13/01/2022

Phishing and other SMS scams

How Malware takes remote control of your HP after you download 3rd party apps

Update 27 Sep 2023: Spate of Online Scams

An online order for grouper fillets that was supposed to cost $10 ended up costing one woman more than $44,000 after scammers took control of her Android phone and banking details remotely.

Ms Jacqueline Khoo, 58, lost $44,487 from two credit card accounts and three bank savings accounts from POSB in a few hours after she clicked on a link to download a third-party app, following which scammers then increased her credit limits and siphoned out her money. Ms Khoo had chanced upon a Facebook advertisement for grouper fillets from a seafood supplier called “Fresh Market TGS” on Aug 25.

She was attracted by a deal that offered $10 grouper fillet with free shipping and contacted the seller on Facebook. “Although I never bought anything from Facebook before, I had previously bought fish and pork from Shopee and Qoo10. I was not suspicious of the ad and it never occurred to me that this was a scam,” she told The Straits Times.


Banks to remove clickable links in emails, SMS sent to customers as part of new security measures
New measures for digital banking are to be rolled out for banks in Singapore, after a recent spate of SMS phishing scams affected at least 469 of OCBC's customers

Banks in Singapore will be removing clickable links in emails or SMS messages sent to retail customers and set the threshold for funds transfer notifications to customers by default at S$100 or lower. These are part of several measures to protect account holders from phishing scams. The changes, announced by the Monetary Authority of Singapore (MAS) and the Association of Banks in Singapore (ABS) in a joint statement on Wednesday (Jan 19), will be implemented within the next two weeks.

The new measures came after at least 469 customers were affected by an SMS phishing scam targeting OCBC bank customers, with losses totalling at least S$8.5 million. The fraudsters had sent out fake bank alerts that spoofed the bank's official SMS channel, duping many of them into clicking on web links and giving up their personal account information last month. In the joint statement, MAS and ABS said that these measures will bolster the security of digital banking, given that it will lengthen the time taken for certain online banking transactions and also provide an added layer of security to protect customers’ funds.

Other measures that banks will be putting in place include:
  • Delaying activation of a new soft token on a mobile device by at least 12 hours
  • Sending notification to a customer's existing mobile number or email registered with the bank whenever there is a request to change a customer’s mobile number or email address
  • Introducing a cooling-off period before executing requests to important account changes such as in a customer’s key contact details
  • Having dedicated and well-resourced customer assistance teams to deal with feedback on potential fraud cases on a priority basis
  • More frequent scam education alerts


Anti-SMS spoofing registry to shut and be replaced by full-fledged system

A registry meant to combat SMS spoofing will be shut down and replaced by a full-fledged system in response to the recent spate of SMS phishing scams, said the Infocomm Media Development Authority (IMDA) on Monday (Mar 7).

The SMS SenderID Protection Registry, which was initially piloted in August 2021 by IMDA and the Monetary Authority of Singapore (MAS), was done in collaboration with the UK Mobile Ecosystem Forum (MEF) as a commercial service provider. "MEF had informed that IMDA’s requirements to meet Singapore’s needs going forward are not consistent with its business model," said IMDA, in response to CNA's queries. "As IMDA will be moving towards a more fully-fledged SSIR, the MEF and IMDA have therefore jointly decided to conclude our pilot which has provided us with useful inputs to move on with our new model." It added that the recent spate of SMS phishing scams in Singapore warranted a "strong response".

The authority said that the "full-fledged" Singapore SMS Sender ID Registry (SSIR) can identify spoofed messages using protected SMS sender IDs, and block these messages upfront. "This more proactive stance to better protect consumers is a regulatory requirement going forward."


SMS providers, telcos to be required to block spoof SMSes from unregistered senders

The Infocomm Media Development Authority (IMDA) will require short message service (SMS) providers and telecommunications companies to check SMS senders against a national registry aimed at curbing scams, Communications and Information Minister Josephine Teo said. The SMS service providers and telcos will have to block spoofed messages sent under a registered sender ID when the sender’s details do not match the registry’s records, she added.

