How the banking industry is stepping up to keep you safe in a digital world

As the world moves into an era of connected devices, big data, cloud computing and Internet of Things, so have criminals.

Statistics from the Singapore Police Force show that scams remain the main driver of crime in the first half of 2022, with phishing scams the second-most common – after job scams.

In phishing scams, victims typically receive SMSes or calls from fraudsters posing as banks, government agencies or e-commerce sites, and are duped into revealing banking details to these fraudsters, who then make monetary transactions from the victims’ bank accounts. These scams where victims give away their banking credentials to scammers are viewed as “unauthorised” scams, compared with “authorised” ones where victims unwittingly transfer money on their own accord to scammers.

These fraudsters have targeted not only the elderly who are less savvy with digital banking, but also the younger generation who regularly use online payments and
transfers. No one person is immune to scams.

“Scammers do not target any specific customer demographic and everyone is potentially vulnerable to scams. From what we have seen, scam victims do not fall into any particular customer profile. We have seen young and old, digitally savvy individuals and those new to online banking, fall victim to scams,” says Ms Ong-Ang Ai Boon, director of The Association of Banks in Singapore.

Around $7.8 million was lost through 2,301 reported cases of phishing in the first half of 2022, compared with the $6.7 million lost via 1,102 cases over the same period last year.

To thwart scammers, local banks have introduced new measures in recent months. Here’s how these measures make it more difficult for scammers to dupe their victims, and why they matter:

Banks in Singapore will no longer include clickable links in SMSes or e-mails sent to account holders. Now, when an account holder receives a prompt from the bank, he would have to manually type in the bank’s URL in the website browser to follow up on the alert. Alternatively, they can check for updates via the mobile banking app.

SMSes or e-mails with clickable URLs are among the most common channels used by scammers. When recipients click on these links, they are directed to fraudulent websites that resemble a bank’s website. When recipients attempt to log into the fake websites, personal information such as bank account login details, passwords and one-time passwords (OTP) are revealed to scammers. Scammers can use these details to access and take over the victims’ banking accounts on banks’ official websites.

Previously, the default minimum sum for transactions to trigger SMS or e-mail alerts to customers was decided by individual banks. These thresholds apply to transactions ranging from ATM withdrawals to online transfers and credit card purchases.

Banks in Singapore have moved that threshold down to a default $100, or lower. In this way, scammers attempting to make transactions of more than $100 will trigger alerts. If an account holder finds a transfer suspicious, he should immediately call the bank to report the incident.

On top of transaction notifications, account holders can also lower the daily transaction limit – set by banks to a default $5,000 or lower for online transfers since June – for their accounts. Any sum that exceeds this limit, regardless of whether it is made by the account holder or a scammer, will be automatically rejected by the bank.

Account holders will receive notifications on their phones, via e-mail or in their letterboxes whenever contact details such as a mobile number or e-mail address linked to their bank accounts are changed.

These notifications will set off alarm bells if the change was not requested by the
account holders. It is crucial that account holders pay attention to these notifications, because for OTPs, which are used to authenticate transactions, will be sent to these updated phone numbers and e-mail addresses.

Banks have added a buffer of 12 hours for the activation of new soft tokens. This will prevent an immediate account takeover by scammers and give account holders
time to react if their soft token was shifted to a scammer’s device. The duration of the cooling-off period – set at a minimum of 12 hours – varies from bank to bank.

The 12-hour wait for activation may seem like an inconvenience, but is a necessary step towards combating scams as banks attempt to balance customers’ need for convenience with security.

If an account holder suspects that a scammer has started moving money out from his account, he can activate a “kill switch” to prevent further losses.

This action will immediately freeze his bank account, including Internet and mobile banking access. The “kill switch” can be activated via the bank’s hotline.

By Oct 31, 2022, all major retail banks in Singapore will have this feature available to their customers.