Banks to tighten security, remove clickable links in SMSes after OCBC phishing scam

Banks in Singapore will have to put in place more stringent measures to bolster the security of digital banking, such as removing clickable links in SMSes or e-mails sent to retail customers, within the next two weeks.

These additional measures were introduced in view of the recent spate of SMS phishing scams targeting bank customers, the Monetary Authority of Singapore (MAS) and the Association of Banks in Singapore (ABS) said in a joint statement on Wednesday (Jan 19).

They include a delay of at least 12 hours before activation of a new soft token on a mobile device, notification to existing mobile number or registered e-mail whenever there is a request to change a customer's contact details, and dedicated customer assistance teams to deal with feedback on potential fraud cases on a priority basis.

In the statement, MAS and ABS said that the growing threat of online phishing scams calls for immediate steps to strengthen controls, while longer-term preventive measures are being evaluated for implementation in the coming months.

The more stringent measures which banks will work to put in place in the next fortnight will lengthen the time taken for certain online banking transactions but also provide an additional layer of security to protect customers' funds, they added.

Last month, nearly 470 OCBC Bank customers lost at least $8.5 million to SMS phishing scams.

Victims received unsolicited SMS messages that appeared to be from OCBC, claiming there were issues with their banking accounts and asking users to click on the link given in the message.

The link led to fake bank websites and victims were asked to key in their Internet banking account login details.

OCBC Bank said in a statement on Wednesday that all affected customers will receive "full goodwill payouts" covering the amount they lost by next week. More than 100 victims have received their payouts so far.

DBS Bank on Wednesday also warned its customers about a fake SMS being sent to users claiming to be from the bank.

It urged customers not to click on links sent through SMS messages and said that it would never ask for account details or OTP (one-time password) over the phone, e-mail or SMS. DBS is actively taking down such phishing sites, it added.

In the joint statement, MAS and ABS said banks will continue to work closely with MAS, the police and the Infocomm Media Development Authority to deal with the phishing scams.

This includes working on more permanent solutions to combat SMS spoofing, including adoption of the SMS Sender ID registry by all relevant stakeholders.

The central bank is also intensifying its scrutiny of major financial institutions' fraud surveillance mechanisms to ensure they are adequately equipped to deal with the growing threat of online scams.

The MAS and ABS stressed that customer vigilance remains key and outlined several measures customers must take to avoid falling for online banking scams:

- Never click on links provided in SMSes or e-mails;

- Never divulge Internet banking credentials or passwords to anyone;

- Verify SMSes or e-mails received by calling the bank directly on the hotline listed on its official website;

- Verify that you are at the bank's official website before making any transactions, or transact through the bank's official mobile application; and

- Closely monitor transaction notifications so that any unauthorised payments are reported as soon as possible to increase the chances of recovery.

MAS managing director Ravi Menon said that the central bank is deeply concerned about the recent scams and the financial losses suffered by victims.

"The threat of scams will not go away, but we can reduce our vulnerabilities. This requires a multi-pronged response across the ecosystem," he said, adding that the MAS along with other agencies will work closely with the financial industry, telecoms industry, consumer groups and other stakeholders to strengthen collective resilience against scam attacks.

ABS chairman Wee Ee Cheong said that the banking industry, along with the MAS and ecosystem players, will continue to strengthen consumer protection measures.

"We also ask that the public stay vigilant given that scams continue to evolve and are executed quickly.

"We remain committed to upholding the confidence with which customers can transact online safely, while still maintaining a high level of service," said Mr Wee.