MS Explains: When online scams happen in S’pore, who is responsible for the victims’ losses?

And what avenues of recourse do victims have?

20/1/2022 3:40:00 PM

Explainer: When online scams happen in S’pore, who is responsible for the victims’ losses?

And what avenues of recourse do victims have?

First, OCBC was targeted, with over 400 customers affected and losses of over S$8.5 million. Recently, DBS and the Supreme Court have also been targeted by scammers.These scams are known as “phishing”. They are a form of social engineering in which the scammer attempts to trick a victim into disclosing personal information like bank account numbers, passwords or One-Time Passwords (OTPs) which would allow the scammer to do a number of things, such as gaining control of the victim’s bank account. The scammer might even change the account password or associated phone number, locking the victim out of the account.


I’m a S'porean man, 43. I lost S$500,000 of my life savings over 2 hours in the OCBC phishing scam.A victim of the OCBC phishing scam has written to to reveal what happened behind-the-scenes. 🥺🥺🥺 Banks should be allowed to only contact us through the banking app. No need for SMS/Calls/Emails. Look at Grab's app for reference. Eliminate the avenues of exploitation! OCBC needs to stop this NONSENSE asking parents to deposit money into account to keep a child's bank account active if not done so in a while. This is in the same league as access your banking website or your account will be locked BS! People got cheated because of such policies!

OCBC to make 'full goodwill payouts' to all victims of recent SMS phishing scamArrangements with all victims will be made by next week. Full good will is 10k or 500k It's nda so pay a bit still can get Away with the mistake Ocbc did the right thing! Good on you, ocbc!

OCBC announces it will pay all SMS scam victims full sum they lostSINGAPORE - All OCBC customers affected by a recent spate of SMS phishing scams will receive 'full goodwill payouts' covering the amount they lost, OCBC Bank said in a statement on Wednesday (Jan 19). More than 100 victims have already received the payouts and the bank will make arrangements for the payout with all remaining affected customers by next week,...

Audacious new scam on Google claims it's resetting your bank account to fight scamsSINGAPORE - The police have warned of scam advertisements on Google search where fake bank hotlines appear when users search for banks' contact numbers. Since last month, at least 15 victims have fallen for such scams, the police said in a statement on Wednesday (Jan 19). The losses amounted to at least $495,000. In such cases, the victims wanted to...

S’pore banks to end clickable links in SMSes & emailsThe measures are set to kick in within the next two weeks. Safeguard for Paynow transfer too.

Did OCBC set a precedent with its 'goodwill payout' for scam victims? No, lawyers saySINGAPORE: OCBC’s decision to give 'goodwill payouts' to customers hit by an SMS phishing scam was not surprising given the public attention on the incident, lawyers said, but the

is a Lecturer at Singapore University of Social Sciences, School of Law, and practices law as Of Counsel with RHTLaw Asia.Mothership has seen a copy of the police report filed by the victim.OCBC said on Jan.More than 100 victims have already received the payouts.

He was previously a Deputy Public Prosecutor in the Financial and Technology Crime Division of the Attorney-General’s Chambers. By Alexander Woon Singapore has seen a spate of sophisticated online scams lately. 20, 2021. First, OCBC was targeted, with over 400 customers affected and losses of over S$8. OCBC first announced that they would be affected customers on Jan.5 million. It has raised public awareness of the scam, as well as pushed OCBC to improve their weak security system and processes. Recently, DBS and the Supreme Court have also been targeted by scammers. "We apologise for taking more time than expected to resolve the issues with our customers during this time of distress and anxiety," she said.

The question is when scams occur, who is responsible? And who bears the losses? How the scams work These scams are known as “phishing”. I lost S$500,000 in 2 hours I am a 43-year-old public servant. 8, 2022. They are a form of social engineering in which the scammer attempts to trick a victim into disclosing personal information like bank account numbers, passwords or One-Time Passwords (OTPs) which would allow the scammer to do a number of things, such as gaining control of the victim’s bank account. The scammer might even change the account password or associated phone number, locking the victim out of the account. On the date of the scam, I was overseas and using my OCBC credit card for payments. In OCBC’s case, the scam was reportedly very sophisticated." OCBC said that the arrangements will be made with all affected customers by next week for the full goodwill payout. The scammers sent SMSes to the victims using a “spoofed” number to make it appear that the messages were coming from OCBC. The website that the phishing SMS led to looked exactly similar to the OCBC website. Some victims have lost life savings built up over the years for their families.

