Online Threats

Security Alerts

WhatsApp Takeover Scam

17 February 2021

The Singapore Police Force has noted an increase in the number of reports received for WhatsApp Account Takeover Scams involving the 2 variants below:

Variant 1 – Direct Contact with Victim
The scammer would impersonate support staff from WhatsApp and request a 6-digit verification code for account recovery to gain access to the account.

Variant 2 – Indirect Contact using Victim’s Voicemail
The scammer would repeatedly fail the 6-digit verification code on the victim’s phone number. If the victim did not answer the resulting voicemail, the scammer would then use the default PIN used by telco providers to retrieve the 6-digit verification code from the victim’s voicemail and take over the victim’s WhatsApp account.

Note: Upon accessing the victim’s account, the scammer could then enable two-step verification to prevent the victim from regaining control over the WhatsApp account.

 

What can you do to protect yourself?

  • Never share your WhatsApp verification code with anyone regardless of who they claim to be.
  • Be aware of any unusual requests received on WhatsApp, even if they were sent from your WhatsApp contacts.
  • Enable the two-step verification feature on WhatsApp. This can be done by opening WhatsApp and go to ‘Settings’ → ‘Account’ → ‘Two-step verification’ → ‘Enable’.
  • Change your voicemail account’s default PIN. Alternatively, contact your telco to deactivate the feature if you have no need for it.
  • If you suspect that you have been a victim of scams, please call 1800-MAYBANK (1800-629 2265) or (65) 6533 5229 (Overseas).

Scam Advisory

20 January 2021

The Singapore Police Force (SPF) has issued a recent scam advisory on the following:

Phishing Scams – Fake Pizza Hut Advertisements
There are advertisements on social media offering cheap pizza deals with links to external sites where potential victims will be tricked into providing their banking details and One Time Password (OTP) to make payment. Victims only realised that it is a scam when they discovered unauthorised transactions in their bank accounts.

 

Social Media Impersonation Scams – Fake Qoo10 Websites
There are cases where scammers would use compromised or spoofed social media accounts to impersonate the victims' friends or relatives. Fake Qoo10 campaign messages are sent to victims to inform them that they have won lucky draw prizes. Victims would then be led to the fake Qoo10 website where they would be asked to key in their banking details and One Time Password (OTP) as an “administrative procedure” to claim their prize.

 

What can you do to protect yourself?

  • Do not click on unsolicited advertisements or text messages.
  • Verify the authenticity of the information with the official website/sources.
  • Do not share your personal or Internet Banking details and One Time Password(OTP).
  • If you suspect that you have been a victim of scams, please call 1800-MAYBANK (1800-629 2265) or (65) 6533 5229 (Overseas).

 

Launch of ScamShield Mobile Application
On 20 November 2020, National Crime Prevention Council (NCPC) has launched the ScamShield mobile application for iOS users to prevent scam calls and messages from reaching handphone users.

To find out more about the ScamShield App, please visit ncpc.org.sg/scamshield.

Are banks liable for your losses to scams?

11 December 2020

In the first half of this year, SGD102 million was lost to various types of scams.

Being scammed by someone impersonating a staff from a Telecommunications Company? Is the bank liable for your losses? Can banks recover your money if it is reported immediately?

Below are some questions and answers to understand the roles and responsibilities and extent of liabilities of Customers and the bank.

Q1. I received a call from a service provider who informed me that I am facing some issues with my Internet. He requested to access my laptop by downloading a software into my computer. Is the bank able to stop the funds going out if I realised that it was a scam after immediately after the call?

A. It is unlikely as the funds transfers are carried out instantly in most cases. Therefore, it is difficult to stop the transfer. However, the bank will try to assist in recovering the funds on best effort basis as soon as the bank alerted to the transaction. Please lodge a police report for such incidents.

Q2. Why is it necessary to alert the bank immediately if the fraudulent transactions cannot be stopped?

A. The bank will disable your online banking access and cards to prevent any further fraudulent transactions.

Q3. Is the bank able to stop fraudulent transactions that take days to complete?

A. Once an instruction is given, the funds will be deducted from your account. The funds could be transferred to an interim bank before reaching the recipient’s bank account. It would be difficult to intercept the transaction as the interim bank has an obligation to pass the funds to the recipient's bank.

Q4. Can the Singapore police help me to recover my funds, including transfers to overseas banks?

A. Yes, if the funds are transferred to a local bank account and the funds are still in that bank account. The police can issue an order to the bank to freeze the recipient’s account to prevent any further fund transfers. The funds will then be transferred back to the rightful owner after a court order has been issued. For overseas transfers, chances of recovery is low. However, the police will work with their international partners to trace the money.

