Motion

Combating Online Phishing and Spoofing Scams

Summary

This statement concerns the government’s multi-layered strategy to combat phishing and spoofing scams through upstream communications infrastructure measures and enhanced network safeguards. Minister for Communications and Information Mrs Josephine Teo clarified that recent major scams resulted from sophisticated deception rather than cybersecurity breaches, necessitating the mandatory registration of SMS Sender IDs for banks and government agencies. She highlighted ongoing efforts by IMDA and telcos to block thousands of scam websites and millions of suspicious overseas calls monthly through artificial intelligence and advanced analytics. While acknowledging that measures like removing clickable links may reduce convenience, she argued that these interventions are necessary to maintain digital trust and long-term resilience. The government concluded that a whole-of-nation ecosystem approach, involving public education by Minister of State Desmond Tan and increased public vigilance, is essential to counter evolving scam tactics.

Transcript

2.20 pm

The Minister for Communications and Information (Mrs Josephine Teo): Mr Speaker, Sir, scams have been around a long time. However, technology has increasingly enabled scammers to operate at scale across the globe and their tactics have become more sophisticated by the year. Yet, while the tactics have changed, at its heart, scammers use the tried-and-tested formula of exploiting their victims’ fears and hopes.

Scammers do not respect geographical boundaries, seeking out victims wherever they can. These scams would often have originated abroad.

Minister Lawrence Wong has spoken about the enhanced protections in our banking system. I will focus on the upstream measures – how we can intervene through our communications infrastructure to fight scams. Minister of State Desmond Tan will speak later about enforcement as well as the continuing, crucial efforts in public education.

But, first, let me assure Members that the OCBC scams were not the result of a cyber attack or weaknesses in cybersecurity. This addresses questions by Mr Alex Yam regarding CSA’s assessment and Assoc Prof Jamus Lim on whether financial institutions met cybersecurity standards.

If I could use an analogy in the physical world, the scammers in this case did not manufacture a special key or special keys to break into the bank premises and to steal from the customers’ deposit boxes. Instead, they stood in front of the bank and tricked customers into handing over their identity cards (IC) and keys. They then pretended to the bank teller that they were the real customers, accessed the deposit boxes and cleared them out quickly.

Why did the victims fall prey? Because the scammer looked real by wearing the correct uniform and name tag bearing the bank’s logo. Why did the bank fall prey? Because the scammer was in possession of items that only real customers were expected to have.

In the physical world, the scammer’s pressure tactics to hand over the IC and key might have raised an alarm. Likewise, for the bank, branch managers might have noticed and made gentle enquiries as to the hurried manner in which the deposit boxes were emptied out. But in the digital world, where we have become so used to instant communications and transactions, our guard is down.

The OCBC scam was, therefore, not a result of a cyber attack or a breach of cybersecurity, which, typically, involves hacking or breaking into a system to steal information or assets. Instead, it was a classic case of deception, executed with speed and repeated at scale.

The use of SMS to reach potential victims is, unfortunately, becoming even more common and sophisticated. But it is not the only channel. Scammers have used it together with phone calls and emails to phish for information or spoof legitimate organisations. In other words, scammers are taking advantage of our communications infrastructure to reach even more potential victims, faster.

To combat phishing and spoofing by scammers, we should disrupt as many parts of their modus operandi as possible. Apart from enhanced safeguards in the banking system to prevent scams from easily succeeding, upstream measures are also needed to disrupt scammers’ reach to potential victims. Ms Joan Pereira and Mr Christopher de Souza are, therefore, right to ask how we can strengthen our defences through our telco networks.

It is useful to first step through how a phishing and spoofing scam is usually carried out. Typically, the scammer starts by contacting the victim, through phone calls or SMS. The victim is then tricked into surrendering their credentials or personal information.

In many cases, the act of surrendering credentials and personal information takes place on a scam website, something designed to look like the real website of a legitimate organisation. Compared to asking for such information by phone or SMS, no direct human interactions are required since victims themselves enter their details on a scam website. This allows such scams to be processed with greater scale and speed. And this is why much of our upstream measures have focused on blocking scam websites. It is a key part of disrupting the scammers’ plans.

