The Monetary Authority of Singapore (MAS) and the Association of Banks in Singapore (ABS) are introducing a new set of measures to improve the security of digital banking, in light of recent SMS phishing scams, such as the December OCBC scams that saw 469 victims lose a collective S$8.5 million.
Among the new measures, banks will no longer be allowed to send clickable links in emails or SMSes to retail customers and must have a mandatory cooling-off period whenever key account changes are made.
MAS said in its statement on Jan. 19 that it expects all financial institutions to have in place "robust measures" to prevent and detect scams, and specified "effective incident handling and customer service in the event of a scam".
MAS said the recent spate of phishing scams necessitates "immediate steps" to strengthen controls.
It is also evaluating "longer-term preventative measures" in the coming months.
No more clickable links, 12-hour delay for soft token activation
MAS will work with banks in Singapore to put in place the following measures within the next two weeks:
- Removal of clickable links in emails or SMSes sent to retail customers
- Threshold for funds transfer transaction notifications to customers to be set by default at S$100 or lower
- Delay of at least 12 hours before activation of a new soft token on a mobile device
- Notification to existing mobile number or email registered with the bank whenever there is a request to change a customer’s mobile number or email address
- Additional safeguards, such as a cooling-off period before implementation of requests for key account changes, such as changes to a customer’s key contact details
- Dedicated and well-resourced customer assistance teams to deal with feedback on potential fraud cases on a priority basis
- More frequent scam education alerts
MAS acknowledged that these more stringent measures will lengthen the time taken for certain online banking transactions, but "will provide an additional layer of security to protect customers’ funds".
Working on "permanent solutions" to combat SMS spoofing
Banks will also work closely with MAS, the Singapore Police Force, and the Infocomm Media Development Authority (IMDA) to "deal with this scourge of scams".
This entails finding "more permanent solutions" to combat SMS spoofing, including the adoption of the SMS Sender ID registry by all relevant stakeholders.
"MAS is also intensifying its scrutiny of major financial institutions’ fraud surveillance mechanisms to ensure they are adequately equipped to deal with the growing threat of online scams," it added.
The managing director of MAS, Ravi Menon, said:
"MAS is deeply concerned about the recent spate of scams and the financial losses suffered by victims. The threat of scams will not go away, but we can reduce our vulnerabilities. This requires a multi-pronged response across the ecosystem. MAS, together with the Police, IMDA and other relevant government agencies, is working closely with the financial industry, the telco industry, consumer groups, and other stakeholders to strengthen our collective resilience against scam attacks. We will ensure that digital banking remains secure, efficient, and trusted."
Customer vigilance "paramount"
MAS said that customer vigilance "remains of paramount importance", and added that scammers are quick to adapt in targeting unsuspecting consumers.
MAS wishes to remind the public of the following:
- Never click on links provided in SMSes or emails
- Never divulge internet banking credentials or passwords to anyone
- Verify SMSes or emails received by calling the bank directly on the hotline listed on its official website
- Verify that you are at the bank’s official website before making any transactions, or transact through the bank’s official mobile application
- Closely monitor transaction notifications so that any unauthorised payments are reported as soon as possible to increase the chances of recovery