SINGAPORE - More people were tricked into divulging to scammers their one-time passwords (OTPs) for online transactions, resulting in 1,101 victims losing around $15.3 million in total last year.
It was more than a fourfold increase from 2018, when 244 victims were cheated of about $456,000 in total.
At a press conference on Wednesday (April 1), the police said the scammers used various platforms to target their victims.
These platforms include social media, phone calls and online chat applications. The scammers either impersonated government officials, technical support staff or the victim's friends to access personal details and accounts.
The scammers used "various ruses to induce the victims to share their OTPs, such as helping the victim to join a contest or to resolve some technical issues, or telling the victim that he/she has won a prize", added the police.
Once they had the OTPs - a security feature to verify a user's identity for online transactions - the scammers used them to access the victim's accounts and either transferred money out to another account or used the funds within the account for fraudulent online purchases.
The scammers also used other ruses such as bank phishing scams - in which fraudsters pretend to be bank officials to trick victims - and lucky draw scams, where victims are told they have won lucky draws.
Citing a real-life example, police said a 75-year-old retiree lost $74,997 to a scammer who called her pretending to be a Singtel technician.
The retiree was told that her Singtel account had been compromised by a "hacker", and she was instructed to download an application called "Teamviewer", for Singtel to conduct "investigations".
The scammer then remotely accessed her computer, and asked her for her bank login details and an OTP, claiming he had to check if her account had been compromised.
The woman provided these details, but realised subsequently that the scammer had remitted some of the money in her account to Hong Kong. She lodged a police report the next day.
The whole ruse can be over in a matter of minutes.
A victim who wants to be known only as Marie said in just 20 minutes, she was cheated of $500 last week by someone who had impersonated her male ex-colleague by contacting her via Instagram.
After she gave him her mobile number, the scammer said a six-digit code from Grab was going to be sent to Marie’s phone. It was for a contest, she was told.
As she was preoccupied, she did it without thinking and assumed her “ex-colleague” needed it for his company’s promotions.
But Marie, 23, grew suspicious when the “ex-colleague” started asking for her credit card and bank details as well.
When she checked her Grab account, she discovered unauthorised transactions amounting to $500. “The police told me that I might not be able to get the money back... it was a hard lesson for me,” said Marie.
Superintendent of Police Chew Jingwei, Head of syndicated fraud in the Commercial Affairs Department, said scams involving OTPs are especially worrying, as victims often do not know that someone is using their account for transactions, said Supt Chew.
"If someone asks for your OTP over the phone, it is a big red flag. By giving your OTPs away, you are exposing yourself to fraud," said Supt Chew.
Banks such as OCBC and firms operating online payment platforms like Grab have included warnings of such fraudulent methods in their text messages to customers containing the OTPs, to remind users not to disclose passwords.
OCBC's head of operational risk management Patrick Chew said bank staff will never ask the public for information like login credentials and OTPs over the phone or in any other direct communication with users.
"Do not be afraid to hang up a phone call if you suspect something is amiss.
"You can always return the call to the telephone numbers that are posted on the websites of the organisations they claim to be from, to verify if the call is genuine," said Mr Chew.
Mr Foo Wui Ngiap, the head of integrity group at Grab, said technology advances can only go so far in preventing fraud if users are not vigilant. OTPs act like keys to a subscriber’s account, said Mr Foo.
“Basically, you can have the most locked-up high-tech house, but if you pass your keys to the front door to somebody else, they can just walk right in,” he added.