Mrs Teo, who is also the Minister-in-charge of Smart Nation and Cybersecurity, announced this in a ministerial statement in response to 39 parliamentary questions filed by Members of Parliament on online phishing and spoofing scams in the wake of the recent OCBC phishing scam. Sender IDs are names that identify the sender of an SMS message so that a word or phrase (such as "OCBC"), instead of a number, is displayed on the recipient's mobile phone.

All organisations seeking to send SMS messages using IDs registered with the SMS Sender ID protection registry must also have a valid unique entity number (UEN), which is an identification number issued to a registered entity. This, she said, will help the police with investigations in the event of a scam. However, even with the extra safeguards, Mrs Teo warned that the SMS system was never designed for secure messages and urged organisations to practise more restraint when sending such messages.


All government agencies to be on anti-SMS spoofing registry after spate of scams

All government agencies will register with a new anti-SMS spoofing registry to protect the names they use to send text messages to the public, in the wake of a spate of SMS phishing scams targeting OCBC Bank customers.

"This will make it more difficult for attackers to send spoofed messages disguised as government agencies, and facilitate tracing efforts by the Ministry of Home Affairs to catch scammers," said the Smart Nation Digital Government Group on Friday (Jan 21).

The group added that it will also explore using other channels, such as the inbox feature in the Singpass app, for the Government to send messages to the public.



New measures announced to boost digital banking security amid spate of SMS phishing scams

Additional measures will be put in place within the next two weeks to bolster security of digital banking services, following a recent spate of SMS phishing scams targeting bank customers. 
“The growing threat of online phishing scams calls for immediate steps to strengthen controls, while longer-term preventive measures are being evaluated for implementation in the coming months,” the Monetary Authority of Singapore (MAS) and the Association of Banks in Singapore (ABS) said on Wednesday (Jan 19).

“MAS expects all financial institutions to have in place robust measures to prevent and detect scams as well as effective incident handling and customer service in the event of a scam.” The measures include the removal of clickable links in SMSes or emails sent to customers, setting a default threshold of S$100 or lower for funds transfer transaction notifications and having a delay of at least 12 hours before the activation of a new soft token on a mobile device. Banks will also send a notification to the existing mobile number or email registered with the bank whenever there is a request to change these details.

Additional safeguards such as a cooling-off period before implementation of key account changes – such as key contact details – and more frequent scam education alerts will also be put in place. Dedicated and well-resourced customer assistance teams to deal with feedback on potential fraud cases on a priority basis are also required. 



Banks should devote more resources to thwart cyber theft, and take their fair share of responsibility

DIGITAL banking is by now ubiquitous and that is a good thing. Until recently most individuals would profess confidence in the security of online banking where the most common precaution used by banks is 2-factor authentication. This means that after a client accesses his or her digital account via a user name and password, a second layer of verification kicks in where a one-time password (OTP) is sent via SMS, or by a physical or digital token. The vulnerabilities of this framework were thrown into sharp relief in the recent phishing debacle that engulfed 470 clients of OCBC, where roughly S$8.5 million was siphoned from their accounts last December.

To be sure, phishing isn't a new phenomenon. This mode of cyberattack, involving fraudulent communication that looks like it is from a reputable source, is in fact among the most common today. The attack steals customer data such as credit cards, bank accounts or instals malware into people's devices. Customers are often warned not to click on links sent by SMS from unknown parties, but the rub in this case is that the fraudulent messages came in the same thread as genuine OCBC messages.

The Monetary Authority of Singapore has stepped up to say it will consider supervisory action against OCBC. On its part, OCBC has promised the bank's phishing scam victims their money back. It called the scam "particularly aggressive and highly coordinated", and conceded that its customer service and response had fallen short. Some affected customers reported a long waiting time on OCBC's hotline, during which accounts were emptied within minutes.


