Tackling the scourge of scams

The rise of sophisticated online scams and the resulting financial devastation on victims is a critical concern impacting Singaporeans from all walks of life. Across our nation, residents, both young and old, tech-savvy and not, have fallen victim to these fraudulent schemes.

I have met constituents who have lost their life savings to scammers, with even fixed deposit accounts being cleared out by these criminals. Some have joint accounts with their children or parents, doubling the impact on families. These incidents demonstrate a concerning vulnerability that affects us all. While I consider myself relatively tech-savvy, I have to admit that even I feel the looming threat of becoming a victim one day.

Many victims I have spoken with describe a disheartening response from their banks. Upon reporting the fraud, they frequently receive responses that are frustratingly vague and non-committal. The banks offer little information, citing banking secrecy, and at times offer a goodwill payment that doesn’t fully cover the loss. Victims are sometimes told by the police that the funds have been transferred overseas and nothing further can be done to retrieve the funds.

The technical nature of these scams is deeply concerning. “Drive-by download” attacks and the more advanced “zero-day” exploits make it possible for malware to be installed on phones with little or no user action. These methods exploit vulnerabilities in operating systems and applications.

In view of these sophisticated attacks, how far do the authorities investigate each reported scam, especially those involving screen reading and keylogging malware? Without thorough investigations, it will not be possible to ascertain fault and ensure that innocent victims are not held responsible for losses they did not cause. Is the default blame then placed on the victims who have to bear most of the financial loss?

Scams have emerged as a formidable obstacle in advancing digital access for our citizens, particularly in our senior community. Numerous elderly residents I have encountered express a fear of using internet banking or online payments because they are apprehensive about falling prey to scams. Consequently, I find myself hesitant to advocate the use of digital banking to them, despite its convenience, due to the real risk of them losing their entire life savings if they are targeted by scammers.

This situation has precipitated what the Member for Aljunied, Ms Sylvia Lim, aptly describes as a “crisis of confidence” with the digital banking system. Unless the authorities address the issue of scams more effectively and establish stronger consumer protections, our extensive efforts to transition all our citizens into a digitally empowered society will come to nought.

One tool the government has on hand to deal decisively with scams is the Online Criminal Harms Act. This will allow the government to, inter alia, direct online platforms to disable access to accounts suspected to be involved in scams. Parliament passed this Act last July; however, it is only set to be progressively rolled out from this year. When will the Online Criminal Harms Act be fully operationalised? Given that an average of 87 scams are taking place every day in Singapore, each day of delay will be one day too late for many scam victims.

Banks must shoulder a greater responsibility in protecting their customers. I echo Ms Sylvia Lim’s earlier call for banks to reintroduce physical tokens as the default measure for multi-factor authentication for all their customers. Multi-factor authentication relies on a combination of “something you know” and “something you have”. However, when phones are compromised by malware, allowing scammers to view screens and keystrokes, this system collapses into a single factor. This allows scammers, who have access to the password entered by the user, to bypass the additional security layer. Therefore, bringing back physical tokens will reinstate the crucial second layer of security.

The Monetary Authority of Singapore (MAS) must more assertively and decisively tackle the problem of scams in the banking system to protect consumers. In my dealings with MAS when advocating for constituents victimised by scams, I have observed that MAS tends to forward these critical cases to the banks for follow up, instead of directly addressing and resolving the issues on behalf of victims. This delegation process then places the onus on the banks to determine who is at fault — the institution or the victim — for the occurrence of the scam. Such a practice raises serious concerns about the impartiality and effectiveness of the investigation.

I have also observed a discrepancy in MAS’ approach to enforcing actions on financial institutions for different violations. On one hand, MAS imposes very punitive measures like restrictions on acquisitions and additional capital requirements on banks when there are brief downtimes in online banking and ATM services. On the other hand, this level of decisiveness and rigour is markedly absent when addressing scam cases. MAS should require banks to tackle scams with the same level of intensity and rigour as they do in safeguarding consumers’ interests for system outages. 

Scam victims need a comprehensive explanation from a knowledgeable and impartial entity like MAS about how the scam occurred. This explanation should detail the roles of banks, telcos, customers and other entities in both the occurrence and prevention of such scams. This will determine who is responsible and who should bear the cost of these fraudulent acts.