On any given day, more than 90% of Singaporeans go online for various activities. SPF and IMDA work closely with Internet Service Providers to block scam websites. When consumers are led by scammers to these websites, they will be alerted to be vigilant.

In 2020, we blocked about 500 suspected scam websites. By 2021, the net had been cast much more widely and 12,000 such websites were blocked. Countless more victims would have been otherwise scammed. In fact, we have the capacity to block many more suspicious websites.

However, this does not mean that they will completely disappear from our screens. This is because scammers react quickly and dynamically to such blocks.

In the OCBC case, more than 350 scam websites have been blocked. At the peak, we blocked around 52 sites in a single day or one every 30 minutes. But the scammers were quick to create new websites over the course of their campaign.

This pattern of behaviour will persist. Nonetheless, website blocking remains important. We will continue to strengthen detection and reporting mechanisms to be more responsive.

As mentioned by Minister Wong earlier, the banks will be enhancing their fraud surveillance systems. Government agencies will also explore the use of artificial intelligence to more quickly identify and block scam websites.

In addition, the National Crime Prevention Council will start a WhatsApp channel to crowdsource from the public, information on scam websites and messages. To ensure processes are in place for proper follow-up, this channel will be launched by the third quarter of this year.

Website blocking is part of the suite of upstream measures to disrupt the scammers’ plans. But before they are lured to a scam website, victims may have been contacted by phone or SMS. Sometimes, the scammers get what they want without even leading the victim to a scam website.

Members will be familiar with scam callers impersonating officials from China. These scams started several years ago.

During COVID-19 times, the scam callers switched their masquerades, pretending to be the Police or other trusted organisations, such as MOH. Their messages were adapted to exploit concerns about vaccination or other COVID-19-related measures.

These calls deploy what is known as "social engineering" techniques to cause fear and panic in their victims, using topical concerns that scammers know people are worried about. As most of these calls come from overseas, scammers will often seek to appear more credible by spoofing local numbers.

An important set of upstream measures, therefore, involves blocking these suspicious calls. Every month, the telcos block around 15 million, or one in seven of all incoming overseas calls to Singapore.

We expect the number of scam calls to rise, given the changing tactics of scammers to increase their reach. They include, for example, incoming overseas calls that resemble phone numbers of our local Government agencies or emergency services.

Overseas scam callers may also add a prefix "65", without the "+" prefix, to give the impression that they are calling from within Singapore. Since April 2020, telcos have also added the "+" prefix for all incoming overseas calls, to help alert their customers.

Many scam calls were averted through such measures. But more is needed. Our telcos plan to incorporate additional analytics to block more of these suspected scam calls. We estimate that up to 55 million calls will be blocked each month.

Mr Saktiandi Supaat and Assoc Prof Jamus Lim asked about the Do Not Call (DNC) registry.

The DNC registry was not designed to prevent scam messages. Instead, it was created to allow individuals to opt out of receiving unsolicited telemarketing messages or calls. Scammers will, of course, not take the trouble to check this registry before conducting their illegal activities.

Mr Speaker, the extent of call blocking needed shows just how persistent scammers are in reaching potential victims. Even if our telcos can block millions of incoming overseas calls, we must not be lulled into a false sense of security. Moreover, as each avenue becomes harder to break through, scammers turn to other channels. In the case of the OCBC scams, the SMS channel was exploited.

To better understand how it happened, it is useful, firstly, to recognise that SMS is an old technology.

For many Singaporeans, it is more common these days to communicate with each other using messaging platforms, such as WhatsApp and Telegram. Nevertheless, SMS is still being used by many organisations because it is a cheap and convenient way to reach many customers. All handphones, whether smart or not, can receive SMS. But the SMS system was never designed for secure communications. Together with its widespread use, this makes it an attractive channel for scammers to reach potential victims.

