SINGAPORE - Picture this - a man wearing a jacket bearing the name of your bank turns up at your door, declares there is a problem with your account and asks you to hand over your details so he can fix the issue.
And all without showing a bank identification card or even seeming to know your name.
Pretty much everyone would spot this as a scam and laugh at the notion of handing over important bank details to a guy with "crook" written all over his face.
Even the idea that a bank would send an employee door to door to ask for customers' details is preposterous in itself. The reality is no bank would ever approach customers and ask for banking details outside of a branch.
This applies even to online banking.
Remember those times you call the bank for assistance? They ask for personal details only to verify your identity; the staff do not ask for your account details because a real bank knows everything about you. Only scammers want such information because they don't know who you are and what accounts you hold.
Most people would not hand over bank details to strangers who show up at their doors even if they wear a shirt with the bank's name.
But how come such vigilance disappears when you receive an SMS or e-mail asking you to hand over your banking details by logging into a site? And instead of wearing a bank's name on their shirts, online scammers spoof the bank's name via electronic messages to say your account has a problem and that you must key in your account details by clicking on the attached link.
The message still does not identify you by your name or IC number, and if you pause to think for a moment, why would a bank ask you to log into your account to verify a banking problem when it could resolve such issues at its end?
Yet scores of bank customers have fallen victim to such phishing scams, which lure them to part with critical data by setting up fake bank sites. In the latest phishing scam involving OCBC bank customers, 790 of them lost a total of $13.7 million to the crooks.
Such scam tactics have been around for years, so it is worrying that many of the recent victims were young and tech-savvy; some even worked in tech-related jobs.
Cyber-security and corporate governance expert Anthony Lim, who is a fellow at the Singapore University of Social Sciences, believes that the pervasive use of social media and online services has made many people impatient - they yearn for instant results because they are used to getting answers with a tap of their phones.
"It is common knowledge that no bank will ask its customers to log into their accounts via SMS or e-mails whatever the circumstances and yet many people continue to do so. Scammers are counting on their behaviour of always clicking on links without checking and they have succeeded yet again.
"It is time for all of us to take a step back and pause... if there appears to be a problem."
Mr Lim notes that scammers always use "fear tactics" to push their victims into doing their bidding. Some of these ruses include claims that their accounts have been hacked, their relatives were hurt or kidnapped, and more recently, being in contact with Covid-19 patients.
He says people can avoid being ripped off if they take the time to make their own checks instead of following the instructions that come with such calls and messages.
Here are four good practices that can prevent you from being the next scam victim.
1. Always be on the alert when you are online
The authorities and the banks have stepped up various measures that can make it harder for scammers to siphon money from a victim's account. These include lowering the default fund transfer amounts as well as delaying the process of putting the changes to accounts, such as adding a new payee, into effect.
But all these efforts will come to nought if you still respond to unsolicited messages and calls and then disclose your account details. This is akin to allowing thieves to enter your home and hoping that someone will stop them before they escape.
Note that if a bank's database is truly compromised, it will usually make a public announcement and then take remedial steps to solve the problem. In short, if you didn't do anything that put your own account at risk, you have nothing to worry about.
Some people wonder why it is hard to recover the stolen money. After all Hollywood movies suggest that all bank transfers leave a digital trail that allows the cops to track down the criminals.
The reality is that once money is transferred overseas, it is hard to even locate the owners of the recipient accounts as they could just be money mules who allow their accounts to be used and they know nothing about the real masterminds.
2. Have only one online banking practice
Everyone who uses digital banking should do this - always do your banking transactions the same way and never deviate from this practice.
This means bank online only through the official bank apps on your phone or from your personal computer that is well-protected from spyware, and log into the genuine website by keying in the URL yourself, instead of googling for the bank websites.
This is because scammers are known to use online ads to push their fake sites to unsuspecting users.
Even if you feel compelled to log in to check after receiving a message that says your account is compromised, do so in your usual way and not by clicking any links in the message. And never use a stranger's device or do important transactions in public places because your keystrokes and inputs can be recorded easily, either by embedded software or hidden cameras.
3. Save important hotlines on your phone
When you plan for retirement, you start now and not wait when you are retired. Similarly, when you are planning for financial security, you do it now and not wait for troubles to hit you.
Start by saving all the relevant hotlines on your phone so that you can call instantly without having to search for the numbers online. Again, it is not wise to search for important information only when you need it because you can also end up with outdated, or worse, decoy links.
4. Don't keep big sums in your savings account
Some of the recent OCBC Bank victims had up to a few hundred thousand dollars in savings accounts that were wiped clean by the scammers.
This begs the question: Why keep so much money in a savings account because even from a financial planning perspective, this is not prudent given that you earn a pittance in interest every month.
Even if you prefer to hold cash and not invest it, put the portion that you are unlikely to use in the near future in a fixed deposit with a different bank.
Doing so will allow you to enjoy a higher rate because it is "fresh funds" to the new bank and if you do not have online banking with this bank, no one else can touch your money.
You can open a fixed deposit with the same bank but if a scammer gains access to your online account, you should know that fixed deposits can also be withdrawn online.
Yes, it is more troublesome to open a fixed deposit with another bank but the incentive for doing so is peace of mind and up to a couple of thousand dollars extra from the higher interest as a reward for your vigilance.