Furthermore, responsibility should not be limited to financial institutions, telcos and consumers. Social media companies and mobile phone handset manufacturers should be held accountable for securing their platforms against scams. All handsets sold in Singapore should be required to disable side-loading of apps by default and make it difficult for end users to override critical security features. Social media platforms should be required to have processes in place to remove fraudulent posts soon after being notified.

The Ministry of Communications and Information has revealed that a notable proportion of residents, approximately 37%, do not regularly update their devices. Many of these may be less tech-savvy users. It is not reasonable to expect that everyone will have the technical proficiency to keep their devices updated. Therefore, consumer protection strategies must be designed on the premise that a significant number of users will not know how to keep their devices updated, and should incorporate additional layers of security to safeguard these users.

A central agency should oversee all scam investigations and responses. I am aware of the Anti-Scam Command (ASCom) and the important work their officers are doing. However, given that ASCom is a department under the Commercial Affairs Department of the Singapore Police Force, I don’t think they can be held accountable for whole-of-government efforts to combat scams. Who, therefore, is ultimately accountable for the government’s anti-scam efforts?

To summarise, my recommendations are as follows:

First, banks must significantly increase their responsibility towards customer protection, including by providing physical tokens to customers.

Second, MAS should take a more active role in ascertaining responsibility for scams carried out on banks’ digital platforms and supporting victims.

Third, the Online Criminal Harms Act needs to be fully operationalised without further delay.

Fourth, the government needs to hold technology companies more accountable for the security of their platforms and devices.

And finally, a central anti-scam agency should oversee and be ultimately accountable for the government’s anti-scam efforts.

Mdm Deputy Speaker, we stand at a critical juncture in the battle against scams. Our actions in the face of this scourge will define our commitment to protecting our citizens in the digital age. Let’s act swiftly and decisively to protect our people and, indeed, ourselves. I support the Motion.

Loss of CPF savings through malware scams

The Singapore Police Force reported that Android device users lost at least $99,800 of their Central Provident Fund (CPF) savings in June 2023 alone through malware-related scams. During the 4 July Parliament sitting, Minister for Manpower Tan See Leng said that victims had installed apps which contained malware that “allowed the scammer to take full control of the phone, steal banking and Singpass credentials stored in the phone and perform unauthorised CPF log-ins and withdrawals.”

Ordinarily, Singpass credentials — specifically the six-digit passcode — would not be stored on the phone as they would be input from memory by users. Passcodes certainly should not be stored in the Singpass app itself. This prompted me to ask the Minister if there was a vulnerability in the Singpass app, and if so, whether MOM was working with GovTech to patch it.

As it turned out, what the Minister meant was that some victims stored their Singpass credentials in a “notepad” app on their phones and this was what the malware was able to read to log in via Singpass and access their CPF accounts.

This is but one way scammers can access your savings if you choose to install apps from outside the Google Play Store or Apple Store. All users can better protect themselves from such scams by following the advice in the 29 June 2023 joint statement by CPF Board, GovTech and the Police.

This is the Parliament exchange I had with the Minister:

The Minister for Manpower (Dr Tan See Leng): Mdm Deputy Speaker, my response to this Parliamentary Question will also address the Parliamentary Question filed by Mr Zhulkarnain Abdul Rahim as a written Parliamentary Question for yesterday’s Sitting. 

Since January 2023, the Police received more than 700 reports of victims having downloaded malware onto their phones, with more than $8 million worth of savings lost through unauthorised withdrawals from the victims’ bank accounts and so on. Based on the investigations thus far, nine of these cases involved unauthorised Central Provident Fund (CPF) withdrawals, amounting to a net loss of $124,000 in CPF savings. I would like to add that the ninth case did not result in loss of CPF savings. So, even though nine involved unauthorised CPF withdrawals, the ninth case itself did not result in the loss of CPF savings because the Singapore Police Force (SPF) managed to stop the transfer out from the bank account of the CPF member.  

CPF monies were paid from members’ CPF accounts to their own bank accounts and then they were subsequently withdrawn from these bank accounts by the scammers.

