Singapore to step up security measures in aftermath of phishing scams

SMS phishing scams that led to SG$13.7 million in losses have prompted additional security measures to be introduced, including the need for SMS service providers to check against a registry before sending through messages and for banks to develop "more versatile" AI algorithms to detect suspicious transactions.
Written by Eileen Yu, Senior Contributing Editor

Singapore is stepping up security measures to bolster the local banking and communications infrastructures, which include the need for SMS service providers to check against a registry before sending through messages. Bank also are expected to develop "more versatile" artificial intelligence (AI) models to detect suspicious transactions. 

The additional safeguards come in the heels of a recent spate of SMS phishing scams, which wiped out SG$13.7 million ($10.17 million) from the accounts of 790 OCBC Bank customers. Scammers had manipulated SMS Sender ID details to push out messages that appeared to be from OCBC, urging the victims to resolve issues with their bank accounts. They then were redirected to phishing websites and instructed to key in their bank login details, including username, PIN, and One-Time Password (OTP).  

Describing the incident as the country's most serious phishing scam involving spoofed SMSes impersonating banks, Minister for Finance Lawrence Wong said various steps would be taken to better mitigate the risks of such scams. These would span the entire ecosystem, including banks, telecommunications, law enforcement, and consumer education, Wong said Tuesday during his ministerial statement in parliament. The minister also is deputy chairman of the Monetary Authority of Singapore (MAS). 

The OCBC scams prompted MAS to mandate new security measures last month that, amongst others, required banks to remove hyperlinks from email or SMS messages sent to consumers and implement a 12-hour delay in activating mobile software tokens. 

Wong noted that MAS last October were in discussions with local banks to highlight gaps that surfaced from the regulator's "focused supervisory review", which was conducted in the third quarter of 2021. Initiated in view of the increase in scam cases over the past two years, the review assessed fraud controls in the digital banking channels of the three local banks, including DBS Bank and UOB. 

Wong said the banks were provided recommendations to remediate the gaps and they put in place timelines to deploy the various measures, some of which required extensive changes in their IT systems. With the spike in phishing scams last December, he said OCBC accelerated the implementation of some of these measures, such as extending the cooling period--during which higher risk transactions could not be carried out--after a digital token had been set up on a new mobile device. 

More steps were in the works, the minister said. 

Banks would be working to further bolster their fraud monitoring capabilities to better identify suspicious and anomalous transactions, including credit card transactions. While most banks already had some rules-based parameters, these needed to be expanded to take account of a brander range of scam scenarios, Wong explained. 

"Beyond pre-defined parameters, MAS will expect banks to develop more versatile algorithms employing AI and machine learning to detect suspicious transactions," he said. "Such algorithms should be based on multiple sources of information, including customer profile and vulnerabilities, past transaction patterns, account activity, and mobile device identification."

He stressed, though, that advanced fraud monitoring systems would not be able to detect every scam. 

Singapore banks also would be beefing up their ability to more quickly block suspicious transactions and contact customers to verify their authenticity. Transactions would only be unblocked and processed when confirmed by the customer, he said. Again, while banks already had these capabilities today, he noted that these were not consistent across various types of transactions. 

In addition, MAS was looking into the possibility of allowing customers to freeze their own accounts without needing to contact the banks. 

Banks also would introduce additional confirmations from customers, beyond notifications, for significant changes made to their accounts or high-risk transactions, such as changes in the details of the account holder and activation of tokens on another device. 

These would come with added inconvenience to customers carrying out legitimate transactions, but were necessary to boost the security of digital banking and users would have to adapt, Wong said. 

Local banks also would look at widening the use of biometrics as a means of authentication, in addition to passwords and OTPs. The minister said this would add another layer of security that could not be easily phished by scammers. 

Banks would further accelerate the move towards using mobile banking apps to authenticate customer's identity, authorise transactions, and deliver bank notifications. 

A review also was being carried out on the use of SMS-based OTPs and measures needed to reduce the risks of its use. 

Security measures needed across infrastructures

Further steps are in the pipeline that involve other proponents in the ecosystem, specifically, telecommunications services providers.

Commenting on the need to beef up defences through telco networks, Minister for Communications and Information Josephine Teo, said: "To combat phishing and spoofing by scammers, we should disrupt as many parts of their modus operandi as possible. Apart from enhanced safeguards in the banking system to prevent scams from easily succeeding, upstream measures are also needed to disrupt scammers' reach to potential victims."

 For one, SMS service providers and telcos will be required to check against the national Sender ID registry and only send through messages when the sender details match the registry records, Teo said Tuesday, during her ministerial statement in parliament. This means that SMS messages that spoof registered IDs will not reach their intended targets. 

A pilot was launched last August to enable organisations to register SMS Sender ID headers they wished to safeguard with the registry. Doing so would help ensure messages sent via unauthorised use of the protected SMS Sender ID would be blocked. 

According to Teo, all organisations also must have a valid UEN (unique entity number) if they want to send SMS messages through registered IDs, to phone subscribers in Singapore. 

She added that MAS had made it mandatory for all major retail banks to register their Sender ID details with the registry. All government agencies also would do likewise. 

Noting that scammers also used IDs that looked similar to legitimate Sender IDs, she said the government was exploring the possibility of requiring all users of alphanumeric IDs to be registered. This would prevent scammers from sending SMS messages using such IDs, without first joining the registry, she said. 

Teo said these measures would require time to implement and involved additional costs for businesses. Those that chose not to register their Sender ID details would have their SMS messages show up only with their telephone number. Customers then would have to save the number in their contact list to recognise future messages from the organisation. 

Industry regulator Infocomm Media Development Authority would consider such implications in deciding whether to mandate the registration of all alphanumeric IDs, she said. 

She urged businesses to assess their use of SMS to engage customers, as the medium was based on an old technology and not designed for secure communications. She called for "more restraint" in using the platform to transmit sensitive or confidential information or for high value transactions. 

Other measures also were planned, including telcos' efforts to incorporate additional analytics to block more suspected scam calls. This could lead to 55 million calls blocked a month, up from the 15 million, or one in seven of all incoming overseas calls to Singapore, currently blocked each month.

Phishing websites also would continue to be blacklisted. Some 12,000 scam websites were blocked last year, up from 500 websites blocked in 2020, according to Teo.

The National Crime Prevention Council also will start a WhatsApp channel, by the third quarter of this year, to crowdsource from the public information on scam websites and messages, she added. 

Wong said: "There is no single measure that can guarantee the security of digital banking. The techniques employed by scammers are constantly evolving and gaining in sophistication. This is why in the fight against scams, banks need to employ a combination of measures in prevention, detection, response and recovery, and constantly review and recalibrate these measures."

He added that customers, the industry, and infrastructure providers must remain alert to prevent a recurrence of large-scale scams such as those involving OCBC. 

"The breadth of the issues raised underscore we need to take an ecosystem approach to strengthen our collective defence against phishing scams, and scams in general," he said. "Everyone in this ecosystem must play their part."

In the OCBC phishing scams, to date, the Singapore Police Force has frozen 121 bank accounts here and recovered some SG$2 million. Another SG$2.2 million of victims' funds were traced to 89 overseas bank accounts. At least 107 local and 171 overseas IP addresses were linked to the unauthorised access of the victims' internet banking accounts. 

Many of the phishing websites used in the OCBC scams were hosted on web hosting companies based overseas, according to Minister of State for Ministry of Home Affairs, Desmond Tan. He said the SPF was working with the Interpol and foreign law enforcement agencies to investigate recipients of funds transferred overseas as well as hosts of the scam websites.


Editorial standards