With increasingly sophisticated online scams employing artificial intelligence, machine learning and deepfake technology, financial institutions are under pressure to ensure they have sufficiently robust processes to detect and combat scams. This article explores Singapore’s response to this issue and where the responsibility lies in today’s world, where digital payments are ubiquitous and seamlessly embedded.
What’s the Problem?
On 30 August 2024, the Ministry of Home Affairs (MHA) announced it will be introducing the Protection from Scams Bill (Scam Bill) in the coming months. This will empower the Singapore Police Force (SPF) to issue Restriction Orders (RO) to the seven Domestic Systemically Important Banks (D-SIBs) in Singapore to temporarily restrict the banking transactions of targets of ongoing scams who refuse to believe that they are being scammed.[1] This is the latest of several legislative and enforcement efforts in addressing the proliferation of online scams.
When news broke in December 2021 that at least S$8.5 million was lost to phishing scams involving OCBC Bank[2] (OCBC Phishing Scam), there was intense media scrutiny and over the following few weeks, we saw that amount climb to a total of S$13.7 million with 790 victims.[3] The reported facts were: victims received unsolicited SMSes claiming that there were issues with their bank accounts; they were asked to click on a link to resolve the issue; upon clicking, they would be redirected to fake bank websites and asked to key in their account login details. They later found out that they had been scammed when they received notifications informing them of unauthorised transactions charged to their bank accounts.[4] Even though OCBC found in its investigations that these victims had provided their online banking log-in credentials and one-time PIN to phishing websites which enabled scammers to take over their accounts, OCBC made full “goodwill payouts” to the victims. At the time, there was little to go on in terms of hard law that would hold OCBC liable to the victims for the full amount lost in such circumstances, specifically where the victims had shared their log-in credentials and “authorised” these transactions. Without any specific legislation or regulatory requirements, we would look to the bank’s terms and conditions and these would typically shift the responsibility to customers to ensure that they secure their log-in credentials or access codes. The bank could certainly still be held liable where victims can demonstrate negligence on the bank’s part, e.g. a lapse in the bank’s security measures that made customers vulnerable to such phishing attacks.
It is not clear whether there were any lapses but victims reported waiting a long time to reach OCBC’s hotline and by the time they got through, the scammer had already siphoned much of their funds.[5] OCBC also noted its “customer service and response fell short” of expectations.[6]
Since then, Singapore has rolled out various anti-scam measures but it remains a growing problem. The SPF cited in its Annual Scams and Cybercrime Brief 2023 that “[t]he number of scam and cybercrime cases increased by 49.6% to 50,376 in 2023, compared to 33,669 cases in 2022. Scams (including malware-enabled scams) accounted for 92.4% of the 2023 cases, with the total number of scam cases increasing by 46.8% to 46,563 in 2023, from 31,728 cases in 2022. Job scams, e-commerce scams, fake friend call scams, phishing scams and investment scams also remain the top five scam types of concern in 2023”.[7] Further, around 13% of scams analysed by the Cyber Security Agency of Singapore (CSA) in 2023 contained AI-assisted/generated content[8] and there is increasing use of deepfake messaging using AI to mimic public figures or people personally known to scam targets. The US FBI announced in early October 2024 that losses from cryptocurrency-related frauds and scams increased 45% in 2023 from 2022, totalling more than $5.6 billion, as scammers increasingly took advantage of the speed and irreversibility of digital asset transactions.[8] With advancing technologies and evolving scam typologies, we discuss Singapore’s approach to where the responsibility lies in these online scam cases.
What Are We Doing About It?
Some of the measures taken to address the issue include:
- Since 2019, Infocomm Media Development Authority (IMDA) implemented various safeguards against scam calls and SMSes, e.g. blocking calls from scam numbers, spoofed local numbers, robo-calls based on pattern recognition and SMSes containing malicious content and links.
- In 2022, SPF established the Anti-Scam Command (ASCom) to consolidate expertise and resources to combat scams.
- In May 2022, MHA launched the E-commerce Marketplace Transaction Safety Ratings (TSR) which assigns e-commerce platforms an overall safety rating, indicating the extent to which the platforms have implemented safety features which are critical in combating scams, and the effectiveness of the platforms’ efforts in combating scams.[9] The recommended user verification measures are reported to be effective, as the platforms which have implemented all the safety features (i.e. Amazon, Lazada and Qoo10) have received a low number of e-commerce scam reports, and have been awarded the highest ratings under the TSR.[9]
- Since 2023, it is mandatory to register all alphanumeric SMS sender IDs with the Singapore SMS Sender ID Registry (SSIR), and messages from unregistered IDs are labelled as “Likely-SCAM”. From April 2024, post-paid SIM cards will be limited to 10 per subscriber.
