While the December holiday season is usually a time of celebration, December 2021 was not a good time for OCBC scam victims who fell for the SMS phishing scams. Personal stories of those who have been targeted have surfaced since then. These stories of being penniless and hungry on Christmas Day and losing their life savings put a face, life and family behind the numbers of about 470 OCBC customers who were affected by the SMS phishing scams.
In light of these scams, the Monetary Authority of Singapore (MAS) and the Association of Banks in Singapore (ABS) have introduced a set of additional measures to bolster the security of digital banking.
As internet banking takes over as the dominant way we bank and scams become increasingly sophisticated, the pertinent question is how will this affect us as consumers?
Note: Screenshots presented are meant to illustrate the prevalence of SMS notifications. They are not meant to single out any particular bank or financial institution, nor act as an indication of the strength or weakness of their digital security.
Prevalence Of Banking SMS Notifications
As bank retail customers, we would likely be familiar with the multitude of SMS banking notifications. While some of them are bank transaction-related, others are often marketing-related.
SMS notification of banking transaction with clickable link
SMS marketing notification with clickable link
It is this environment of prevalent SMS notifications that made the SMS phishing scams so effective. As consumers, we have become so used to SMS notifications that we tap on the included links without much thought.
With the new MAS measures, banks will now remove all clickable links in emails or SMSes sent to retail customers. The timeline for implementation is 2 weeks from the announcement on 19 January 2022. This means that future clickable links in SMS notifications should be treated with extreme prejudice. As future legitimate SMS notifications (after 2 February 2022) would not have clickable links, any clickable link is a breach of trust and would likely lead to a phishing scam.
Mobile Numbers Have Become An Extension Of Identity But They Are Easily Spoofed
One less mentioned aspect of the phishing scams is the victims’ trust that the SMS notifications are legitimate because they appear to originate from OCBC. Prior to this unfortunate series of events, most people did not know that SMS numbers can be spoofed or impersonated.
Spoofing happens when scammers disguise an email address, display name, phone number or other identifiers to convince the target that they are the legitimate source. In the case of the OCBC phishing scams, the scammers spoofed the OCBC SMS notification such that the scam messages appeared in the same SMS thread as the legitimate bank messages.
OCBC SMS sender notification thread including scam message
Aside from the lack of awareness of spoofing, we also have an inordinate amount of trust in the legitimacy of our mobile numbers as a form of identity. Our mobile numbers have frequently replaced our NRIC numbers as a form of identification in Singapore. Our PayNow accounts are linked to our mobile numbers.
In a way, we have been accustomed to viewing our mobile numbers (and by extension, SMS), as a legitimate form of identification. However, SMSes are easily spoofed. In fact, experts have commented on the ease of spoofing SMS notifications.
In order to make it more difficult to spoof legitimate SMS sender names, organisations are encouraged to register the SMS sender names they wish to protect. According to Smart Nation and Digital Government Group (SNDGG), all government agencies will sign up to the national anti-spoof registry, the Singapore SMS SenderID protection registry. According to a statement to Today, this registry will be rolled out to “all telcos, SMS aggregators and banks that use SMS services for retail customers”.
More Safeguards Will Be Implemented
The speed of the phishing scams also took many victims by surprise. From the time their banking particulars have been phished, it took a short while, in some cases only minutes, before entire bank accounts and life savings were emptied. Affected victims reported waiting in line at the bank or being put on hold while they helplessly watched their money being transferred away.
In order to strengthen the controls, MAS has required banks to put place more stringent measures including:
Setting the threshold for funds transfer transaction notifications to customers to be $100 or lower by default
Implementing a delay of at least 12 hours before a new soft token on a mobile device can be activated
Notifying the existing mobile number or email registered with the bank whenever there is a request to change a customer’s mobile number or email address
Setting additional safeguards, such as a cooling-off period before key account changes, such as in a customer’s key contact details, can be requested
Along with the removal of clickable links, these measures would be implemented in 2 weeks’ time from 19 January 2022.
These measures are positive for consumers as they would slow down any fraudulent transactions, giving us additional time to react and put a stop to any suspicious activity. However, they can also inconvenience us when we have a legitimate need to change our personal details. For example, it would take much longer to set up a new soft token when we change our mobile phones or change our banking details when we get a new mobile number.
However, if these measures can help delay scammers before they execute their fraudulent transactions, these are minor inconveniences compared to the pain of losing our life savings.
The Weakest Link Is Human
In any security matter, especially cybersecurity, the weakest link is always human. All the safeguards and protocols will not be sufficient if we do not put the effort to educate and protect ourselves.
Just as we remember to lock our doors before leaving home (and not rely on police presence in the neighbourhood to deter burglars), we should not purely rely on the banks to keep us safe from scammers.
While OCBC has extended goodwill payments to all customers affected by the recent phishing scams, we cannot expect the same to happen for future scams. The responsibility of safeguarding our bank account details ultimately falls on us, just as we are responsible for our home security.
Could the banks have done better? Well, so could we. On their part, the banks are improving their protocols to deal with scams, including dedicated customer assistance teams to deal with potential fraud cases and sending out scam education alerts. On our part as the consumer, we need to remain vigilant, monitor our transactions for any unauthorised payments, verify official sources and not divulge any internet banking details to anyone.
While the OCBC phishing scams have severely affected the victims, the silver lining is that it is a wake-up call for Singaporeans and our approach to internet banking. Not only are banks improving how they send out SMS notifications and putting in place better protocols to deal with scams, but we the consumers also received an awakening about our vulnerability to scams. The elderly and uneducated are no longer the only vulnerable groups. All of us are potential targets if we don’t stay alert.
The post Has Personal Internet Banking Changed For The Better After The OCBC Phishing Scams? appeared first on DollarsAndSense.sg.