Shouldn’t banks bear the cost?
Millions have been lost by customers but could safeguards have been put in place by banks to protect the monies of their customers? This phishing problem is a shared responsibility, Pinsent Masons partner Bryan Tan says

In December 2021, OCBC Bank made several announcements warning about scams targeting OCBC customers. These SMSes purportedly from OCBC claimed there were issues with the recipient’s bank accounts or credit cards. But they were not actually sent from the bank.

Instead, the SMSes carried links to a fraudulent website requesting for banking information and passwords to resolve these “issues”. Unsuspecting customers would be asked to key in sensitive bank account login information like their username, PIN and One-Time Password (OTP).

Using this information, the scammers could then transfer monies out of the affected customers’ accounts and carry out other transactions. The scammers would reroute received monies through various, often overseas accounts, making it difficult to track their movement and even harder to recover the cash.



Dealing with scourge of online scams
Victims received unsolicited SMSes purporting to be from the bank, claiming there were issues with their banking accounts & they had to click on a link given in the SMS to resolve the issue. PHOTO: SPORE POLICE FORCE

Scammers using fake text messages have targeted at least 469 OCBC Bank customers in recent phishing scams in which the victims have lost around $8.5 million in total. OCBC is not the only bank to have been targeted by fraudsters: Customers of DBS Bank or POSB, too, have felt their malevolence. Indeed, banking scams are part of a wider criminal use of the Internet to compromise everyday computer and online activity, to say nothing of threatening telephone calls from fake authorities that make victims drop their guard and composure to go along with the tricksters' demands.

Scams are nothing new. If anything, they are like a mutating virus which evolves constantly, updating its technique every time the devious methods of a previous attack are uncovered, revealed publicly and dealt with.

Sophistication marks the attack on OCBC customers. It is apparent that scammers have access to advanced software that enables them to spoof telecommunications services and send SMSes that appear in the same threads used by real organisations. Even if victims do not provide their one-time passwords, they fall prey when they enter other bank details on fraudulent sites. In the circumstances, customers are entitled to ask whether Internet banking remains as safe as it is claimed to be. It is one thing for banks to say that their security systems have not been compromised, but another when unsuspecting customers find themselves duped of their money, which sometimes cannot be recovered.



OCBC phishing scam underscores trade-off between convenience and security, with bank customers at risk
Bank customers will generally be held liable for losses suffered in a banking scam only where they engage in gross negligence, experts said

As banks move towards digital banking, the recent phishing scam that affected hundreds of OCBC customers highlighted the trade-off between convenience and banking security, with bank customers at risk of bearing the entire financial cost of such modern day bank robberies, experts said.

After all, a scam in which the customer willingly, albeit unknowingly, gave up his bank account information to a cleverly disguised fake website is not technically a breach of the bank's cybersecurity infrastructure.

Mr Bryan Tan, a partner at law firm Pinsent Masons, told TODAY: "The current position is that the loss lies where it falls. If the money came out from your side, and you allowed (scammers) to authorise the transaction, the bank can defend themselves by saying they do not have a clue that the user isn't you." However, an ongoing review by the authorities on the responsibilities and liabilities of consumers and financial institutions for fraudulent payment transactions, announced last year, may give hope to those who practise good digital health.



Caution: OCBC customers lose $140k in 10 days as scams spike by 8 times
The bank is working with the Singapore Police Force's Anti-Scam Centre to try and help the affected customers recover their lost funds. The Straits Times/Chong Jun Liang

OCBC Bank on Thursday (Dec 23) warned that there has been a sharp rise in the number of phishing scams via SMS impersonating it, with 26 customers losing a total of $140,000 to these scams in 10 days, from Dec 8 to 17.

It said: "For the month of December so far, OCBC Bank has detected and initiated the takedown of 45 phishing websites, about eight times more than the average takedown requests every month." The bank said of the scams: "Members of the public have received unsolicited SMSes purportedly from the bank claiming there are issues with their bank accounts or credit cards. The SMSes contain a link to a fraudulent website disguised as a legitimate bank website requesting banking information and passwords."

OCBC said it would never send customers an SMS to inform them of an account closure or that they have been locked out of their accounts temporarily. It added that it would not send an SMS to customers with a link to reactivate their accounts as well. "These are always communicated via physical letters to prevent online fraud."



