No more clickable links in bank SMSes and emails as authorities respond to recent scams

These measures were introduced following a spate of SMS phishing scams targeting bank customers.
The Straits Times

SINGAPORE - Banks in Singapore will have to put in place more stringent measures to bolster the security of digital banking, such as removing clickable links in SMSes or e-mails sent to retail customers, within the next two weeks.

These additional measures were introduced in view of the recent spate of SMS phishing scams targeting bank customers, the Monetary Authority of Singapore (MAS) and the Association of Banks in Singapore (ABS) said in a joint statement on Wednesday (Jan 19).

This comes after OCBC Bank said it would cover in full the losses suffered by its customers to SMS phishing scams last month and as other local banks, the Singapore Police Force and the Supreme Court issued warnings about phishing scams targeting their users.

The measures include a delay of at least 12 hours before activation of a new soft token on a mobile device, notification to existing mobile number or registered e-mail whenever there is a request to change a customer's contact details, and dedicated customer assistance teams to deal with feedback on potential fraud cases on a priority basis.

ALSO READ: OCBC announces it will pay all SMS scam victims full sum they lost

The threshold for funds transfer transaction notifications to customers will also be set by default at $100 or lower, more frequent scam education alerts will be sent out, and additional safeguards such as a cooling-off period before implementation of requests for key account changes will also be in place.

In the statement, MAS and ABS said the growing threat of online phishing scams calls for immediate steps to strengthen controls, while longer-term preventive measures are being evaluated for implementation in the coming months.

The more stringent measures which banks will work to put in place in the next fortnight will lengthen the time taken for certain online banking transactions but also provide an additional layer of security to protect customers' funds, they added.

New measures for banks

Last month, nearly 470 OCBC customers lost at least $8.5 million to SMS phishing scams, among them a mother of seven who said she lost almost $100,000 and a couple in their 20s who took five years to save about $120,000 to start a family.

Victims received unsolicited SMSes that appeared to be from OCBC, claiming there were issues with their banking accounts and asking users to click on the link given in the message.

The link led to fake bank websites and victims were asked to key in their Internet banking account login details.

OCBC said in a statement on Wednesday that all affected customers will receive "full goodwill payouts" covering the amount they lost by next week. More than 100 victims have received their payouts so far.

DBS Bank on Wednesday also warned its customers about a fake SMS being sent to users claiming to be from the bank.

It urged customers not to click on links sent through SMSes and said it would never ask for account details or one-time passwords (OTPs) over the phone, e-mail or SMS. DBS is actively taking down such phishing sites, it added.

In a Facebook post on Wednesday, UOB encouraged customers to remain alert to scams, warning users of SMS phishing scams where the bank’s name and images are being used fraudulently. 

[embed]https://www.facebook.com/453961014813944[/embed]

In the joint statement, MAS and ABS said banks will continue to work closely with MAS, the police and the Infocomm Media Development Authority (IMDA) to deal with the phishing scams.

This includes working on more permanent solutions to combat SMS spoofing, including adoption of the SMS sender ID registry by all relevant stakeholders.

The registry pilot was launched by the IMDA last August and enables organisations to register the SMS sender ID headers they wish to protect. When there is unauthorised use of this protected SMS sender ID, the messages will be blocked.

The central bank is also intensifying its scrutiny of major financial institutions' fraud surveillance mechanisms to ensure they are adequately equipped to deal with the growing threat of online scams.

MAS and ABS stressed that customer vigilance remains key and outlined several measures customers must take to avoid falling for online banking scams:

- Never click on links provided in SMSes or e-mails;

- Never divulge Internet banking credentials or passwords to anyone;

- Verify SMSes or e-mails received by calling the bank directly on the hotline listed on its official website;

- Verify that you are at the bank's official website before making any transactions, or transact through the bank's official mobile application; and

- Closely monitor transaction notifications so that any unauthorised payments are reported as soon as possible to increase the chances of recovery.

MAS managing director Ravi Menon said the central bank is deeply concerned about the recent scams and the financial losses suffered by victims.

"The threat of scams will not go away, but we can reduce our vulnerabilities. This requires a multi-pronged response across the ecosystem," he said, adding that MAS along with other agencies will work closely with the financial industry, telecoms industry, consumer groups and other stakeholders to strengthen collective resilience against scam attacks.

ABS chairman Wee Ee Cheong said the banking industry, along with MAS and ecosystem players, will continue to strengthen consumer protection measures.

"We also ask that the public stay vigilant given that scams continue to evolve and are executed quickly.

"We remain committed to upholding the confidence with which customers can transact online safely, while still maintaining a high level of service," said Mr Wee.

[[nid:562728]]

In reply to the announcement on Wednesday, DBS said that in addition to the industry measures, it will stop sending non-essential SMSes from Friday. Only essential SMSes, such as security and trade notifications, and OTP authentication with no clickable links will be sent to retail and wealth customers until further notice, it said.

Cyber-security firm Acronis’ chief information security officer, Mr Kevin Reed, said the steps introduced by MAS and ABS help to minimise risks by removing some weak points, such as links in SMSes, and improve the response time and process of detecting fraudulent activities.

“It’s good to have extra measures implemented, but it’s simply not enough - the attacks can still continue at this point. Some of them - like the cooling-off period, more frequent education alerts - can work if implemented correctly, while others may not have the desired effect,” he noted.

These changes must be well explained to customers. Otherwise, the change can cause confusion and temporarily open up even more new opportunities for attackers, Mr Reed said, adding that close collaboration between telecoms providers and banks is crucial to complicate the work of attackers and reduce the chances of customer accounts being compromised.

Mr Leow Kim Hock, Asia chief executive of cyber-security services provider Wizlynx Group, stressed that while these measures are good to restore public confidence, given the recent spate of the scams, the key is to educate customers, especially since the technology that scammers use is constantly evolving. 

The banks could look at assessing users before they are qualified to use digital banking services, similar to how customers have to undergo a customer knowledge assessment before they wish to invest in specified investment products, he said. 

This article was first published in The Straits TimesPermission required for reproduction.