Singapore Banks Required To Remove Links in SMSes and Emails To Combat Scams
The Monetary Authority of Singapore (MAS) and the Association of Banks in Singapore (ABS) said in a joint statement on 19 January 2022 that they are introducing tighter security measures for local banks after the recent string of phishing attacks.
One of the new measures that local banks must follow is the removal of clickable links in SMSes and emails sent to retail customers. This is in direct response to last month’s OCBC Bank scams, wherein victims received legitimate-looking SMSes that asked them to click a link to fix supposed issues with their accounts. The link reportedly led to fake bank websites that required the victims to input their online banking login credentials.
OCBC announced that it will be offering "full goodwill payouts" to cover the losses the victims incurred from the attacks. More than a hundred of the victims have received their payout so far, according to The Straits Times.
Additionally, the threshold for fund transfers will be set to S$100 or lower by default. There will also be a delay of at least 12 hours before a new soft token for mobile devices can be activated. When a user wants to change their contact details, a notification will be sent to the existing mobile number or email address registered with the bank. In line with this, there will be a cooling-off period before requests to make key account changes take effect.
What’s more, banks will send out frequent scam education alerts to help customers stay vigilant against potentially fraudulent or illegal activity.
"The threat of scams will not go away, but we can reduce our vulnerabilities. This requires a multi-pronged response across the ecosystem," said MAS Managing Director Ravi Menon. He further noted that the agency will continue to work with the financial and telecom industry, among other stakeholders, to bolster the protection of customers from attacks.
Local banks have the next two weeks to implement the required security measures.
These new measures alone, however, might not be enough to prevent future attacks, as Mr Kevin Reed, Chief Information Security Officer of cyber-security firm Acronis, points out.
“It’s good to have extra measures implemented, but it’s simply not enough – the attacks can still continue at this point,” he commented. “Some of them – like the cooling-off period, more frequent education alerts – can work if implemented correctly, while others may not have the desired effect.”
Mr Reed said that local banks must explain the changes to customers, or else they will only lead to more confusion, which could then lead to more opportunities for future attacks. He added that banks must closely collaborate with telecom providers to reduce the risks of customer accounts being compromised.