- Facial recognition is now required for higher risk transactions on Singpass and CPF withdrawals.
- To tackle money mules who allow scammers to use their accounts or sell their bank accounts or disclose Singpass credentials, the Computer Misuse Act 1993 (CMA) and Corruption, Drug Trafficking and Other Serious Crimes (Confiscation of Benefits) Act 1992 (CDSA) were amended.
More specifically for FIs that are key in flagging and investigating suspicious transactions and players, as well as restraining the flow of potentially illicit funds, there have been several developments. The Monetary Authority of Singapore (MAS) and Association of Banks in Singapore (ABS) established anti-scam practices for major retail banks in Singapore in 2022, including the following measures:
- the removal of clickable links in emails or SMSes sent to retail customers;
- threshold for funds transfer transaction notifications to customers to be set by default at S$100 or lower;
- delay of at least 12 hours before activation of a new soft token on a mobile device;
- notification to existing mobile number or email registered with the bank whenever there is a request to change a customer’s mobile number or email address;
- cooling-off period before implementation of requests for key account changes such as in a customer’s key contact details;
- default transaction limit for online funds transfers set to S$5,000 or lower;
- emergency self-service “kill switch” for customers to suspend their accounts quickly if they suspect their bank accounts have been compromised; and
- facilitating rapid account freezing and fund recovery operations by co-locating bank staff at the SPF Anti-Scam Centre, and enhancing fraud surveillance systems to take into account a broader range of scam scenarios.[9]
The MAS proposes to extend these anti-scam measures to all banks, non-bank credit card issuers, finance companies and relevant payment service providers (responsible FIs) who issue protected accounts,[10] and not just major retail banks.[11] It will do so by amending the E-Payments User Protection Guidelines (EUPG) which sets out the MAS’ expectations of responsible FIs.
So Who is Liable?
For many online scams, funds are routed through several accounts to evade detection and once funds are transferred out of Singapore, recovery is challenging. The question then is what recourse do victims have and who should bear the loss?
In the OCBC Phishing Scam, the police reportedly froze 121 local bank accounts and recovered S$2 million lost by victims but many of the scam websites were hosted by webhosting companies based overseas.[12] The MAS took supervisory action against OCBC requiring an independent consultant to review anti-scam systems and processes. The review concluded that there was no cyberattack on its IT systems and the MAS required OCBC to maintain additional regulatory capital amounting to approximately S$330 million at 31 March 2022.[13] The MAS also declared that this one-off gesture by the bank was not a general precedent for future cases although it announced the development of a framework to provide clarity on how losses arising from scams should be shared among consumers and financial institutions.[14] In February 2024, a man linked to the OCBC Phishing Scam was sentenced to 15 months’ jail for being part of a money laundering operation and a member of an organised crime group. He admitted that he and his accomplices had sourced and provided control of bank accounts to various unknown people who were believed to be linked to overseas syndicates and these accounts were used to receive and dissipate funds from multiple victims.
Under the EUPG (which is currently in force), a responsible FI is liable for and should credit the customer’s protected account with the total loss arising from an unauthorised transaction as soon as possible once the responsible FI has completed its investigation and assessed the customer is not liable for any loss arising from the unauthorised transaction unless the customer’s recklessness was the primary cause of the loss (e.g. they failed to protect access codes or failed to report the unauthorised transaction). The EUPG also specifically spells out that the responsible FI is liable not only for the loss resulting from fraud or negligence by the responsible FI, its employee, agent or outsourcing service provider but also for any non-compliance by the responsible FI or its employees with any of its MAS regulatory requirements or its duties under the EUPG.
Going back to the facts of the OCBC Phishing Scam, the guidance under the EUPG would appear to support full payouts being provided to all affected customers. Notably, under the EUPG, “unauthorised transaction” is defined in relation to any protected account, as “any payment transaction initiated by any person without the actual or imputed knowledge and implied or express consent of an account user of the protected account” which appears broad enough to cover falling prey to a phishing scam and sharing your access code. That said, the customer would also be expected to have taken certain minimum steps to protect access to the protected account, e.g. updating the device’s browser to the latest version, patching the device’s operating system with regular security updates, etc.
Shared Responsibility Framework – FIs and Telcos
While it makes sense to look to the banks or relevant payment service providers, e.g. Grab or other e-wallet providers, as holders of your funds to block digital transfers, the contact by a scammer is not usually made through your bank or Grab. It is often through a telecommunications network provider (Telco), e.g. via SMS or on a social media platform or online marketplace.