The modus operandi of these malware-related scams has been extensively covered in an earlier joint advisory from the Police, Government Technology Agency (GovTech) and CPF Board on 29 June 2023. In gist, the victims downloaded malware-infected Android Package Kits, or APK, from unauthorised sites and they subsequently turned on accessibility services when told by the scammer to purportedly facilitate the purchase of items at a steep discount. Doing so allowed the scammer to take full control of the phone, steal banking and Singpass credentials stored in the phone and perform unauthorised CPF log-ins and withdrawals.

I urge all Singaporeans to stay vigilant. We should update our phones regularly with the latest security patches and we should only download apps from official app stores and exercise the greatest of caution when we are prompted to turn on accessibility services. These accessibility services are mainly meant to assist users with disabilities to use their devices, such as by allowing apps to read and control your screen.

As a further precaution, CPF Board and GovTech have introduced additional authentication measures since 22 June 2023 to increase the protection for CPF members. Members may be asked to perform Singpass Face Verification (SFV) or other checks when accessing CPF e-services. This provides additional security in addition to the existing two-factor Singpass authentication required for accessing CPF e-services. Members who require assistance on CPF services and the SFV can visit the CPF service centres and Singpass counters respectively. They may also call the Singpass helpdesk.

These additional safeguards may make it slightly less convenient for members to perform certain CPF e-services but I think members would agree that it is better to be safe than sorry. This is especially so in light of new threats. The Government will continue to review and monitor these threats closely and work closely alongside the banks to introduce more precautionary measures where necessary.

The Police will spare no effort in tracking down those responsible for such malware incidents and will take tough action against them. I urge anyone with information on such crimes to contact the Police immediately.

Mr Gerald Giam Yean Song (Aljunied): Madam, just now I heard the Minister say that the scammers were able to obtain the victims’ Singpass credentials from their phones after they managed to install the app on their phone. Is MOM working with GovTech to patch this vulnerability if it, indeed, is a vulnerability? 

Dr Tan See Leng: I thank Mr Gerald Giam for his question. Perhaps, Mr Giam may not have an appreciation of the different steps that these scammers sort of would navigate to actually get the CPF members to download these apps. Today, the vulnerability appears to be in the Android phones and generally our members may have just gone online, whether it is on Facebook or some other form of social media, and come across some particular app which purportedly gives him a steep discount; a very, very good deal, in which they have to download that particular app. And once they download the app, they will, more often than not, get phone calls from someone helping them to navigate and to use the app.

And they then hand over some of the navigational options to this and turn on the accessibility services on their Android phone itself. That then exposes themselves to all these scammers to then undertake and take over their information.

So, the added precautionary measure that we have put up is that for vulnerable members, they would need an additional step of using the Singpass Face Verification. We have these identities stored, because the NRICs, the passports, we have that. Based on our records, we can then ensure that the person who is logging in and making these withdrawals actually corresponds to the actual member and not through some scam account.

So, we believe that, today, that added step, which to some members cause a lot of inconvenience, is sufficient as a precautionary measure. I hope that addresses your concern. 

Mdm Deputy Speaker: Mr Gerald Giam.

Mr Gerald Giam Yean Song: To clarify, I understand the process in which the scammers use to access the phone. But just now the Minister said that once the accessibility is enabled, the scammers are able to read the passwords that are stored in Singpass. Typically, these passwords should not be stored at all inside the phone. So, I just want to understand whether or not this is something that is being looked into, as to why is it that passwords are stored inside the phone for that reason? 

Dr Tan See Leng: I think there are a myriad of reasons why people store their passwords on their phones, in their notepads and so on. There are also members who write it down somewhere in a booklet and they put it at home.

I cannot tell you how members will want to store their passwords to remind themselves. But I think the added measure today, first of constantly educating our public to not download any form of innocuous-looking apps from unauthorised stores, unauthorised sites and also to not just switch on the accessibility services; and at the same time, not release details to someone who is unknown over the phone and at the same time adding on the additional security verification through the Singpass Face Verification step, I think it is sufficient for us to prevent, today, unauthorised withdrawals from the CPF account. Of course, I said that there are also parallel initiatives to deal with what happens after the money goes into the banking account.