Q5. When can I expect the bank to give me a reply after I have reported a fraudulent transaction?

A. The bank will conduct an investigation of your claim and give you a reply within 21 business days for straightforward cases, and up to 45 business days for complex cases.

Q6. I have been scammed by someone impersonating a bank employee and asked me to make a transfer to another bank account. Is the bank liable?

A. The bank’s liability will depend on whether the transfer occurred as a result of the customer’s negligence. Customers are generally liable for losses from transactions that they have authorised, even if they subsequently realised that they had been scammed.

Q7. What is the bank's duty of care to me?

A. The bank's duty of care is contractual in nature and most of the duty is imposed on the customer.

The MAS has issued the E-Payment Guidelines to protect users of electronic payments.

The guidelines set out the responsibilities of banks. For instance, banks are expected to provide real-time transaction notifications and a reporting channel so that you may be alerted to unauthorised transactions and report them should they happen.

Customers would also need to take reasonable steps to protect their own interests. These include adopting good security practices such as protecting your device, login credentials and one-time passwords.

If you suspect that you have been a victim of scams , please call 1800-MAYBANK (1800-629 2265) or (65) 6533 5229 (Overseas).

 

Source:
The Straits Times (27 November 2020) - Is the customer or bank responsible for fraudulent transactions in Singapore?

Re-emergence of scams targeting bank customers with spoofed SMSes

16 November 2020

The Singapore Police Force would like to alert the public about the re-emergence of scams spoofing as banks and targeting bank customers.  Victims would receive SMSes from “banks” informing them that their ATM cards have been blocked.  When the victims click on the link, they will be led to a phishing website which resembles the official bank’s website requesting for their personal particulars, internet banking details and one-time passwords (“OTP”).  Thereafter, the scammers will make unauthorised withdrawals from the victim’s bank account(s).

How to protect yourself from being a victim of scams

  • Do not click on URL links provided in unsolicited text messages;
  • Always verify the authenticity of the information with the official website or sources;
  • Never disclose your personal or internet banking details and OTP to anyone; and
  • Report any fraudulent credit/debit card charges to your bank and cancel your card immediately.

 

If you suspect that you have been a victim, please call 1800-MAYBANK (1800-629 2265) or (65) 6533 5229 (Overseas) to report it.

Sample Phishing SMSes

Spot the signs. Stop the crimes.

13 October 2020

The Singapore Police Force and the National Crime Prevention Council (“NCPC”) have rolled out the sixth edition of their annual anti-scam campaign: "Spot the signs. Stop the crimes." The campaign runs from August 2020 to March 2021, with a focus on sharing real scam examples with the public to educate people on how to spot the various telltale signs of scams.

E-commerce scams, social media impersonation ruses, loan scams and banking-related scams topped the list of common scams, with surges in the number of cases in each of these categories. The amount lost in the 10 most common types of scams doubled to S$82 million, up from the $41.6 million that scammers made off with in the first six months of 2019. A sharp 139 per cent year-on-year rise in cases in the 10 main categories of scams for the first six months of this year.

Mr Gerald Singham, Chairman of NCPC encouraged members of the public to not only stop and think before revealing personal details or handing over one-time passwords, but to also take the extra step of verifying information with a third party or the authorities.

"If someone approaches you for personal information or asks for banking details, it must raise suspicion. The onus must be on us - the potential victim - to stop the crimes from happening and cut off communication before any important information can be divulged."

Learn to spot the signs and stop the crimes - https://www.scamalert.sg/

Source:
The Straits Times (26 August 2020) - $82 million lost through top 10 scams in first half of 2020, double the amount from a year ago
The Straits Times (27 August 2020) - New education campaign launched to address rising scam numbers

Impersonation Scams

2 October 2020

We received reports of ongoing SMS scams impersonating Maybank to offer loans. If the victim contacts the number in the SMS, the scammer may attempt to impersonate Maybank staff to place a “deposit” before the loan is disbursed.

Sample of the SMS – September 2020

How to protect yourself from scams

  • Be alert and always verify the details in the messages from Maybank. Always check that the message reflects your intended actions and do not proceed or authorise suspicious transactions.
  • Contact us at 1800-MAYBANK (1800-629 2265) or (65) 6533 5229 (Overseas) to verify the contents of the SMS.
  • Never reply to unsolicited SMS or emails. Responding to such SMSes or emails may be used by scammers for social engineering or trick the victims into divulging confidential account and internet banking information.

