Banks and financial institutions in Singapore will have to implement new security measures that have been mandated following a series of phishing SMS scams that wiped out the savings of several victims. These measures include the removal of hyperlinks from emails or text messages sent to consumers and a 12-hour time limit for the activation of mobile software tokens.

The Monetary Authority of Singapore (MAS) and the Association of Banks of Singapore (ABS) said in a statement on Wednesday that the additional measures were aimed at bolstering the security of digital banking, in light of recent scams targeting bank customers.

The SMS phishing scams involved at least 469 customers of OCBC Bank and resulted in losses of over S$8.5 million, including S$2.7 million lost over the recent three-day Christmas weekend alone. Several of the victims are said to have lost their life savings, including a 43-year-old man whose account was cleared of S$500,000, a 38-year-old male software engineer who lost S$250,000, and a 33-year-old financial executive who had his account emptied of S$68,000.

In these cases, the scammers manipulated the sender ID details of the SMS to send messages that appeared to come from OCBC. These SMS messages urged victims to fix problems with their accounts, redirecting them to phishing websites and asking them to enter their banking login details, including username, PIN and one-time password (OTP).

Since OCBC’s legitimate sender ID was successfully cloned and spoofed, these messages appeared in the same thread as previous alerts or notifications from the bank, leading victims to believe that they were legitimate.

Affected OCBC customers have also expressed frustration at being put on hold when they tried to contact the bank’s hotline to have their accounts locked, after receiving notifications of payment transfers and of requests to increase their transaction limits, which they never made.

“MAS expects all financial institutions to have robust measures in place to prevent and detect scams as well as effective incident handling and customer service in the event of a scam,” the regulator said in its statement. “The growing threat of online phishing scams requires immediate action to tighten controls, while longer-term preventative measures are being evaluated for implementation in the coming months.”

Local banks, in consultation with the MAS, would work to implement stricter measures within the next two weeks. This would include setting the default threshold for remittance transaction notifications to S$100 or less and triggering a notification to the existing mobile number or email address registered with the bank, whenever a request is made to change a customer’s mobile phone number or email address.

Banks should also set up dedicated and “well staffed” customer support teams to handle customer feedback on potential fraud cases, MAS said. The regulator added that additional safeguards should be implemented, such as applying a cooling-off period to key account change requests, including changes to a customer’s contact details.

In addition, the banks are reportedly working closely with MAS, local law enforcement and the Infocomm Media Development Authority (IMDA) to deal with the current “scam scourge”. This would include working on more permanent measures to combat SMS spoofing, including the adoption of an SMS sender identification registry by all relevant stakeholders, MAS said.

“MAS is also stepping up its review of the fraud oversight mechanisms of major financial institutions to ensure they are properly equipped to deal with the growing threat of online scams,” the regulator added.

MAS Managing Director Ravi Menon said: “The threat of scams will not go away, but we can reduce our vulnerabilities. This requires a multi-pronged response across the ecosystem. MAS, together with the police, IMDA and other relevant government agencies, works closely with the financial sector, telecommunications industry, consumer groups and other stakeholders to build our collective resilience against fraudulent attacks. We will ensure that digital banking services remain secure, efficient and reliable.”

OCBC said on Wednesday that all customers affected by the SMS phishing scam would receive “full goodwill payments” including the amount they lost. This came after its earlier statement on Monday that it had started making “goodwill payments” since January 8; that statement did not say whether these covered the full amount lost by customers.

The bank acknowledged that its customer service and response “falls short” of customer expectations.