So, there are all these measures that we are doing. 

I would not want to be in a position of hubris where we say that we have got it all figured out. Because today, cybersecurity constantly evolves – scammers and hackers are getting more and more creative. So, we have to constantly work at nudging our people, working with one another to keep reminding all of our members, all of our citizens, to always be vigilant. At the same time, the Government will also constantly find new ways to step up our precaution to protect our members. I hope that gives you the reassurance. 

Mdm Deputy Speaker: Senior Minister of State Janil. 

The Senior Minister of State for Communications and Information and Health (Dr Janil Puthucheary): Thank you, Mdm Deputy Speaker. I raised my hand, but I think Minister Tan had already made the point. The information is being taken from other parts of the phone, not as Mr Giam had asked about. But the point has been made by Dr Tan already.

Source: Singapore Parliament Reports (Hansard)


Proactively preventing scams

The Online Criminal Harms Bill (“the Bill”) was introduced for the purpose of empowering the authorities to combat online crimes more effectively, and safeguard the public in Singapore from various online harms. It is also supposed to enable swift government action against online criminal activities, proactively preventing scams and malicious cyber activities to protect potential victims. 

Scams are the online criminal activities that loom largest against Singaporeans these days. While I support the Bill, I would like to seek clarification on how the Bill will be able to empower the authorities to deal with scams in ways that existing legislation does not.

According to data from the Singapore Police Force (SPF), the victims of some 31,700 scam cases were cheated of almost $661 million in 2022 — $29 million more than the year before. This works out to an average of almost $21,000 cheated per case. These are staggering amounts of hard-earned savings of Singaporeans lost to scammers. Quite a few victims are my residents who approached me for help to recover their lost savings. Sadly, in most cases, the money had been spirited overseas and could not be recovered.

The Infocomm Media Development Authority (IMDA) and police currently work with Internet service providers to block scam websites. In 2021, 12,000 suspected scam websites were blocked, many with the help of artificial intelligence (AI) algorithms that can quickly detect and block scam websites. This means that if a new phishing website was set up to collect usernames and passwords of bank customers, the Government is already empowered to immediately order that website to be blocked, so that no more users in Singapore can access it. What difficulties have the authorities faced in expeditiously blocking actual scam websites that necessitate the introduction of this Bill?

I note the Minister’s explanation in her speech just a moment ago that this Bill will enable the authorities to block websites if there is reasonable suspicion that they are being prepared in advance of a scam. Can I confirm that this means if someone were to register a domain name that is a variant of, say dbs.com, it will get proactively blocked, even if the website does not contain any content yet and even if that domain is registered overseas? 

Similarly, if a telephone number is reported to have been used to carry out scams, is the Government already empowered to direct telcos to immediately block such numbers? Are there any encumbrances to doing so now that require this Bill?

The Minister previously said that scam calls made over the Internet, such as through messaging apps like WhatsApp, are currently not blocked. With this Bill, would scam calls made over the internet now be blocked through an Account Restriction Direction that can be issued to Online Service Providers?

Will SMS redirection attacks, which redirect text messages containing OTPs sent from banks to hackers, be more effectively blocked under this Bill, and if so, how will they be more effectively prevented than under the current regime?

The National Crime Prevention Council (NCPC) and Open Government Products have developed ScamShield, an anti-scam app which automatically blocks scam calls, detects scam messages and allows users to report scam messages and calls. I’m glad to note that a version of ScamShield for Android devices has finally been released. However, in order for SMSes from known scam numbers to be blocked, a user will need to install the ScamShield app and give the app permissions to read their SMS and contacts. This is a multi-step process, which some non-technical users may struggle with. Indeed, even technical users may be reluctant to grant such intrusive access on their phones.

The NCPC says that more than 600,000 people have downloaded the ScamShield app. This means more than 5 million residents in Singapore still do not have ScamShield installed, and presumably more do not have the app set up to block scam messages. To better protect potential victims of scams who are unaware of ScamShield or choose not to install the app on their phones, the Government should direct telcos to block all verified scam messages and calls, without depending on end users to install ScamShield. These should include those scam phone numbers reported by end users through ScamShield and verified by the NCPC and the police. Time is of the essence, since it only takes seconds for an unwitting victim to click on a phishing link and enter their username, password and OTP, and for the scammers to clear out their bank account or CPF accounts.