For example, legitimate senders can use an alphanumeric ID to make themselves more easily known to customers. Instead of a string of numbers, customers receive an SMS from a sender identified as, say, "ABC company". However, this alphanumeric ID is not automatically protected as part of the SMS protocol. This means, unfortunately, that a scammer can use the same alphanumeric ID "ABC Company" and enter the message thread between the legitimate business sender and its customer. Members know by now this was what happened in the OCBC scams. As a result, the victims did not even realise they were communicating with the scammer, rather than OCBC itself.

Mr Desmond Choo, Mr Yip Hon Weng and Mr Melvin Yong asked how SMS could be made safer.

The gap I described above had, in fact, been identified by MAS and IMDA. Last year, the agencies started a pilot for SMS Sender ID protection. An organisation can register the alphanumeric ID that they use, thus reducing the risk of an illegitimate sender spoofing the same alphanumeric ID and having the message appear within the same message thread. MAS has decided that all major retail banks must sign up to register the alphanumeric IDs they use to communicate with their customers. The Government has also committed that all its agencies will do likewise.

In addition, IMDA will require SMS service providers and telcos to check SMS senders against the registry. SMSes that try to spoof registered IDs will thus not be delivered, as the sender details would not match registry records. All organisations seeking to send SMSes using registered IDs to phone subscribers in Singapore must also have a valid Unique Enterprise Number (UEN). This will help Police with investigations in the event of a scam.

Once these immediate measures are completed, the threat surface will be reduced. However, if an alphanumeric ID is not placed by an organisation into the registry, it cannot be protected. Observers have also pointed out that scammers can still use similar-looking alphanumeric IDs that are not in the registry, to trick potential victims.

To further close these gaps, we will consider requiring all users of alphanumeric IDs to be registered. Scammers will then not be able to send SMS using alphanumeric IDs except by joining the registry. This protects legitimate senders. It will also provide more assurance to receivers of SMS messages that an alphanumeric ID indicates a registered source.

These further measures will take time to implement and come at a cost, including to businesses. Businesses that choose not to register alphanumeric IDs will have their SMS messages appear only with their telephone number. Their customers can then choose to save the number in their own contact list to help them recognise future messages.

Given the implications, IMDA will study this matter carefully before deciding whether or not to mandate the registration of all alphanumeric IDs.

At the same time, organisations should rethink how they use SMS to communicate with their customers. As I have mentioned earlier, SMS was never meant for secure communications. Where the message contains or will lead to the transmission of sensitive, confidential information or high value transactions, there should be more restraint. It is like our postal services. They are generally safe, but we would not send very valuable items even using registered post.

One other area that Dr Shahira Abdullah asked about was clickable links. Although her question was related to its use by MOH, the considerations are applicable to many other agencies and companies.

Members will know that clickable links are everywhere. They appear on websites, in our emails and, of course, our SMS messages. You find them, too, in WhatsApp, Telegram and many other apps. They are used extensively because they are highly effective in getting people to take action. For example, using such links, millions of vaccination appointments were quickly and conveniently booked.

Unfortunately, clickable links have also been used for criminal purposes. MAS has ensured that banks discontinue their use in SMS communications with customers. However, the removal of clickable links in many other settings will only erode convenience. More importantly, the loss of effective outreach in cases like vaccination registration could be detrimental to our people. A blanket removal must, therefore, be very carefully considered.

Mr Speaker, please allow me to briefly summarise in Mandarin.

(In Mandarin): [Please refer to Vernacular Speech.] Mr Speaker, some Members asked if the OCBC scam was a result of a cyber attack, or a breach of the bank's IT system which had enabled the criminals to carry out their crimes.

This is not the case. In the series of scams, the criminals did not hack into the bank's IT system to steal money. What they did were classic acts of deception by misleading the victims into believing that they were communicating with the bank and, therefore, tricking the victims into providing their account details. With these stolen account details, scammers then logged into the victims’ bank accounts and stole the victims’ hard-earned monies via electronic transfers.

Once again, the communication system has become the channel for scammers to get into contact with victims at scale and quickly. However, compared to the past, the scammers’ acts of deception were far more realistic this time.

