Spike in malware scam victims in July, August; losses equivalent to that in first half of 2023

SINGAPORE – It starts with an advertisement dangling the promise of a good deal – perhaps durian tour tickets, roast duck, or even affordable holidays.

Victims who take the bait do not get what they paid for. Instead, they find that scammers have wiped out their savings, sometimes siphoning away tens of thousands of dollars in a matter of minutes. Other victims are saddled with debt, after loans are taken out in their names.

Criminals have been turning to malware to hijack mobile devices and carry out these unauthorised banking transactions. Millions of dollars have been lost from unwitting victims as these scams become increasingly common, prompting banks and the police to sound the alarm.

More than 1,400 victims fell prey to malware scams between January and August, with total losses amounting to at least $20.6 million, said the police.

Police statistics show that July and August saw about 650 victims, almost as many as the first six months of 2023.

July and August also saw about $10.6 million lost by victims of malware scams, which is roughly the same amount that victims lost in the first half of the year.

From January to June, there were more than 750 victims who lost a total of at least $10 million through these malware scams.

More than 30 people also had scammers take out loans in the form of credit card cash advances, with the money then transferred out of their accounts.

Generally, malware scams involve duping victims into downloading and installing malicious Android apps, which allow fraudsters to gain remote access to victims’ devices to obtain their Internet banking credentials or card details.

In response, major local banks in Singapore have hardened their defences, introducing a slew of anti-malware features in recent months.

OCBC was the first bank to do so in August. The bank’s anti-fraud head, Mr Beaver Chua, said that within a month of that happening, OCBC managed to prevent more than 30 cases of malware scams, where over $2 million could have potentially been lost to scammers.

“Our anti-malware security feature highlights unverified apps, especially apps containing risky permission settings, and blocks usage of the OCBC Digital app unless the unverified apps are uninstalled, or the risky setting is turned off,” he added.

And as reports of scams grew more common in recent days, banks have announced upcoming features that allow customers to ring-fence part of their savings from digital transactions. Depending on the bank, this “locked” money can be accessed only in person, either at an ATM or at a branch.

The police have also updated their advisories, urging the public to put their phones on flight mode, delete suspicious apps and even take extreme measures such as performing a “factory reset” if they suspect their devices have been compromised.

UOB declined a request for comment, and pointed to its previous statements, in which the bank’s head of group compliance said the new features might inconvenience customers, but are “necessary for enhanced security to mitigate the risks and protect customers’ exposure to malware scams”.

DBS head of legal and compliance Lam Chee Kin said the bank has rolled out features to make its customers more aware of the security implications of actions such as adding new payees or adjusting transfer limits.

The bank will “continue refining our approach to achieve a balance between mitigating the risk of fraud and inconveniencing some of the customer’s journey”, he added.

The latest efforts depict an escalating arms race between banks, the police and the public, and scammers, who are turning to more sophisticated means for criminal gain.

In this landscape, experts say customers need to exercise greater caution.

A spokesman for The Association of Banks in Singapore said the measures rolled out by banks will help detect potential malware and block access to banking apps, but “the best defence remains customers staying vigilant and practising good cyber hygiene, such as not installing apps from non-official app stores”.

Mr Bryan Tan, a partner from law firm Reed Smith who specialises in technology law, said customers need to do their part to avoid being victims.

“In the tech world, we talk about removing friction for added convenience, but now banks are adding friction to stop, or at least slow scammers down,” he added.

“That makes things more inconvenient, but we can’t have our cake and eat it too. Maybe in future, there’ll be a silver bullet, but there isn’t one now, and we need to act now.”

Bishan-Toa Payoh GRC MP Saktiandi Supaat, who spoke about the issue in Parliament in September, advocated a three-pronged approach.

Telcos could introduce anti-virus programs in their suite of services. And banks could introduce additional layers of checks when large sums of money are being transferred to ascertain that these funds are being moved for legitimate reasons.

Education about scams should also evolve to reach not just seniors but also the young “who may go on sites and click on links that are dubious, but seem legitimate”, Mr Saktiandi said.

Efforts to educate should also level up to address increasingly complex scams, he added.

“In the current economic environment with ageing demographics, we don’t need scams to worsen the situation for individuals who are affected by retirement inadequacy issues,” he said.

The other big question is that of liability – who should pay when scammers swindle their victims out of a lifetime of savings and even get them into debt?

DBS said it offers goodwill payments to victims after assessing their circumstances, and on a case-by-case basis.

The bank will play its “proportionate part” in protecting customers, but they also have to bear some liability, it said.

“Everyone has a part to play, including customers, and the liability for protecting the digital economy has to be spread among the companies profiting from that economy.”

Banking regulator Monetary Authority of Singapore (MAS) is working on a framework that will outline which entity is liable for losses arising from scams.

The framework, originally due to be published within three months of its February 2022 announcement, has been long delayed because of the complexity of the matter.

Mr Tan said banks and other stakeholders are anticipating a model of shared responsibility, although specifics are still unknown.

But he added that ultimately, consumers must exercise caution and bear responsibility for their actions.

“Unfortunately, people are setting themselves up in these scenarios,” he said, adding that banks will constantly face security gaps as technology evolves, and that there will always be room to improve their security.

“The problem is that it’s not as if someone broke into your property with brute force. What actually happened was they stole your credentials and were able to mimic you because of something you did, which is to install a suspicious app containing malware.”

What to do when you suspect your device has been compromised by malware:

  • Switch on flight mode on your device and check that Wi-Fi has been disabled.
  • Perform a scan on your device using an anti-virus app.
  • Check your accounts for any unauthorised transactions using another device. This includes your bank, Singpass and CPF accounts.
  • If you notice any unauthorised transactions being made, lodge a report with your bank, the relevant authorities and the police.
  • If you believe that your device has not been affected by malware after conducting the steps above, you can continue using it as normal. However, you can consider factory resetting your phone to its original state and changing your passwords as an added precaution.
