with sea view, etc., all paid for by the government, including fully free medical treatment when they have to be hospitalised due to COVID-19 infection.
Foreign workers in the 43 dormitories have been given free meals, wifi, medical treatment, etc. They like receiving pay while having time to relax and chat.
Well and good.
=======
Retired top government officials have no problem seeing all this kindness from the government. They must feel proud of a government that is caring.
Those on government pension for life in retirement know that the government pays the full medical bill at the SGH for them and their wives. Medical care is free for them as long as they live. These are the terms and conditions of their pension scheme.
However, some top government officials who are not on government pension cannot swallow the bitter pill of having to foot their own medical bills when they are terminally ill or have a debilitating illness in their 70s or 80s.
They cannot accept it, especially when hospital staff come to their hospital bed with a statement for them to sign, confirming that they will pay their own medical bills upon discharge. Some are asked to pay the deposit or to top up payments whenever the bills grow larger and the deposit is insufficient.
It hurts even more when the staff, not sensitive to their condition or background, are unaware that the patient has served the country at the top level all his life but is now asked to pay the full medical bill.
They feel that they have not been taken care of, some not knowing why they have to go through this ordeal, as if by fate or by their own choosing.
When down and in pain, or counting their final days on their deathbed, they and their loved ones cannot keep their reasoning faculties in balance, and let their visceral emotions take over, clouding their acceptance of the situation.
It is their choice to opt out of the government pension scheme that has brought about their present predicament of fending for themselves in suffering at the end stage of their life.
.
======
.
Unhappiness of retirees over health matters, harmony issues and money-wealth issues.
They know who to blame, and of the three, the main source of unhappiness is money.
For unhappiness over money, they know who to blame.
They do not blame others as much over their health matters, or over harmony issues when they hold a grudge or hatred against this person or that person, or against their loved ones.
.
========

.

Coronavirus: Singapore residents returning from China to serve 14-day stay-home notice

PUBLISHED JUN 9, 2020, 12:00 AM SGT in Straits Times

by Tee Zhuo
SINGAPORE – Singapore residents returning from China under the new “fast lane” agreement between the two countries will have to stay at home for 14 days.

If they keep to this and other terms of the agreement, they will not need to pay coronavirus-related medical bills at public hospitals, which are being borne by the Singapore Government for now.

The fast-lane agreement, which exempts visiting essential business travellers from both sides from quarantine requirements of up to 14 days, started on Monday (June 8).

Quarantine orders isolate those suspected or known to carry an infectious disease either at home or at hospitals and dedicated facilities, and are legal orders with severe penalties if they are breached.

Those on a stay-home notice are not allowed to leave their homes.

The fast lane agreement with China is part of Singapore’s plans to gradually re-open its borders by slowly easing restrictions on flights and resuming trade.

The new scheme applies only to business and official travel, for flights between Singapore and six provinces in China: Shanghai, Tianjin, Chongqing, Guangdong, Jiangsu and Zhejiang.

Among other requirements, travellers also have to seek approval from the authorities and adhere to a submitted itinerary.

Answers to frequently asked questions on the SafeTravel Pass website launched on Monday said the “fast lane” is not for long-term work or study.

Singapore residents – citizens, permanent residents, and long-term pass holders – who wish to enter China for purposes other than essential business or official travel should contact the Chinese embassy here for more details.

Fast lane travellers departing for China must take a swab test within 48 hours of their departure, and get a health certificate that states they have tested negative for Covid-19.

For now, such tests can be conducted only at select clinics from Raffles Medical Group at Changi Airport Terminal 3, Harbourfront Centre, Holland Village, Raffles City and Shaw Centre.

The website added that travellers should expect to pay $180 to $200 for the pre-departure test, and the amount is not payable by Medisave, MediShield Life or Integrated Shield Plans.

Upon arrival in China, fast lane travellers will have to go through a swab test and a serology test and will then be quarantined in a designated area for one to two days until the test results are ready.

If found to be Covid-19 positive, the traveller will be given medical treatment. The costs of the tests, stay at the designated location and medical treatment will all be borne by the traveller.

Both tests have to be negative before the traveller can proceed with travel plans in China.

Travellers do not need to take another swab test in China before they return to Singapore.

Those who need more information can visit safetravel.ica.gov.sg or e-mail covid_safetravelpass@mti.gov.sg

.

=======

.

To prevent money laundering…

Do we know why it could take some 14 days to open a bank account in the red dot? It is to check the person, to prevent the bank account from being used for money laundering, and also to prevent anyone from using a fake ID or fake passport [lost or stolen passport or ID card] to open a bank account for fraudulent purposes.

When big companies use cheques [getting less common now, and cheques will no longer be in use in 2025] to pay their creditors, they will use a cheque printer to prepare their cheques [not handwritten].

Crooks will try to steal from the post office [or postmen] and target the cheques with huge amounts.

They know how to remove the type-written name of the creditor and retype their own name [the name of the fake bank account opened using a stolen ID card or passport] on the cheque and bank it into the bank account.

Within days, they will withdraw the money from their ‘fake’ bank account, down to zero.

They normally use their ‘fake’ bank account for one huge stolen cheque, one hit only, as they will disappear into thin air after drawing out the money.

By the time the big companies learn of the ‘fraud’, it will be months later, when the creditor asks them for payment of their bills. The crooks would be gone by then, untraceable.

About tankoktim

It is a joy to share, and the more I share, the more it comes back in many ways and forms. Most of what I shared is not mine. I borrowed and shared it on my Blog. If you like any particular post in my Blog, please feel free to share it far and wide with your loved ones, friends and contacts. You may delete my name before sending it to them. You may also use the articles to write on the same topic or extract and paste any part of it in your article. My posts are available to all, young and old, students too. If they wish, they can extract or plagiarize any of the points to write their articles or essays with it. Np. ============== I share what I wrote worldwide with Facebook friends and contacts, not with Singaporeans only. I share it by pasting the link method as it is easier and a shortcut rather than copy paste my comments in full text. Some want me to stop posting. I shall stop giving comments and/or my link when others stop posting. When they stop, I stop. When they continue to give comments, I shall continue to give my short-cut link, or a short cut-and-paste comment plus the link. If I stop giving my link or comments, it will by default be letting others a free hand to give possibly a one-sided comment without anyone giving the other perspective on an issue. If I stay quiet, it will be considered my failure not to give the opposite perspective. Some want me to be silent, and to stop posting. If I accept their demands, it will be a failure to my Facebook friends worldwide by staying silent. I owe it to my Facebook friends and to the society to comment and give an opposite perspective on an issue. ======= My contact: tankoktim@yahoo.co.uk