Enhancing Cybersecurity Awareness Given Recent Increase in Phishing Scams

14 Dr Wan Rizal asked the Minister for Home Affairs in light of the recent phishing scams involving at least 237 victims since November 2023 with total losses amounting to at least $606,000 as stated in the Police advisory of 13 November 2023, what specific measures are being taken to enhance cybersecurity awareness among the public, especially regarding the use of popular messaging platforms.

The Minister of State for Home Affairs (Ms Sun Xueling) (for the Minister for Home Affairs): Mr Speaker, Sir, in this recent scam variant, WhatsApp users who were attempting to access their WhatsApp account on their computer had clicked on a fake "WhatsApp Web" phishing website. They had then scanned the QR code in the website via their WhatsApp account on their mobile device and, in doing so, they inadvertently granted the scammers access to their WhatsApp account. The scammers then used the compromised WhatsApp account to impersonate the user and reached out to the user's family and friends and convinced them to transfer monies to the scammers' bank accounts or PayNow numbers.

To combat this scam variant, the Singapore Police Force (SPF) has been working with Meta to stop further abuse of compromised WhatsApp accounts as soon as they are detected. The SPF have also been working with online platforms, including Google, to introduce stronger safeguards to mitigate the risk of fraudulent takeover of online messaging accounts, such as through the preemptive detection and blocking of URLs linked to phishing websites.

The Online Criminal Harms Act which will be progressively operationalised from this quarter, will allow the Government to direct online messaging platforms to disable access to accounts suspected to be involved in scams. The Government can also require designated online service providers to introduce upstream measures to safeguard against the misuse of online accounts.

Ultimately, however, the best defence against scams is a vigilant and discerning public. To this end, the Government has been running campaigns to encourage the public to adopt good cyber practices. For instance, the Cyber Security Agency of Singapore (CSA) recently launched the fifth edition of the National Cybersecurity Campaign, which aims to raise awareness and drive adoption of good cyber practices.

The SPF and CSA also work with other agencies on more targeted campaigns, such as the SG Cyber Safe Students Programme, which supports schools in the conduct of cybersecurity lessons.

In addition, the SPF regularly highlights emerging scam variants and the measures that the public can take to protect themselves. Specific to the recent spike in phishing scams involving compromise of WhatsApp accounts, the SPF had issued several advisories which urged members of the public to adopt the three simple steps of "Add", "Check", "Tell".

First, "Add" security features, such as enabling two-step verification, on your WhatsApp and other online messaging accounts. Turn on your notification settings to be alerted to changes to linked devices.

Second, "Check" that you are on the official WhatsApp website. Check your settings for unauthorised linked devices and be wary of unusual requests from your contacts whose accounts may have been compromised.

Third, "Tell" your friends and family about your scam encounters and report any fraudulent activity to your bank and to the Police immediately.

Mr Speaker: Dr Wan Rizal.

Dr Wan Rizal (Jalan Besar): Mr Speaker, I thank the Minister of State for sharing what has been taken in terms of mitigating this issue. She mentioned earlier about the collaboration between the SPF and Meta in terms of combating these WhatsApp phishing scams. Apparently, many of my colleagues and I, we do use such services because of its ease. Could the Minister of State elaborate on the effectiveness of the measures that have been taken so far to reduce future compromised accounts since its implementation?

For my second supplementary question, the Minister of State mentioned earlier about the collaboration with Google in terms of enhancing pre-emptive detection and blocking of URLs linked to phishing sites. I know this is common, but are there any measurable outcomes of this initiative so far?

Ms Sun Xueling: I thank the Member for his two questions. In my response, I will attempt to take them together.

I mentioned that the Police have been working with Meta to stop further abuse of compromised WhatsApp accounts and the Police have also been working with online platforms, including Google, to introduce safer safeguards, and I had specifically mentioned through the pre-emptive detection and blocking of URLs linked to phishing sites.

First, I would like to share that the platforms have responded with varying degrees of urgency and they had leaned to it to different extents. For example, Meta has, on some occasions, required more time to recover compromised WhatsApp accounts. We intend to work even closer with Meta and to highlight to them that we need them to do more. They need to respond more quickly to our requests, to be more effective and efficient in recovering compromised WhatsApp accounts and disabling the service if it is part of a scam. So, the Government will continue to engage these online platforms since they are key vectors for the propagation of scams.

For Google, as we all know, they run a search engine. So, we are working with them so that they can be more proactive and also more capable at detecting links which are links to phishing websites. And this is something that requires technical work on Google's end. We are highlighting these scam variants to them, so that they can take better care and look at how their search engines can be better optimised to prevent such scam variants from taking place on their platforms.

I mentioned also that the Online Criminal Harms Act will come into force in the first quarter of 2024. We have various levers under the Online Criminal Harms Act which will allow the Ministry of Home Affairs and the Government to better work with these platforms to issue Government directions against scams and to also require designated providers to detect and minimise scams and other malicious cyber activities.

1.29 pm

Mr Speaker: Order. End of Question Time. Introduction of Government Bills.

[Pursuant to Standing Order No 22(3), provided that Members had not asked for questions standing in their names to be postponed to a later Sitting day or withdrawn, written answers to questions not reached by the end of Question Time are reproduced in the Appendix.]