Thus, the SMSes appeared in the same chat thread along with legitimate messages from the bank. Victims were then asked to click on a link in the SMS, which brought them to a webpage that was set up to look like OCBC’s website. I did not have a OneToken login as it is incompatible with my mobile device. "We apologise for taking more time than expected to resolve the issues with our customers during this time of distress and anxiety,” she added. The webpage asked for personal information, which once keyed in, was made available to the scammer who could then take control of and drain the victim’s bank account of money. The DBS scam appears to be similar, with SMSes supposedly from DBS Bank being sent to customers with links for them to click. The next morning when I woke up, I saw a chain of SMSes showing that my payment transfer limit had increased to S$300,000, new payees were added, and multiple transactions of up to S$50,000 had been transferred to new payee accounts, including PayNow. The Supreme Court scam is slightly different – emails are sent to victims from what appears to be a legitimate web domain “judiciary. In a separate statement on Monday, the Monetary Authority of Singapore said it would consider supervisory actions against OCBC and that it expected all customers to be treated fairly.

gov. These were transfers to new payees, including PayNow to phone number, PayNow to NRIC and bank”. The victims are then invited to submit personal information to the “judiciary”, which once in the possession of the scammers might allow them to go on to commit identity theft or, perhaps with other necessary information obtained through other methods, to access the victim’s bank accounts. It appeared that the scammers were able to set up the OneToken two-factor authentication feature easily on their own device without any verification. These scams are all similar in that they attempt to create the illusion of legitimacy to trick victims into disclosing sensitive information. Different types of liability The issue of responsibility for scams is complicated. Unfortunately, due to the time zone difference, this had taken place while I was asleep and I was only notified of it in the morning when I woke up.

There are several types of liability that might arise and different parties are involved. First, criminal responsibility is placed on the scammers themselves. Worked for 20 years, scrimped and saved I have spent 20 years of my working life to save up for the S$500,000. Scams are a form of cheating, which is an offence under the Penal Code. The Police can investigate if the scammers are found, they can be brought to court and prosecuted. This was my retirement fund, and now without it, I will most probably have to work till I die - literally. If found guilty, they can be sent to jail or fined.

A compensation order can also be imposed on the scammers to force them to compensate the victims for any loss. Since the scam, my wife and I have been severely affected mentally and emotionally, and have both lapsed into depression. Second, victims might be able to sue under civil law – this is part of the law of tort, which means civil wrongs. They can sue the scammers, assuming that the scammers can be found, for losses suffered. Thinking about the scam brings tears to my eyes, and media coverage of the scam and mentions of OCBC induce trauma. They might also be able to sue the bank if the bank somehow contributed to the loss – this might be the case if the bank’s security system was weak or if the bank did not take any action to stop a fraudulent transfer, for example. Third, there might be regulatory action taken against the banks. Communication with OCBC non-existent Correspondence with OCBC has been extremely disappointing and almost non-existent.

MAS said on Jan. 17 that they will consider “supervisory actions” following OCBC’s internal review to identify deficiencies in their processes. 20, the customer service officer who fielded the call was not empathetic despite the traumatic situation, which came across as tonedeaf. In a separate statement on Jan. 19, MAS also announced that they will work with banks in Singapore to put in place safeguarding measures within the next two weeks. Hence, I would like to ask OCBC to show evidence on how they have been proactive on the security alert since early December, and if internal staff were also not aware? Any large organisation with a marketing department would know that burying an update in the depths of their website does not count, as compared to more proactive paid and earned communications efforts, which it seems like OCBC only started to undertake from Dec. These measures include removing clickable links in emails or SMSes sent to retail customers and for the threshold for funds transfer transaction notifications to be set at a default of S$100 or under.

Possible remedies for victims These types of liability also map neatly onto the avenues of recourse that victims might have. 8. First, a victim can make a police report that they have been scammed. This allows a criminal investigation to be started. When I did so, the standard response is that the case is still under investigation. However, in many cases, the scammers are located overseas and therefore beyond the jurisdiction of Singapore’s enforcement agencies. Further, the money drained from the victim’s account is often quickly moved out of jurisdiction and laundered through money mules, making it untraceable. OCBC introduced my relationship manager's manager on Jan.

Or it might be spent. Therefore, in many cases, criminal investigations hit a dead end. The RM's manager was to provide an additional contact point. Second, a victim can try to pursue civil action. If the scammers can be found and identified, they can be sued in Singapore. I messaged him after reading about the “goodwill payment” news in the media on Jan. But in most cases, the scammers are anonymous and probably overseas, so this is often also a dead end.

