More fall for OTP scams, lose over $15m

More people were tricked into divulging to scammers their one-time passwords (OTPs) for online transactions, resulting in 1,101 victims losing around $15.3 million in total last year. It was a sharp increase from 2018, when 244 victims were cheated of about $456,000.

At a press conference yesterday, police said the scammers used various platforms to target their victims. These platforms include social media, phone calls and online chat applications. The scammers impersonated government or bank officials, technical support staff or the victim's friends to access personal details and accounts.

The scammers used "various ruses to induce the victims to share their OTPs, such as helping the victim to join a contest or to resolve some technical issues, or telling the victim that he has won a prize", added the police.

Once they had the OTPs - a security feature to verify a user's identity for online transactions - the scammers used them to access the victim's accounts, and either transferred money out to another account or used the funds within the account for fraudulent online purchases.

Citing a real-life example, police said a 75-year-old retiree lost $74,997 to a scammer who called her pretending to be a Singtel technician. The retiree was told that her Singtel account had been compromised by a "hacker", and she was instructed to download an application for Singtel to conduct "investigations".

The scammer then remotely accessed her computer, and asked her for her bank login details and an OTP, claiming he had to check if her account had been compromised. The woman provided the details, but realised subsequently that the scammer had remitted some of the money in her account to Hong Kong. She lodged a police report the next day.

The whole ruse can be over in a matter of minutes. A victim, who wanted to be known only as Marie, said she was cheated of $500 in just 20 minutes last week by someone who had impersonated her male former colleague by contacting her via Instagram.

After she gave him her mobile number, the scammer said a six-digit code from Grab was going to be sent to Marie's phone. It was for a contest, she was told. As she was preoccupied, she did it without thinking and assumed her "former colleague" needed it for his company's promotions.

But Marie, 23, grew suspicious when the scammer started asking for her credit card and bank details as well. When she checked her Grab account, she discovered unauthorised transactions amounting to $500. "The police told me that I might not be able to get the money back... it was a hard lesson for me."

Superintendent of Police Chew Jingwei, head of syndicated fraud in the Commercial Affairs Department, said scams involving OTPs are especially worrying, as victims often do not know that someone is using their account for transactions. "By giving your OTPs away, you are exposing yourself to fraud."

Banks such as OCBC Bank and firms operating online payment platforms such as Grab have included warnings of such fraudulent methods in their text messages to customers containing the OTPs, to remind users not to disclose passwords.

OCBC's head of operational risk management Patrick Chew said bank staff will never ask the public for information such as login credentials and OTPs over the phone or in any other direct communication with users.

Mr Foo Wui Ngiap, the head of integrity group at Grab, said OTPs act like keys to a subscriber's account. "Basically, you can have the most locked-up high-tech house, but if you pass your keys to the front door to somebody else, they can just walk right in," said Mr Foo.

A version of this article appeared in the print edition of The Straits Times on April 02, 2020, with the headline 'More fall for OTP scams, lose over $15m'. Print Edition | Subscribe