MAS has since stepped up countermeasures. Meanwhile, IMDA has enhanced preventive measures in the communication infrastructure, and MHA has also strengthened public education efforts. In combination, these multi-layered measures are aimed at disrupting scam syndicates' modus operandi.

However, we all know that every move that we make to derail the syndicates will be countered by more sophisticated moves by them. When carrying out their crimes, the scammers have no regard for borders nor the law; whenever we come up with new countermeasures, they will certainly also be cooking up new ways to continue with their operations.

Even with new measures in place, everyone in the ecosystem must work together and raise our defences in all areas to prevent these criminals from succeeding easily.

(In English): Mr Speaker, our additional safeguards underscore the importance of telcos in combating phishing and spoofing scams.

As part of our efforts to continuously strengthen our defences, we will require telcos to put in place enhanced safeguards in our networks. This includes blocking scam calls, SMSes and websites. We also expect them to do more to help their customers avoid becoming victims. Scammers change methods and tactics to evade detection and our capabilities will need to, likewise, adapt. IMDA will work with the telcos to continuously strengthen their anti-scam capabilities.

We should recognise that, even with best efforts, the network defences alone cannot block all scams. At every part of the chain, upstream and downstream, we are taking steps to reduce the risk. The measures in our communications infrastructure, for example, reduce the available avenues for scammers to reach victims. As mentioned by Minister Lawrence Wong, MCI is also working with MAS to consider the shared responsibilities of all the key stakeholders in the ecosystem. Taken together, we should be able to significantly reduce the risk of consumers falling victim to scams.

Mr Speaker, I believe Mr Christopher de Souza has correctly characterised the problem of scams as one needing a multi-pronged response. Indeed, I would add that our approach is an ecosystem approach — what was described by Minister Lawrence Wong. This has multiple layers of defence – no single layer providing a complete answer, but all layers reinforcing each other to disrupt the scammers' plans.

To Mr Sitoh Yih Pin's question, this will prevent some types of scams from recurring. But our best defence against new types of scams is a vigilant public. Ultimately, they determine the extent to which we can prevent scams.

The public should, therefore, also arm themselves with knowledge on scams and how to protect themselves and their loved ones who might be less tech-savvy. There are tools, such as ScamShield, that can help to prevent some scam calls and SMSes. Minister of State Desmond Tan will say more on these later.

At the same time, for our own long-term success as a nation, digital transformation must continue. Mr Alex Yam is rightly concerned about the impact of these scams on digital adoption.

We will strengthen public confidence in online transactions, raise awareness on good cyber-hygiene habits and bolster the digital resilience of our citizens, a call also made by Miss Cheng Li Hui. This is part of a whole-of-nation approach to safeguard Singaporeans against online threats, especially for the more vulnerable groups.

As part of these efforts, IMDA launched the Digital for Life (DfL) Movement to galvanise the people, private and public sectors to provide Singaporeans with skills, tools and habits to navigate the digital domain safely and confidently.

Many partners have kickstarted projects related to digital literacy and wellness. For example, the Lions Befrienders led a project, "Say No to Scams", where staff and volunteers teach seniors about staying safe from online scams and harms. This included measures, such as changing settings and installing apps, to increase security on smartphones. They are also working on a scam simulation app to help seniors identify scams.

The DfL Movement will do its part to complement efforts by SPF, the National Crime Prevention Council and CSA.

For example, the curriculum for seniors offered by the SG Digital Office has been updated to provide cybersecurity tips on topics, such as Digital Government services, e-payments and digital transactions. The Media Literacy Council (MLC) has also produced tip sheets on e-commerce scams, online impersonation scams and loan scams. These are available and translated into the vernacular languages for different audiences.

All of us – banking institutions, telco operators, Government, businesses, individuals – have a role to play in the fight against scams.

Across the ecosystem, making these changes may result in additional cost and some loss of convenience. But they are necessary to better safeguard our people from scams. Equally importantly, they will help to uphold confidence in our digital journey.

Mr Speaker: Minister of State Desmond Tan.