Banks and financial institutions in Singapore will have to implement new security measures that have been mandated following a series of phishing SMS scams that wiped several victims of their life savings. These measures include the removal of hyperlinks from email or SMS messages sent to consumers and a 12-hour delay in activating mobile software tokens.
The Monetary Authority of Singapore (MAS) and Association of Banks in Singapore (ABS) said in a statement Wednesday that the additional measures aimed to strengthen the security of digital banking, in light of the recent scams targeting bank customers.
The SMS-phishing scams involving at least 469 customers of OCBC Bank and resulted in losses of more than SG$8.5 million, with S$2.7 million alone lost over the recent three-day Christmas weekend. Several of the victims reportedly lost their life savings, including a 43-year-old man whose account was wiped of S$500,000, a 38-year-old software engineer who lost S$250,000, and 33-year-old finance executive who had her account emptied of S$68,000.
In these cases, scammers manipulated SMS Sender ID details to send messages that appeared to be from OCBC. These SMS messages prompted the victims to resolve issues with their accounts, redirecting them to phishing websites and instructing them to key in their bank login details, including username, PIN, and One-Time Password (OTP).
Because OCBC's legitimate Sender ID was successfully cloned, and spoofed, these messages appeared in the same thread as previous alerts or notifications from the bank, leading victims to believe they were legitimate.
Affected OCBC customers also expressed frustration over how they were put on hold in their efforts to contact the bank's hotline and have their accounts locked, after they received notifications of payment transfers and requests to increase their transaction limits, which they never made.
"MAS expects all financial institutions to have in place robust measures to prevent and detect scams as well as effective incident handling and customer service in the event of a scam," the regulator said in its statement. "The growing threat of online phishing scams calls for immediate steps to strengthen controls, while longer-term preventive measures are being evaluated for implementation in the coming months."
Local banks, in consultation with MAS, would work to implement more stringent measures within the next two weeks. These would include setting the default threshold of funds transfer transaction notifications at S$100 or lower and triggering notification to existing mobile number or email registered with the bank, whenever a request is made to change a customer's mobile number or email address.
Banks also would have to set up dedicated and "well-resourced" customer assistance teams to deal with customer feedback on potential fraud cases, MAS said. The regulator added that further safeguards, such as enforcing a cooling-off period before requests for key account changes, including a customer's contact details, should be implemented.
In addition, banks would work closely with MAS, local law enforcements, and Infocomm Media Development Authority (IMDA) to deal with the current "scourge of scams". This would include working on more permanent measures to combat SMS spoofing, including the adoption of SMS Sender ID registry by all relevant stakeholders, MAS said.
"MAS is also intensifying its scrutiny of major financial institutions' fraud surveillance mechanisms to ensure they are adequately equipped to deal with the growing threat of online scams," it added.
MAS' managing director Ravi Menon said: "The threat of scams will not go away, but we can reduce our vulnerabilities. This requires a multi-pronged response across the ecosystem. MAS, together with the Police, IMDA, and other relevant government agencies, is working closely with the financial industry, the telco industry, consumer groups, and other stakeholders to strengthen our collective resilience against scam attacks. We will ensure that digital banking remains secure, efficient, and trusted."
OCBC on Wednesday said all customers affected by the SMS phishing scam would receive "full goodwill payouts" comprising the amount they lost. This came after its previous statement on Monday that it had begun to make "goodwill payouts" since January 8, but did not specify if these covered the entire amount customers lost.
The bank acknowledged its customer service and response "fell short" of customers' expectations.