Acknowledging the role of Telcos in tackling scams (e.g. delivering unsolicited SMSes as in the OCBC Phishing Scam), in October 2023, MAS and IMDA issued a consultation paper proposing the Shared Responsibility Framework (SRF) setting out a framework for the sharing of responsibility between responsible FIs (major banks and relevant payment services providers), telecommunications providers which are mobile network operators (Telcos) and consumers for losses arising from unauthorised transactions made through phishing scams. The SRF and EUPG are meant to complement each other with SRF drawing duties from the EUPG.
The SRF utilises a “waterfall” approach where the responsible FI is expected to bear full losses if any of its duties under the SRF are breached. Next, if the responsible FI has fulfilled all its duties but the Telco (whose duties are drawn from some of IMDA’s issued directions to Telcos under Singapore’s Telecommunications Act[15]) is assessed to have breached its duties under the SRF, then the Telco is expected to bear the full losses. Lastly, if both the responsible FI and Telco have fulfilled their duties under the SRF, then the consumer will bear the full losses.[16]
The SRF has yet to come into force although this is expected by the end of this year. Again, going back to the OCBC Phishing Scam, the SRF certainly addresses learnings from the incident. However, the SRF is designed to cover phishing scams with a digital nexus (where a consumer is deceived into clicking on a phishing link and entering his credentials on a fake digital platform thereby allowing the scammer to steal such credentials) and with a clear Singapore nexus (which means the impersonated entities must either be Singapore-based or based overseas but offer their services to Singapore residents). While phishing scams are one of the top types of scams in 2023, they only account for 12.8% of all scam types reported in 2023,[17] and do not fall under the top five scam types in terms of amount lost in 2023.[18] The SRF explicitly excludes scams where victims authorise payments to the scammer (e.g. investment scams and love scams) (authorised scams), scams where victims were deceived into giving away credentials to the scammer directly through text messages or by non-digital means, and unauthorised transaction scam variants that do not involve phishing (e.g. hacking, identity theft, and malware-enabled variants).[19] Malware scams are not included either given their evolving nature and the SRF is intended to deal with common and known scam typologies. That said, the MAS noted that Government agencies and banks are working closely to tackle malware scams and banks have announced that they will take a more forward-leaning approach towards assessing goodwill payments for customers affected by malware scams.
For scams not in scope, existing avenues for recourse remain open and these include requesting their FIs to assess their case for goodwill payments or filing a dispute with the Financial Industry Disputes Resolution Centre (FIDREC).[20]
Social Media Platforms
But does the SRF do enough to address the evolving nature of scams facing Singapore?
For authorised scams, where the victims wish to or, in some cases, insist on authorising transfers to scammers even after concerns have been raised by their banks, the powers under the proposed Scam Bill for ROs to be issued to stop payments are welcomed. In such cases, we agree FIs and Telcos should not be made to bear the losses of victims – rather the focus should be on education of the public and individual vigilance.
However, with the proliferation of fake videos on social media platforms, e.g. the deepfake video of Senior Minister Lee Hsien Loong promoting investment products, one wonders whether we are missing a vital player in the whole scam chain – the social media platforms and online marketplaces. SPF expressed concern relating to three Meta products – Facebook, WhatsApp and Instagram – which continue to be over-represented amongst the platforms exploited by scammers to contact potential victims and conduct their scams.[21] Of the scam cases where scammers contacted victims through social media, the cases that involved Facebook and Instagram constitute about 90.2% of all such cases.[21]
Various legislative measures affecting social media platforms and online marketplaces include:
- A new Online Criminal Harms Act (OCHA) was passed in July 2023 setting out requirements that online platforms must adopt. Effective 1 February 2024, the authorities are empowered to order swift blocking of fraudulent accounts or content on direct online services to prevent suspected scam accounts from interacting with or reaching Singapore users.[21] New measures to criminalise abuse of SIM cards are also expected.
- Two new Codes of Practice (COP) have been issued under OCHA. From 26 June 2024, failure to comply with these requirements may lead to issuance of a rectification notice. Failing to comply with a rectification notice is a criminal offence which can result in fines of up to S$1 million.[22]
- Under the COP for Online Communication Services, platforms like Facebook, WhatsApp, Instagram, Telegram and WeChat are required to proactively detect and take action against suspected scam and malicious cyberactivities by creating a fast-track channel to receive and act on reports from authorities. By end of 2024, they must implement reasonable verification safeguards to root out fake accounts by scammers or bots for malicious activities and they must submit an annual report to the authorities.
- Under the COP for eCommerce Services, Carousell and Facebook Marketplace will need to verify “risky” sellers for a start and if the number of scams reported on Carousell, Facebook Marketplace and Facebook advertisements does not drop significantly, MHA will require the two companies to verify the identities of all sellers and advertisers by early 2025.
