How the banking sector is mobilizing to ensure your safety in a digital world

As the world enters an era of connected devices, big data, cloud computing and the Internet of Things, so do criminals.

Singapore police statistics show that scams remain the main driver of crime in the first half of 2022, with phishing scams being the second most common, after employment scams.

In phishing scams, victims typically receive text messages or calls from fraudsters posing as banks, government agencies, or e-commerce sites, and are tricked into revealing their bank details to these fraudsters, who then carry out monetary transactions from victims’ bank accounts. These scams where the victims give their banking credentials to the scammers are considered “unauthorized” scams, compared to “authorized” scams where the victims unwittingly transfer money on their own to the scammers.

These scammers have targeted not only older people who are less savvy about digital banking, but also the younger generation who regularly use online payments and transfers. No one is safe from scams.

“Scammers don’t target any specific customer demographic and everyone is potentially vulnerable to scams. From what we’ve seen, scam victims don’t fall into any particular customer profile. We’ve seen people young and old, digitally savvy and new to online banking, fall victim to scams,” says Ms. Ong-Ang Ai Boon, Director of the Singapore Banking Association.

About $7.8 million was lost in 2,301 reported phishing cases in the first half of 2022, compared to $6.7 million lost in 1,102 cases during the same period last year.

To thwart the scammers, local banks have implemented new measures in recent months. Here’s how these measures make it harder for scammers to trick their victims, and why they’re important:

1. No more clickable links in text messages or emails

Banks in Singapore will no longer include clickable links in text messages or emails sent to account holders. Now, when an account holder receives a prompt from the bank, they must manually enter the bank’s URL into their web browser to act on the alert. Alternatively, they can check for updates through the mobile banking app.

Text messages or emails with clickable URLs are among the most common channels used by scammers. When recipients click on these links, they are taken to fraudulent websites that look like a bank’s website. When recipients attempt to log in to the fake websites, personal information such as bank account login details, passwords, and one-time passwords (OTPs) is revealed to the crooks. Crooks can use this information to access and take control of victims’ bank accounts on official bank websites.

2. Lower Default Threshold for Transaction Notifications

Previously, the default minimum sum for transactions to trigger SMS or email alerts to customers was decided by individual banks. These thresholds apply to transactions ranging from ATM withdrawals to online transfers and credit card purchases.

Singapore banks have lowered this default threshold to $100 or less. This way, scammers attempting to transact over $100 will trigger alerts. If an account holder finds a suspicious transfer, they should immediately call the bank to report the incident.

In addition to transaction notifications, account holders can also lower the daily transaction limit — set by banks at $5,000 or less by default for online transfers since June — for their accounts. Any sum exceeding this limit, whether made by the account holder or by a scammer, will be automatically rejected by the bank.

3. Notification of change of contact details

Account holders will receive notifications to their phone, email or mailbox whenever contact details such as a mobile phone number or email address linked to their bank accounts are changed.

These notifications will set off alarm bells if the change was not requested by the account holders. It is crucial that account holders pay attention to these notifications, as OTPs, which are used to authenticate transactions, will be sent to these updated phone numbers and email addresses.

4. Cooling off period for creating a new token

Banks have added a 12-hour buffer for the activation of new soft tokens. This will prevent an immediate takeover of the account by scammers and give account holders time to react if their software token has been moved to a scammer’s device. The length of the cooling-off period – set at a minimum of 12 hours – varies from one bank to another.

The 12-hour wait for activation might seem like an inconvenience, but it’s a necessary step to combat scams as banks try to balance customers’ need for convenience with security.

5. Kill switch to freeze accounts

If an account holder suspects that a scammer has started withdrawing money from their account, they can activate a “kill switch” to prevent further losses.

This action will immediately freeze their bank account, including internet and mobile banking access. The “kill switch” can be activated via the bank’s hotline.

By October 31, 2022, all major retail banks in Singapore will make this feature available to their customers.
