Singapore banks act to tackle spate of SMS phishing scams

Banks in Singapore are set to remove clickable links in emails and text messages sent to retail customers after a spate of SMS phishing scams.

Editorial

This content has been selected, created and edited by the Finextra editorial team based upon its relevance and interest to our community.

The Monetary Authority of Singapore (MAS) and the Association of Banks in Singapore (ABS) say that the move, along with a host of other measures, will be put in place within the next two weeks.

Earlier this week, OCBC Bank revealed that nearly 470 customers lost at least $8.5 million in December after scammers posed as the lender and sent victims SMSes with links to phishing sites.

Yesterday, DBS warned its customers about a similar scam in which an SMS claiming to be from the bank told victims that their account had been suspended and asked them to click on a link.

OCBC has begun making goodwill payouts to victims but the industry is now taking more proactive measures. In addition to removing links, banks will set the default threshold for funds transfer transaction notifications to customers at $100 or lower.

There will also be a delay of at least 12 hours before activation of a new soft token on a mobile device, while a notification will be sent to existing mobile numbers or emails registered with the bank whenever there is a request to change a number or address.

Comments: (3)

Ketharaman Swaminathan Founder and CEO at GTM360 Marketing Solutions

Given the increasing sophistication of phishers, can't say this is not a step in the right direction but it will be a big blow for personalization efforts, which rely heavily on clickable links in customer communications.

Arshad Noor CTO at StrongKey

The reason SG is susceptible to these attacks is because they're not moving to FIDO strong authentication, Ketharaman. FIDO completely eliminates password-phishing attacks - there is a Google white-paper that documents their experience on the FIDO Alliance site. And, the FIDO experience can be personalized within mobile apps. See this presentation on https://www.strongkey.com/, and around the 7:00 min mark, you'll see compliance to PSD2 using FIDO that cannot be phished.

Johannes Kriegbaum Salesmanager at KOBIL

No need to mention that full PSD2 compliance is assured and many times tested and field proven with European Banks.