OCBC Scam Allegedly Erases Couple’s Life Savings, They Hope Banks Will Be More Accountable
OCBC Scam Allegedly Wipes Out Couple’s Life Savings In 5 Transactions

Losing one’s hard-earned money through a vicious scam can really put someone down for the count.

Even though it’s a horrible experience, a couple in Singapore managed to find some perspective and fortunately came out of the incident better than most. The couple had allegedly lost their life savings through an OCBC scam but managed to recover money from 2 out of 5 unauthorised overseas transactions.

In a Facebook post, the couple shared their hopes that banks will be more accountable with cases like theirs.



Banks need to accept more responsibility for protecting customers against scams
It's easy for the government and banks to encourage everyone to switch to digital banking but look what happens when people get scammed

To the editor:
  • My husband tells me that it is not my fault. But I find it hard to believe.
  • I am Siti, a mother of seven wonderful children. A wife to a caring educator. A victim of the most recent OCBC Scam.
  • I am grateful that celebrities like Jamie Yeo are making the plight of our family more visible. Echoing our pain so something can be done, this is so much more compared to the silence we are hearing from OCBC right now. Over 16 days have passed and all the news that OCBC has given us, is a hastily replied extension of the timeline to 45 days for any answers. You would think, since this has happened to OCBC before, that they would have a department that offers a human touch in dealing with the heartbreak of losing your life’s savings. But no. No responses. No updates. No financial assistance. Nada.
  • Life has to go on for us, the victims. But how? I feel so helpless at the lack of help. Especially when I see the faces of my children, the real victims in this case – $60,000 of my children’s future wiped out. The monies we have so frugally saved, to ensure that they have a chance for success – gone.


Scrap SMS use in wake of rising scams, banks urged

RISING SMS-related banking scams continue to expose a damaging weakness in Singapore's cybersecurity infrastructure, one that remains challenging to pinpoint exactly where given the hyper-connectedness of our networks today.

Banks, telcos, payment providers and government agencies all have some part to play in beefing up their own systems, experts said, calling for stronger cooperation within the industry as well.

"No single entity can address this alone. Cybersecurity is a team sport and it is constantly evolving," Koo Juan Huat, Cisco director of cybersecurity for Asean, told The Business Times.



New type of phishing scam targets bank customers with spoof SMSes
Screenshots of a spoof SMS (left) with a link directing victims to a phishing website (Screenshots: SPF)

Banking-related phishing scams have re-emerged in the form of spoof SMSes that trick victims into thinking they were sent by their bank. 
A total of S$1.07 million was lost in 374 cases of such scams between January and May this year, said the Singapore Police Force (SPF) in a news release on Saturday (Jul 10).

Victims of the scam received an SMS allegedly sent by their bank to inform them of payment attempts detected from their bank account. "As the scammers had spoofed the bank's SMS accounts, the scammers' message might appear in the same SMS conversation thread as a bona fide SMS message from the bank," said the police. The message prompted the victims to click on the link provided if they had not made the transactions.

When victims clicked on the link, they were led to a phishing website resembling the bank's official website. They were then asked for their personal particulars, Internet banking details and one-time passwords. After providing the details, the victims realised they had been scammed when they received SMSes about money being transferred from their accounts, said SPF. The police reminded the public not to click on links or call the numbers provided in unsolicited messages, and to verify the authenticity of the information with the official website or sources.



How to spot an investment scam

Find out how you can spot an investment scam and what you can do to avoid falling prey to one. Key takeaways:
  • All investments carry risks. Be wary of opportunities that offer high returns at little or no risk.
  • Don't take everything at face value, or rush into committing your money.
  • Always ask, check and confirm before you invest.
Scammers use increasingly sophisticated and effective tactics to get you to part with your money. Even though some investment scams may look like a real deal, there are some red flags you can spot to help you steer clear of them. All investments carry risk. The greater the promised investment returns, the higher the risk. Be wary when you encounter an investment opportunity that claims to guarantee or protect your capital while promising high returns. Many investment scams offer such lucrative promises in order to lure investors in.

