Singapore has warned of a new scam tactic targeting users of Google's search platform, some of whom have unwittingly assumed advertisements containing fake bank hotlines to be legitimate. Victims of these scams have already lost more than S$495,000 ($367,775) since December 2021.
Singapore Police Force (SPF) said these phishing ads would pop up on Google when users searched for a bank's contact number with the intention of seeking advice for various reasons. These ads would show up amongst the first few search results and contain fake contact details for the bank, the police said in its advisory note released Wednesday.
Unwitting victims who called these numbers would speak with someone impersonating as a bank employee, who then would proceed to alert them of issues with their bank account, credit or debit cards, or loans. Victims would be instructed to temporarily transfer funds to bank accounts provided by the impersonator, in order to resolve the issue or make payments for outstanding loans.
Some victims would receive SMS messages with headers spoofing the bank's Sender ID, so these would appear as legitimate communications from the bank. The messages would either contain instructions to reset the victim's bank account as part of Singapore's efforts to combat scam or state that the victim had to transfer money for early loan settlement.
"Victims would only realise that they had been scammed when they contacted the bank via the authentic hotline to verify the new bank account number or when the bank contacted them to verify the reason for the large sum of money transferred," SPF said.
Since last month, at least 15 victims had lost more than S$495,000 ($367,775) to these scams, according to the police.
Its latest advisory follows a spate of phishing SMS scams that affected at least 469 customers of OCBC Bank and resulted in losses of more than SG$8.5 million. Some S$2.7 million alone was lost over the recent three-day Christmas weekend and several victims reportedly lost their life savings. The bank has since promised to make full restitution of losses to all victims of the scams.
Industry regulator Monetary Authority of Singapore (MAS) on Wednesday also introduced additional security measures that banks would have to implement, in light of the OCBC scams. These measures include the removal of hyperlinks from email or SMS messages sent to consumers and a 12-hour delay in activating mobile software tokens.
Banks also would have to set up dedicated and "well-resourced" customer assistance teams to deal with customer feedback on potential fraud cases.
MAS said the new measures, which should be deployed within two weeks, aimed to strengthen the security of digital banking. "MAS is also intensifying its scrutiny of major financial institutions' fraud surveillance mechanisms to ensure they are adequately equipped to deal with the growing threat of online scams," it said.