However, to date, we are not aware of any requirement for these players to compensate victims should their scam detection and prevention measures fall short.
Individual Vigilance and Collective Responsibility
What the EUPG and SRF also make clear is the role and duties of the customer in scam prevention and detection. There is an emphasis on individual vigilance and responsibility to practice proper cyber hygiene as the view is that full restitution without due consideration of culpability is neither fair nor desirable, as it can erode vigilance and personal responsibility, and lull consumers into complacency.[23]
Notwithstanding its limited scope, the SRF is a crucial first step in implementing a reimbursement framework which forms one part of the broader scheme of anti-scam efforts across the board. At the time the SRF was proposed, it was the first to include Telcos in the scam reimbursement frameworks. As Australia has recently announced its proposals to include not just Telcos but also social media platforms in its scam reimbursement framework, it would be interesting to see whether Singapore revisits the scope of the SRF given how rapidly scam typologies and anti-scam practices are evolving. We can certainly see benefits in placing responsibility on the whole of the scam chain.
“Cooperation is the thorough conviction that nobody can get there unless everybody gets there.” – Virginia Burden Tower.
Tackling online scams is not simply your problem or my problem, but our problem.
Endnotes
[1] https://www.mha.gov.sg/mediaroom/press-releases/public-consultation-on-protection-from-scams-bill/#:~:text=Proposed%20Protection%20from%20Scams%20Bill&text=The%20proposed%20Bill%20seeks%20to,money%20transfers%20to%20the%20scammer.
[2] https://www.channelnewsasia.com/singapore/ocbc-phishing-sms-scam-do-not-click-bitly-url-link-2407796
[3] https://www.ocbc.com/group/media/release/2022/media-statement-30-jan-phishing-scam.page
[4] https://www.channelnewsasia.com/singapore/ocbc-phishing-sms-scam-do-not-click-bitly-url-link-2407796
[5] https://www.straitstimes.com/tech/tech-news/how-sms-phishing-scams-have-affected-ocbc-customers-and-put-text-messaging-security-in-focus
[6] https://www.ocbc.com/group/media/release/2022/media-statement-30-jan-phishing-scam.page
[7] https://www.police.gov.sg/Media-Room/Police-Life/2024/02/Three-Things-you-Should-Know-About-the-Annual-Scams-and-Cybercrime-Brief-2023#:~:text=The%20number%20of%20scam%20and,from%2031%2C728%20cases%20in%202022
[8] https://www.channelnewsasia.com/business/losses-crypto-scams-grew-45-2023-fbi-says-4596876
[9] https://abs.org.sg/docs/library/mas-abs-media-release-on-2-june-2022
[10] “protected account” means any payment account that (a) is held in the name of one or more persons, all of whom are either individuals or sole proprietors; (b) is capable of having a balance of more than S$500 (or equivalent amount expressed in any other currency) at any one time, or is a credit facility; (c) is capable of being used for electronic payment transactions; and (d) where issued by a relevant payment service provider is a payment account that stores specified e-money.
[11] MAS Consultation Paper on Proposed Enhancements to the E-Payments User Protection Guidelines (October 2023), at para 3.1
[12] https://www.straitstimes.com/singapore/politics/2m-from-ocbc-scams-recovered-121-local-bank-accounts-frozen-desmond-tan
[13] https://www.ocbc.com/group/media/release/2022/media-statement-mas-response.page
[14] https://www.todayonline.com/singapore/ocbcs-goodwill-payouts-scammed-victims-were-one-gesture-do-not-set-general-precedent-future-cases-mas-1809656
[15] MAS Consultation Paper on Proposed Shared Responsibility Framework (October 2023), at para 5.10
[16] MAS Consultation Paper on Proposed Shared Responsibility Framework (October 2023), at para 6.1
[17] https://www.police.gov.sg/-/media/C0363F7D6965423B94454A98A6FB67B6.ashx, at para 8
[18] https://www.police.gov.sg/-/media/C0363F7D6965423B94454A98A6FB67B6.ashx, at para 9
[19] MAS Consultation Paper on Proposed Shared Responsibility Framework (October 2023), at para 4.4
[20] MAS Consultation Paper on Proposed Shared Responsibility Framework (October 2023), at para 4.6
[21] https://www.mddi.gov.sg/media-centre/press-releases/measures-to-protect-singaporeans-against-online-scams/
[22] https://www.straitstimes.com/singapore/new-codes-of-practice-require-carousell-facebook-to-verify-risky-sellers-advertisers-to-curb-scams
The post Tackling Online Scams – Your Problem or Mine? appeared first on The Singapore Law Gazette.