It is important to check how the investment scheme can generate such high profits with low or no risk. Benchmark the returns - find out what other investments offer the same returns and see what the risks are like. It is unlikely that the investment you are being offered can provide the same returns without the same risks at least. Pressure tactics:
  • "Limited time only! Invest before it sells out!"
  • "Special rates for first 50 investors. Don't miss out on this golden opportunity!"
  • "More than 2,000 people have invested - what are you waiting for?"
  • "Invest today and get extra 10% credit with many other benefits."

POLICE ADVISORY – PHISHING SCAMS TARGETING BANK CUSTOMERS

The Police have observed an increasing trend in phishing scams where scammers impersonate banks and target victims through SMSes or Facebook advertisements. Since November 2021, at least 27 victims have fallen prey to such scams with reported losses amounting to at least $109,000.

In some of these cases, victims would receive unsolicited SMSes claiming that there were issues with their iBanking accounts and they would be asked to click on a link in order to resolve the issues. In other cases, they would come across fake bank advertisements on Facebook offering prizes. Upon clicking on the links embedded within the SMSes and Facebook advertisements, victims would be redirected to fake bank websites and asked to key in their iBanking account login details. Victims would discover that they had been scammed when they received notifications informing them of unauthorised transactions charged to their bank accounts.

Members of the public are advised to follow these crime prevention measures:
  • Do not click on dubious URL links provided in unsolicited text messages and online advertisements;
  • Always verify the authenticity of the information with the official website or sources;
  • Never disclose your personal or Internet banking details and OTP to anyone;
  • Report any fraudulent transactions to your bank immediately. 
If you have any information relating to such crimes, please call the Police Hotline at 1800-255-0000, or submit it online at www.police.gov.sg/iwitness. If you require urgent Police assistance, please dial ‘999’.


Another family loses life savings, this time to DBS’ S’pore Bicentennial Commemorative S$20 note phishing scam
Her mother was scammed by an SMS posing as DBS bank, wherein the receiver was "eligible to receive the Singapore Bicentennial Commemorative Note of S$20 for free."

A concerned individual appealed for assistance online after her mum fell victim to a “DBS Bicentennial Commemorative Note” phishing scam, resulting in her life savings “gone within seconds.”

Complaint Singapore Facebook page member Nayer Soh asked for advice from others on Sunday (Jan 23) as they were allegedly left in the dark regarding another phishing scam incident. She noted that her mother was scammed by an SMS posing as DBS bank, wherein the receiver was “eligible to receive the Singapore Bicentennial Commemorative Note of S$20 for free.”

The SMS included a URL which, once clicked, enables scammers to retrieve the victim’s banking information and passwords. “Her entire life savings is gone within seconds, we called the bank and made police report immediately, but till today DBS has given no update (sic),” wrote Ms Soh.


Flier supposedly giving out FairPrice vouchers not created or endorsed by supermarket
The flyer has a QR code that leads to an online financial survey. PHOTO: NTUC FAIRPRICE/FACEBOOK

A flier being distributed that purports to give away free FairPrice vouchers is not from the supermarket chain, said FairPrice. The Chinese New Year flier instructs people to scan a QR code to an online financial survey to receive $20 worth of FairPrice vouchers. It is not clear if actual FairPrice vouchers are being given out.

In a Facebook post on Monday (Jan 24), FairPrice said the fliers are of unknown origin. It is not currently running any promotion that requires users to complete a survey to obtain gift vouchers, it added. "We would like to clarify that this flier and its attached promotion is neither created nor endorsed by FairPrice," said the supermarket. There have been a slew of high-profile scams recently, and organisations are on high alert. Nearly 470 OCBC customers lost at least $8.5 million in total last December in an SMS phishing scam. Some lost life savings built up over the years for their families.

FairPrice has also been targeted by scams. In 2018, it had to clarify that a message telling people that it was giving out gift cards worth $400 for its 45th anniversary was a scam. In 2016, a phishing scam claimed to offer people who filled in an online survey $500 in FairPrice vouchers.



