On bank phishing scams: What banking institutions do to reduce them
Singapore is tightening security measures to reinforce its banking and telecommunications infrastructure, including a requirement that SMS service providers check the Sender ID of each message against a registry before delivering it. Banks are also expected to develop "more adaptable" artificial intelligence (AI) systems to detect illicit transactions.
The enhanced precautions follow a recent series of SMS phishing attacks that drained SG$13.7 million ($10.17 million) from the accounts of 790 OCBC Bank customers. Scammers spoofed the SMS Sender ID so that their messages appeared to come from OCBC and urged victims to resolve purported problems with their accounts. Victims were directed to phishing websites and asked to enter their banking credentials, including username, PIN and One-Time Password (OTP), which the scammers then used to log in and move funds.
According to Lawrence Wong, the finance minister and deputy chairman of the Monetary Authority of Singapore (MAS), banks need to expand their fraud detection capabilities. They must also strengthen their ability to stop suspicious activity quickly and to contact customers to verify transactions before they are processed.
Authorities are also considering whether clients should be able to freeze their accounts without first contacting their financial institution if they believe their accounts have been compromised.
Banks are also looking into expanding the use of biometrics and accelerating the use of mobile banking apps for customer authentication, transaction authorisation and the delivery of bank notifications, which, according to Wong, would make it harder for scammers to impersonate the bank.
In response to the OCBC scams, the MAS mandated new security measures, including requiring banks to remove hyperlinks from emails and SMS messages sent to consumers and to impose a 12-hour delay before a newly provisioned mobile software token can be activated.
Many customers told the local media how their life savings had been wiped out, and many expressed anger at the bank's slow response when they tried to reach its 24-hour hotline. The incident also raised questions about consumer protections at a time when Singapore is promoting itself as a global hub for technology and digital finance.
“This is by far the most serious phishing scam we have seen involving spoofed SMSes impersonating banks,” Wong said to lawmakers who put forward 39 questions about the incident. “I should add that this was not a cyber attack on OCBC, but a phishing scam on OCBC’s customers who were deceived into providing their banking credentials and OTPs at scam websites set up by the scammers. At no time was the bank’s systems breached.”
OCBC has since made full goodwill payouts to all affected customers and tightened its security measures, including sending transaction notifications for PayNow and inter-bank fund transfers of any amount, down to S$0.01.
How a DPO can help against bank phishing scams
A Data Protection Officer (DPO) oversees an organisation's data protection responsibilities and ensures that it complies with the Personal Data Protection Act (PDPA). Because the DPO is accountable for the safeguards around personal data, the role is well placed to drive the controls that reduce an organisation's exposure to phishing.
For instance, at Privacy Ninja we run unannounced simulated phishing campaigns against our clients' staff to find weaknesses a bad actor could exploit, then work with the client to address them so that a real phishing attempt is far less likely to succeed.
DPOs complement the efforts of financial institutions in battling scams by ensuring that, when a cyberattack does occur, an established incident response protocol exists and can be invoked to protect customers' personal data.
DPOs therefore play a crucial role when an organisation is hit with phishing attacks like the recent OCBC incidents: they ensure that safeguards are in place before the attack happens, not improvised afterwards.
Bank phishing scams: Measures to bolster digital banking security
DPOs also ensure that the organisation's systems are reviewed for weaknesses that scammers could exploit, since a control that is bypassable, for example a contact-change workflow that does not notify the existing contact details, is what an attacker will target.
On 19 January 2022, the MAS and the Association of Banks in Singapore (ABS) announced the impending implementation of a set of additional measures aimed at enhancing the security of digital banking. The steps being introduced by Singapore's banks in consultation with the MAS include the following:
- Removal of clickable links from emails and SMS messages sent to retail customers;
- A default threshold of S$100 or lower for notifying customers of funds transfer transactions;
- A delay of at least 12 hours before a new soft token can be activated on a mobile device;
- Notification to the mobile number or email address already registered with the bank whenever a request is made to change the customer's mobile number or email address;
- Additional precautions, such as a cooling-off period before requests for significant account changes, such as changes to a customer's key contact details, take effect;
- Dedicated and well-resourced customer assistance teams that deal with feedback on potential fraud cases on a priority basis; and
- More frequent scam education alerts.
These safeguards reduce the risk of customers being duped by fake links in scam SMS messages and improve the chance that customers are promptly alerted to any fraudulent transaction or attempt to take over their bank account. Additionally, the MAS is reviewing the major banks' fraud detection processes to ensure they are prepared for the growing threat of online fraud.
Bank phishing scams: UOB's stringent measures to combat phishing scams
Like the other local banks, UOB has introduced security measures to reduce the risk of a repeat of the OCBC phishing incident. Its recent measures to combat phishing scams are the following:
- Resetting all default transfer limits to S$5,000.
- One-time fund transfers are capped at S$5,000, and additional transaction signing is required for transfers above S$1,000.
- For newly added payees, additional transaction signing is required for transfers above S$5,000.
- A 12-hour delay before a newly added payee can receive transfers.
- The transaction notification threshold is set to S$100 by default.
- A 12-hour delay before a new Digital Token is activated.
- SMS notifications whenever a request to update contact details is received.
- Email notifications the first time a customer logs in to the UOB TMRW app or UOB Personal Internet Banking from a new device or browser.
- All clickable links removed from SMS messages and emails sent by the bank.
- An anti-scam alert shown when logging in to UOB Personal Internet Banking via the UOB TMRW app.
Taken together, these measures make the OCBC pattern of attack (stolen credentials, a new payee and an immediate high-value transfer) far harder to carry out undetected, and carry the lessons of that incident forward.
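The controls in the two lists above (the MAS/ABS measures and UOB's measures) translate into simple server-side checks. The following Python is an added example, not code from UOB, OCBC, MAS or this page's author. It applies the S$5,000 default transfer limit, the S$1,000 signing threshold, the S$100 notification threshold and the 12-hour delays for new payees, soft-token activation and contact-detail changes; the `Account` and `Decision` types, the function names and the sample timestamps are my own assumptions.

```python
"""Transfer-control checks modelled on the MAS/ABS and UOB measures listed above.

Added example; thresholds and 12-hour windows come from the page, the data model
and function names are assumptions, and the sample data in main() is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta

DEFAULT_TRANSFER_LIMIT = 5_000      # S$ per transfer (UOB default)
SIGNING_THRESHOLD = 1_000           # S$; extra transaction signing above this
DEFAULT_NOTIFY_THRESHOLD = 100      # S$; notify customer at or above this
COOLING_OFF = timedelta(hours=12)   # new payee, soft token and contact-change delay


@dataclass
class Account:
    email: str                      # contact address currently registered with the bank
    transfer_limit: int = DEFAULT_TRANSFER_LIMIT
    notify_threshold: int = DEFAULT_NOTIFY_THRESHOLD
    payees_added_at: dict[str, datetime] = field(default_factory=dict)
    token_provisioned_at: datetime | None = None
    pending_email: tuple[str, datetime] | None = None   # (new address, requested at)
    outbox: list[str] = field(default_factory=list)    # notifications "sent" to the customer


@dataclass
class Decision:
    allowed: bool
    reason: str
    requires_signing: bool = False
    notify_customer: bool = False


def add_payee(acct: Account, payee: str, now: datetime) -> None:
    """Register a payee; transfers to it are blocked until the cooling-off ends."""
    acct.payees_added_at[payee] = now
    acct.outbox.append(f"to {acct.email}: payee '{payee}' added, usable from {now + COOLING_OFF:%Y-%m-%d %H:%M}")


def evaluate_transfer(acct: Account, payee: str, amount: int, now: datetime) -> Decision:
    """Apply limit, new-payee cooling-off, signing and notification rules to one transfer."""
    if amount <= 0:
        return Decision(False, "amount must be positive")
    added_at = acct.payees_added_at.get(payee)
    if added_at is None:
        return Decision(False, "payee not registered")
    age = now - added_at
    if age < COOLING_OFF:
        return Decision(False, f"payee in cooling-off for another {COOLING_OFF - age}")
    if amount > acct.transfer_limit:
        return Decision(False, f"exceeds transfer limit S${acct.transfer_limit}")
    return Decision(True, "ok",
                    requires_signing=amount > SIGNING_THRESHOLD,
                    notify_customer=amount >= acct.notify_threshold)


def provision_token(acct: Account, now: datetime) -> None:
    """Record that a new soft token was issued; it cannot be used for 12 hours."""
    acct.token_provisioned_at = now
    acct.outbox.append(f"to {acct.email}: new digital token requested, active from {now + COOLING_OFF:%Y-%m-%d %H:%M}")


def can_activate_token(acct: Account, now: datetime) -> Decision:
    if acct.token_provisioned_at is None:
        return Decision(False, "no token pending activation")
    if now - acct.token_provisioned_at < COOLING_OFF:
        return Decision(False, "token activation delay has not elapsed")
    return Decision(True, "ok")


def request_email_change(acct: Account, new_email: str, now: datetime) -> None:
    """Queue a contact change and alert the *existing* address, so a victim can object
    before an attacker redirects future notifications to an address they control."""
    acct.pending_email = (new_email, now)
    acct.outbox.append(f"to {acct.email}: request to change email to {new_email}, effective {now + COOLING_OFF:%Y-%m-%d %H:%M} unless cancelled")


def apply_email_change(acct: Account, now: datetime) -> Decision:
    if acct.pending_email is None:
        return Decision(False, "no pending contact change")
    new_email, requested_at = acct.pending_email
    if now - requested_at < COOLING_OFF:
        return Decision(False, "contact change still in cooling-off")
    acct.email, acct.pending_email = new_email, None
    return Decision(True, "ok")


if __name__ == "__main__":
    # Constructed walk-through: credentials stolen at 09:00, attacker adds a payee
    # and tries to move S$4,900 at once; the cooling-off blocks it.
    t0 = datetime(2022, 2, 1, 9, 0)
    acct = Account(email="customer@example.com")
    add_payee(acct, "mule-account", t0)
    print(evaluate_transfer(acct, "mule-account", 4_900, t0 + timedelta(minutes=5)))
    print(evaluate_transfer(acct, "mule-account", 4_900, t0 + timedelta(hours=12)))
    print(*acct.outbox, sep="\n")
```

The notification for a contact-detail change goes to the address that was registered before the request, which is the whole point of that control: an attacker who has already changed the email to their own would otherwise receive every later alert.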