Singapore authorities are urging banks to impose stronger security measures to prevent more phishing scams after one of the city-state’s biggest lenders was hit by a serious case of fraud.
Banks need to expand their fraud surveillance capabilities, Lawrence Wong, the finance minister and deputy chairman of the Monetary Authority of Singapore, said in parliament on Tuesday. They must also increase their ability to immediately block suspicious activity and reach out to customers to verify transactions before they’re processed, he said.
Beyond the existing measures, MAS will expect banks to develop more versatile algorithms using artificial intelligence and machine learning to detect suspicious transactions, Wong said. Authorities are also exploring whether to let customers freeze their own account without having to contact their bank if they suspect it has been compromised.
Currently, lenders are exploring expanding the use of biometric technology and accelerating the use of mobile banking apps for customer authentication, authorization and the delivery of bank notifications, which could make it harder for scammers, said Wong, who was speaking in his capacity as MAS’s deputy chairman.
Wong’s comments come after a December incident at Oversea-Chinese Banking Corp. when about 790 customers of Singapore’s second-largest bank lost a total of S$13.7 million ($10.2 million) in scams. An investigation by OCBC revealed that the victims had provided their online banking log-in credentials and one-time passwords to phishing websites, enabling the scammers to take over their accounts.
Many customers shared stories with local media about their life savings being completely wiped out and expressed frustration over the bank’s slow response when they tried to call its hotline. The event also raised questions about safeguards amid Singapore’s push to position itself as a tech and digital banking hub.
“This is by far the most serious phishing scam we have seen involving spoofed SMSes impersonating banks,” Wong said to lawmakers who put forward 39 questions about the incident. “I should add that this was not a cyber attack on OCBC, but a phishing scam on OCBC’s customers who were deceived into providing their banking credentials and OTPs at scam websites set up by the scammers. At no time was the bank’s own systems breached.”
OCBC has since made full goodwill payouts to all affected customers and tightened its security measures such as initiating transaction notifications for fund transfers through PayNow and inter-bank payments for amounts as low as one cent.
OCBC’s phishing scam is the second technical incident to hit a Singapore bank in recent months. In November, DBS Group Holdings Ltd. suffered one of its worst digital disruptions in the past decade when thousands of customers were unable to log onto its online and mobile platforms. Earlier this month, MAS said DBS Bank Ltd. needed to boost its regulatory capital by about S$930 million following the glitches.
MAS is now intensifying scrutiny of major financial institutions’ fraud surveillance mechanisms and working with the industry to create a framework to clarify how losses arising from scams can be shared among consumers and financial institutions. It plans to publish its findings for consultation within the next three months.
“Financial institutions should bear an appropriate share of losses arising from scams, but care must be taken to ensure that any compensation paid to customers does not weaken their incentive to be vigilant,” Wong said.