Alternatively, if there were lapses on the part of the bank that contributed to the success of the scam, the victims might be able to sue the bank, which is known and present in Singapore. His response was that my case is still undergoing investigation. However, they will need evidence to prove that the bank is liable, which might not be easy to obtain. Legal proceedings are also costly and risky – there is no guarantee that the court will find the bank liable. I hope that all victims will be treated fairly as guided by MAS. Even if the case is successful, the amount recovered might be less than the legal fees paid, or it might be impossible to enforce the court’s judgement against the scammers if their assets are located overseas. Third, a victim can complain to the regulator, in this case, MAS. 3 issued multiple alerts and warnings to its customers using multiple channels, including security alerts and advisories on its website, Internet and mobile banking log-in pages, customers e-mails, as well as social media channels.

The regulator might then take action against the bank. However, this does not necessarily mean that the victim will be compensated, as the issue is between the bank and the regulator. 20, there was no such alert on the mobile app and nothing on this scam on their social media feeds. The focus of the regulator’s investigations will be on the bank’s failure to comply with regulations, and the bank may be sanctioned if any lapses are found. Fourth, the banks may offer voluntarily compensation but this is not a legal requirement. 20, he responded over WhatsApp, “wa this one really never see before”. This is what OCBC appears to be doing, as it has now promised to fully reimburse all victims of the recent SMS scam.

The bank does this out of goodwill and to save its reputation, and this does not necessarily mean that the bank is admitting fault. 23, OCBC got a narrative published in an article in The Straits Times : “OCBC cautions public about SMS scams after customers lose $140,000 in 10 days”. Practical steps for scam victims Frankly, there is often little that can be done once a scam is successful. The scammers are usually unknown and the money is often moved overseas and dissipated almost immediately. 8 to 17 with a clear time lag for such a grave matter. Unless the bank is willing to voluntarily compensate the victims, there is often little chance of successfully recovering the money. Since prevention is better than cure, it is important to take steps to protect yourself against scams. 30 when a police statement mentioned that S$8.

This includes educating yourself on the latest scams – pay attention to advisories from banks and also from the Police and National Crime Prevention Council. The Open Government Products team, part of GovTech, has also developed an app called ScamShield that helps to block unsolicited calls and SMSes. Clearly, OCBC did not act fast enough and were not proactive enough to embark on more widespread paid and earned media communications that could have prevented scams that happened after early December -- until their reputation was affected. The website also contains information on current scams. 30 and Jan. Once a scam has been detected, the victim can take steps to block their account to prevent outward transfers.

This depends on the bank being responsive and having a working fraud prevention processes. The OneToken failure It is notable that OCBC has stopped the compulsory rollout of their clearly flawed digital token OneTaken since the scam. Once the scam has been completed and money drained from the account, the victim must act quickly if any remedy is to be successful. A Police report can be made – if made in time, the Police might be able to trace the transfer and freeze the money in the receiving account, pending further investigations. As my mobile device was not compatible with the OneToken, OCBC had issued me a new physical token even though it was to be phased out as they knew I couldn’t activate the OneToken. This will prevent the money from being spent and, if all goes well, it might be returned at the end of the criminal case. The victim might also want to consult a lawyer and take legal advice. OCBC should have better processes (e.

A lawyer may be able to advise the victim on available options and their relative chances of success. It is impossible to say in the abstract what the best course of action would be – it depends greatly on the facts and circumstances of each case, which is why a properly qualified lawyer is needed to assess the situation. a physical one-to-one meeting, phone call) with the client to activate such significant changes to account access. It may be useful to hire a lawyer if the victim is considering pursuing civil action against either the scammers or the bank. For those who cannot afford a lawyer, it might be possible to seek help pro bono, that is for free, from various sources like the Law Society Pro Bono Services office or the Community Justice Centre. For my case, the bank has shared that as it is “complex”, and it will need “more time to investigate”. Ultimately though, a victim of a scam must recognise that despite best efforts, the money may never be recovered.

There are no mandatory compensation laws in Singapore that would oblige a bank to compensate the victims where it cannot be proved that the bank was at fault. While I am encouraged by the cases of the fellow 30 victims, I wonder how much these payments will be for large amount of losses like my case. Whether there should be such victim protection laws is likely to be a key policy issue going forward, as online scams continue to be the fastest-growing segment of crime in Singapore. Top photo via Mothership reader, Unsplash/Eduardo Soares If you like what you read, follow us on . 17.