While the ScamShield app, ScamShield bot and website do provide forms for people to report suspected scams, how many people are aware of these reporting channels and actually use them? How does the Government intend to promote their use? How will it encourage their use and explain them to those who find adopting such technology challenging?

The ScamShield bot is able to take in reports of scam messages in non-English languages, but can only reply to users in English. Are there plans to enable it to reply in Chinese, Malay and Tamil, so that more non-English speakers can interact with the bot?

More should be done to leverage the knowledge of the entire population to more quickly and comprehensively identify scams, and block scam numbers before more people fall victim to them. This can be done through better publicity of these reporting channels, giving updates to users when their reports were used for police investigations or when the number is blocked, and making it easier for users to report scams.

The scam epidemic is a gargantuan problem which needs to be tackled more effectively by the Government, telcos and financial institutions. I hope that this Bill will give these agencies and organisations more levers to do so, to prevent more Singaporeans from falling victim and losing their hard-earned savings to these criminals.


This is a speech I delivered during the debate on the Online Criminal Harms Bill on 5 July 2023 in Parliament.


Safeguards against scams involving CPF monies

Scams against senior citizens have become worryingly common these days. With many seniors able to withdraw large amounts of money from the CPF accounts once they reach 55, this group may be a prime target for scammers. I therefore asked a Parliamentary question on 9 May 2022 whether CPF Board imposes any daily withdrawal limits or enhanced scrutiny for extraordinarily large withdrawals of CPF funds to safeguard against scams. The Minister’s answer is below:

DAILY WITHDRAWAL LIMITS FOR CPF FUNDS AND SAFEGUARDS IN PLACE AGAINST SCAMS INVOLVING EXTRAORDINARILY LARGE SUMS

Mr Gerald Giam Yean Song asked the Minister for Manpower (a) whether the CPF Board imposes any daily withdrawal limits for CPF funds that members are eligible to withdraw; and (b) whether the CPF Board has a threshold beyond which extraordinarily large withdrawal sums are subject to enhanced scrutiny to safeguard against scams.

Dr Tan See Leng: CPF Board takes a serious view towards safeguarding members against scams. At the same time, the CPF Board recognises that we should not unnecessarily inconvenience members for the vast majority of transactions that are legitimate. This is why we do not impose any daily withdrawal limits or thresholds. However, CPF Board will only pay to a member’s bank account after verification that the bank account belongs to the member.

CPF Board has put in place several measures to give members a greater peace of mind against illegitimate transactions. First, before any CPF withdrawals are authorised, CPF Board authenticates the identity of the person making the withdrawal request to ensure he or she is the owner of the CPF accounts involved. This is done by verifying against the member’s identification card for face-to-face requests or through the use of Singpass two-factor authentication for online requests.

Second, CPF members receive a notification via email or SMS for any withdrawal of CPF monies from their accounts. Members are encouraged to update their latest mobile number or email address via the CPF website by logging in with their Singpass so they do not miss out on such notifications. 

Third, CPF Board verifies that a bank account indeed belongs to the member before making any payment.  

CPF Board’s safeguards are in line with existing practices in the financial industry such that banks do not impose limits for transactions between verified accounts held by the same person within the same bank. As outlined in Minister Lawrence’s Ministerial Statement in February 2022, Monetary Authority of Singapore (MAS) and the banks are looking to introduce further measures for significant changes to their accounts such as fund transfers that are large relative to their overall balances. CPF Board will review these safeguards regularly to ensure that they are effective and align with industry practices, where applicable.

Citizen vigilance is imperative in the fight against scams. Members should take necessary precautions to guard against potential scams when they receive unsolicited calls and refrain from giving away their Singpass or internet banking credentials. CPF Board staff are also trained to assist members to respond to scam cases. When in doubt, always verify the authenticity of the information with CPF Board through multiple online and offline channels. 

Source: Parliament Hansard