 

24 July 2020

The Singapore Police Force (“SPF”) would like to educate the public regarding the increase in impersonation scams involving bank officials and authorities such as IRAS officers. These scammers will usually ask for the following Internet banking details:

  • Account Usernames
  • Personal Identification Numbers (PIN)
  • One-time Passwords (OTP)

 

These scammers will try to impersonate bank officials or authorities and request the victim to conduct the following actions:

  • provide their Internet banking credentials over the phone or on fraudulent websites
  • provide SMS OTP or security token approval
  • update funds transfer limit
  • perform funds transfers to a new account

 

Scammers would then proceed to transfer money out of their victims’ accounts using the details provided.

How to protect yourself

  • Do not reply or click on URLs in suspicious SMSes or emails.
  • Beware of phishing websites that may look genuine.
  • Do not give out your Internet Banking credentials, SMS OTP or security token approval to other individuals.

 

If you suspect you have provided your internet banking credentials, SMS OTP, or security token approval to unauthorized parties, please contact 1800-MAYBANK (1800-629 2265) or (65) 6533 5229 (Overseas) immediately.

China Officials Impersonation Scam

13 April 2020

The Singapore Police Force (SPF) would like to alert the public to a new variant of the China Officials impersonation scam whereby callers impersonated as staff from the Ministry of Health (MOH) before referring victims to scammers claiming to be China Officials.

MOH will not ask for your banking credentials or to transfer monies to bank accounts.
You are advised to take the following precautions when you receive unsolicited calls from unknown parties:

  • Don’t Panic – Ignore the calls and caller’s instructions. No government agency will request for transfer of money, personal details or bank account login credentials over the phone. Call a trusted friend or talk to a relative before you act as you may be overwhelmed by emotion and err in your judgment.
  • Don’t Believe – Scammers may use caller ID spoofing technology to mask the actual phone number and display a different number. Calls that appear to be from a local number may not actually be made from Singapore. From 15 April 2020, all incoming international calls will be prefixed with a plus (+) sign. Stay vigilant when receiving any unexpected international calls, and reject those which spoof local numbers.
  • Don’t Give – Do not provide your name, identification number, passport details, contact details, bank account or credit card details, and One-Time-Password (OTP). Such information are useful to criminals.

 

read full advisory

Scammers Impersonating Staff From Local Telecommunication Service Providers Or Officers From Government Agencies Offering Technical Support

10 April 2020

The Singapore Police Force (SPF) would like to alert the public about scammers impersonating staff from local telecommunication service providers, or officers from government agencies who are offering technical support.

You are advised to adopt the following preventive measures:

  • Beware of unsolicited calls from persons claiming that they are staff of telecommunication service providers or from a government agency, even if they claim there are issues with your telecommunication devices or allege that you are implicated in a criminal offence. Scammers may use Caller ID spoofing technology to mask their actual phone numbers and display different numbers. Calls that appear to be from a local number may not actually be made from Singapore.
  • Do not panic and do not follow instructions to install applications, type commands into your computer or log onto your online banking accounts. No telecommunication service provider or government agency will request for your personal details or access to your online bank account over the phone or through automated voice machines. When in doubt, always call the official hotline of your telecommunication service provider to verify. It may also be wise to call a trusted friend or talk to a relative before you act on such instructions, in order to get a second opinion which can help counter possible misjudgements on your part.
  • Never provide your name, identification number, passport details, contact details, bank account numbers, credit card details, or One-Time-Passwords (OTPs) over the phone to unfamiliar or unverified persons. Such information can be very useful to criminals.

 

read full advisory

COVID-19 Phishing Calls

6 April 2020

The Singapore Police Force (“SPF”) has alerted the public regarding scams using the COVID-19 outbreak as a bait. These scammers purport to be from Singapore’s Ministry of Health (MOH) and claim to conduct contract tracing to detect potential infected individuals. If an individual falls victim to these claims, the scammer may ask for the following information or request the victim to conduct the following actions:

  • Internet banking credentials
  • SMS OTP or security token approval
  • Update funds transfer limit
  • Perform fund transfers to a new account

 

How to protect yourself

  • MOH will never ask for your financial details during contact tracing calls. Verify these calls with the official MOH hotline if you receive such calls. Do not proceed further if you suspect a caller is asking you to conduct suspicious, unfamiliar actions or transactions.
  • Do not give out your Internet Banking credentials, SMS OTP or security token approval to other individuals. If you suspect you have provided your internet banking credentials, SMS OTPs, or security token approval to unauthorised parties, please contact 1800-MAYBANK (1800-629 2265) or (65) 6533 5229 (Overseas) immediately.