Did Uncle Cai invest in spider webs? Why are they all over him? 😥

#金刚媒体 #kingkongmediaproduction MoneySense


4 common types of scams and how to recognise them

Scams are on the rise. Nearly 470 OCBC Bank customers lost at least $8.5 million to a spate of SMS phishing scams last month, and other banks such as DBS and UOB recently warned of similar scams impersonating bank employees.

Here are some of the most common types of scams going around:
  • SMS phishing scams - In the recent scams involving OCBC Bank, fraudsters sent SMS messages claiming to be from the bank to trick its customers.
  • Impersonation scams - Another type of phishing scam involves crooks posing as authority figures such as the police, job recruiters or government officials.
  • E-commerce and delivery scams - Scams involving fake item listings often take place on e-commerce marketplaces, auction sites or trading features on social media platforms.
  • Love scams - Posing as attractive potential partners, scammers usually target vulnerable victims on dating and social media platforms, often using stolen photos on their profiles.


Top 10 Scams in Singapore - How You can Avoid being Scammed
Scams have been increasing of late. Here’s how to stay safe

Ever received emails from “royals” seeking help to transfer money out of their country in exchange for a percentage of the loot? Or phone calls informing you that you’ve won a seven-figure overseas lottery and the only way to receive the payout is by providing your banking details? These are just some examples of classic scams that have been around since mobile technology became a part of our everyday life.

Scammers, though, have been evolving in recent years, becoming sophisticated cons who not only target individuals but businesses and organisations as well. The first half of 2020 saw the number of scams in Singapore jump by 140 per cent compared to 2019. More troublingly, a survey by the Home Team Behavioural Sciences Centre found that 45 per cent of scam victims reported being scammed more than once. According to the Singapore Police Force, last year saw a whopping $201 million lost to scammers, much of it online as Singaporeans turned to websites and apps to carry out activities like banking and buying groceries due to the COVID-19 pandemic. Scammers have also begun to target people working from home through robocalls, as well as seniors who are unfamiliar with the Internet.

The rising number of scam victims is testament to the increasing psychological sophistication of scammers’ tactics in crafting false proof, impersonating the victim’s close friends and using the victim’s shame about possibly falling for a scam to continue extracting money from them. Romance scammers are especially adept at identifying victims who are lonely, vulnerable and easily manipulated — a group that is increasing in size worldwide, due to COVID-19’s impact on social lives. Ensure your safety and that of others by familiarising yourself with common methods of fraud. Here are the top 10 scams in Singapore (in no particular order):
  • E-COMMERCE
  • SOCIAL MEDIA IMPERSONATION
  • INTERNET LOVE
  • CREDIT-FOR-SEX
  • CHINESE OFFICIALS IMPERSONATION
  • TECH SUPPORT
  • BANKING-RELATED PHISHING
  • NON-BANKING-RELATED PHISHING
  • LOANS
  • INVESTMENT

What Is a Pig-Butchering Scam and How to Prevent It?

A “pig-butchering scam” is a fraud method that uses online dating to induce users to participate in various types of fraudulent investments, such as fake financial investments, gambling games and foreign exchange. Scammers call the deceived users “pigs”.

Scammers follow established scripts, presenting themselves as rich and handsome or beautiful, then induce users to fall in love with them and try to gain their trust. This stage is called “pig raising”. Once a certain emotional foundation has been built, scammers start to lure the other party to invest. This final stage of the fraud is “kill the pig”.

Suggestions for preventing “kill the pig” fraud:
  • “Don't believe it”: be cautious when making friends online. Don't trust people you meet online, and don't believe investment lies such as “stable profit without loss” or “low cost and high return”.
  • “Don't be greedy”: refuse the temptation of gambling and high-return investments. Remember that it is the greedy who get deceived, because there is no such thing as a free lunch.
  • “Don't transfer”: don't transfer money to unfamiliar accounts. Be cautious even when transferring money to acquaintances, and talk to and check with your relatives and friends to avoid falling into a “trap”.