Singapore – The main responsibility for preventing phishing scams still lies with banks and financial institutions, said a cybersecurity specialist with CrowdStrike, an international cybersecurity technology company based in California.

Immediate measures are needed to strengthen digital banking controls while longer-term moves are being weighed, said Mr Mark Goudie, CrowdStrike’s Asia Pacific and Japan services director, echoing the Monetary Authority of Singapore’s response to the recent surge of phishing scams.

To bank customers, especially those hit hard by SMS-phishing scams, who were asking “How immediate is immediate?”, MAS gave this answer: “Two weeks”.

With the right security measures in place, such scams can be easily spotted and can be readily reported, Mr Goudie told The Independent Singapore.

“MAS expects all financial institutions to have in place robust measures to prevent and detect scams as well as effective incident handling and customer service in the event of a scam,” it said in its statement on Jan 19, responding to news and social media reports that such crooked schemes had already siphoned off millions of dollars from accounts in Singapore.

E-banking and increasing digitalisation of financial services in Singapore have facilitated a ballooning in phishing scams. A growing number of bank customers report that their bank accounts were cleaned out and sometimes their life savings vanished within minutes.

All because they made the mistake of clicking on a link in credible-looking SMS text messages purporting to be from reputable banks such as OCBC and DBS.

Mr Goudie said that phishing attempts are often easy to spot and can be readily reported.

“While the latest measures from MAS (Monetary Authority of Singapore) are expected to provide an additional layer of protection for consumers, the onus is still on financial institutions to ensure that their operational processes and security measures are robust enough to prevent, detect and respond to cyberattacks in the first place,” he noted.

MAS announced on Jan 19 that additional measures would be implemented to bolster the security of digital banking services given the recent spate of SMS-phishing scams targeting bank customers.

The authority also said: “The growing threat of online phishing scams calls for immediate steps to strengthen controls, while longer-term preventive measures are being evaluated for implementation in the coming months.”

So, two weeks from Jan 19 will be Feb 2, the second day of Chinese New Year when many people might be expecting to be banking in their hongbao.

That is the date by which banks must ensure they have removed clickable links in emails or SMS messages they send to retail customers. By then, there will also be a default threshold of S$100 or less for fund transfer transaction notifications, and a delay of at least 12 hours before a new soft token can be activated on a mobile device.

Clients will also receive notifications to existing mobile numbers or registered email addresses whenever there is a request to change a customer’s mobile number or email.

There will be “additional safeguards, such as a cooling-off period before implementation of requests for key account changes such as in a customer’s key contact details,” said MAS.

Mr Goudie noted that incident detection and remediation time plays a vital part in the containment and prevention of similar incidents.

According to CrowdStrike’s Global Security Attitudes Survey, organisations in Singapore cite lack of resources (51 per cent), disparate solutions (49 per cent), legacy infrastructure (46 per cent), and poorly performing existing solutions (41 per cent) as the reasons for not managing cybersecurity incursions and incidents faster.

“It also takes organisations in Singapore nearly double the time of their regional counterparts to contain and remediate a security incident (30 hours vs 19 hours),” Mr Goudie explained.

“With adversaries rapidly advancing their tradecraft to bypass legacy security solutions, the combination of world-class technology, combined with expert threat hunters, is absolutely mandatory to detect and stop the most sophisticated threats, including phishing.”

“We would advise companies to always remain proactive and adopt a robust cybersecurity posture at the backend to ensure existing frameworks remain secure,” he added.

CrowdStrike uses a cloud-based platform to help its customers stop security breaches. It is supposed to be able to prevent and respond to all types of security attacks, including malware and malware-free attempts.

Since the phishing scams began to make major headlines, banks have been sending out more alerts and are putting in place new anti-phishing measures, including reminders to never click on links provided in SMS or email messages.

MAS advises users never to divulge Internet banking credentials or passwords to anyone, and to verify the information received by telephoning the hotline on the bank’s official website.

It also recommends monitoring transaction notifications and reporting any unauthorised payments as soon as possible, to improve chances of recovering the money lost. /TISG

By Hana O