SINGAPORE, Jan 19 — Banks in Singapore will be removing clickable links in emails or SMS messages sent to retail customers and set the threshold for funds transfer notifications to customers by default at S$100 (RM311) or lower. These are part of several measures to protect account holders from phishing scams.

The changes, announced by the Monetary Authority of Singapore (MAS) and the Association of Banks in Singapore (ABS) in a joint statement on Wednesday (Jan 19), will be implemented within the next two weeks.

The new measures came after at least 469 customers were affected by an SMS phishing scam targeting OCBC bank customers, with losses totalling at least S$8.5 million.

The fraudsters had sent out fake bank alerts that spoofed the bank’s official SMS channel, duping many of them into clicking on web links and giving up their personal account information last month.

In the joint statement, MAS and ABS said that these measures will bolster the security of digital banking, given that it will lengthen the time taken for certain online banking transactions and also provide an added layer of security to protect customers’ funds.

Other measures that banks will be putting in place include:

  • Delaying activation of a new soft token on a mobile device by at least 12 hours
  • Sending notification to a customer’s existing mobile number or email registered with the bank whenever there is a request to change a customer’s mobile number or email address
  • Introducing a cooling-off period before executing requests to important account changes such as in a customer’s key contact details
  • Having dedicated and well-resourced customer assistance teams to deal with feedback on potential fraud cases on a priority basis
  • More frequent scam education alerts

“MAS expects all financial institutions to have in place robust measures to prevent and detect scams as well as effective incident handling and customer service in the event of a scam,” the joint statement read.

“The growing threat of online phishing scams calls for immediate steps to strengthen controls, while longer-term preventive measures are being evaluated for implementation in the coming months.”

The banks will continue to work closely with MAS, the police and the Infocomm Media Development Authority to deal with these scams, including coming up with more permanent solutions such as getting all relevant stakeholders to register SMS sender IDs of individuals they wish to protect, MAS and ABS said.

Sender IDs are names that identifies the sender of an SMS message so that a word or phrase (eg. OCBC), instead of a number, is displayed on the recipient’s mobile phone.

“MAS is also intensifying its scrutiny of major financial institutions’ fraud surveillance mechanisms to ensure they are adequately equipped to deal with the growing threat of online scams,” they added. 

MAS and ABS also reminded customers that they should be vigilant and must:

  • Never click on links provided in SMS messages or emails
  • Never reveal their internet banking passwords to anyone
  • Verify SMS messages or emails received by calling the bank directly on the hotline listed on its official website
  • Verify that they are looking at the bank’s official website before making any transactions
  • Transact through the bank’s official mobile application
  • Closely monitor transaction notifications so that any unauthorised payments are reported as soon as possible to increase the chances of recovery

Ravi Menon, managing director of MAS, said that the threat of scams will not go away, but there are ways to reduce vulnerabilities of online banking.

“MAS, together with the police, IMDA and other relevant government agencies, is working closely with the financial industry, the telco industry, consumer groups and other stakeholders to strengthen our collective resilience against scam attacks. We will ensure that digital banking remains secure, efficient, and trusted,” he added.