SINGAPORE — If a new framework proposed by the authorities on Wednesday (Oct 25) is implemented, financial institutions could bear the full losses incurred by victims of digitally-enabled phishing scams, should the institutions be found to have breached anti-scam obligations.
The proposed Shared Responsibility Framework (SRF) for phishing scams was unveiled in a joint consultation paper published by the Monetary Authority of Singapore (MAS) and the Infocomm Media Development Authority (IMDA).
The paper outlines a “waterfall approach”: responsibility for losses cascades from financial institutions, to telephone companies (telcos) where the phishing scam was perpetrated via SMS, and finally to consumers, depending on whether each of these companies has met its obligations as set out in the framework.
In the consultation paper, MAS and IMDA said the proposed framework will only cover digitally-enabled phishing scams with a “clear Singapore nexus” for now.
This means that any entities impersonated in phishing scams should either be Singapore-based, or entities based overseas that offer their services to Singapore residents.
It also has to be a phishing scam — which generally involves consumers being deceived into clicking on a phishing link and entering their credentials on a fake digital platform.
In doing so, they unknowingly reveal their credentials to scammers, who can proceed to perform unauthorised transactions from their accounts.
Still, with clearly outlined conditions for filing claims and multiple stakeholders involved in the waterfall framework, consumers may at first find it hard to discern what the proposed framework would cover.
TODAY looks at some possible scenarios in which phishing scam victims may file reports in the hope of recouping their losses, and who should bear responsibility in each instance.
WHO SHOULD BEAR THE LOSSES?
A scammer impersonates the police and contacts a consumer via a WhatsApp message.
The consumer is directed by a link in the scammer’s WhatsApp message to a fake Immigration and Checkpoints Authority (ICA) website to pay for his purported “outstanding fines”.
The consumer then enters his banking credentials and one-time password into the fake banking website, as directed from the fake ICA website.
The scammer then uses the consumer’s banking credentials and one-time password to activate a new digital security token on the scammer’s own phone.
The scammer then makes 10 transactions of S$500 each to another local account.
As the bank’s system is down, notification alerts for the 10 outgoing transactions and the activation of a new digital security token are sent to the consumer only two days later.
When the consumer receives these notification alerts, he immediately tries to report them to the responsible financial institution, but is unable to as the institution is receiving a high volume of calls.
He then tries to activate the kill-switch — which allows consumers to quickly suspend their accounts if they fear they have been compromised — but is unable to do so due to a system issue on the institution’s end.
Subsequently, the scammer makes further unauthorised transactions amounting to S$4,000 on the consumer’s account, as the consumer is unable to suspend his account.
A notification alert is sent for this further S$4,000 transaction.
Verdict: A full payout will be borne by the responsible financial institution, under the new proposed framework
The case is applicable for assessment under the new proposed framework, as all elements of a phishing scam — as outlined by the framework — have been met.
The financial institution has failed in its duty to send real-time notification alerts for the activation of a new digital token, and for the first 10 unauthorised transactions.
It also failed in its duty to make a kill-switch available to the consumer at all times.
Telcos would not be involved in this assessment, as the link leading to the fake ICA website was sent through WhatsApp, not SMS.
As such, the financial institution would have to bear the full losses incurred by the consumer (that is, for the 10 S$500 transactions and the subsequent S$4,000 transaction).
A scammer impersonates a financial institution and contacts a consumer via a phishing email.
The email informs the consumer that his account is about to be suspended.
The consumer proceeds to click on a website link provided in the email, believing it would take him to an online page where he can prevent his account from being suspended.
The link then brings him to a spoofed “financial institution” website, where he enters his account credentials.
The scammer subsequently uses the credentials and one-time password provided to take over the consumer’s account without his knowledge, and sets up a digital token on the scammer’s own device.
Due to a system error, the responsible financial institution does not impose a 12-hour cooling-off period during which high-risk activities cannot be performed.
As a result, the scammer is able to increase the consumer’s online transaction limit from S$5,000 to S$10,000 — which is deemed a high-risk activity — within 12 hours of the new digital token’s activation.
Although the consumer sees the notification alerts informing him of the activation of a new digital token and the increase of his transaction limit, he does not act on them.
The scammer then proceeds to make multiple transactions of S$10,000 each out of the consumer’s account.
Verdict: A full payout will be borne by the responsible financial institution
The case is applicable for assessment under the new proposed framework, as all elements of a phishing scam — as outlined by the framework — have been met.
The responsible financial institution has failed in its duty to impose a minimum 12-hour cooling-off period.
This allowed the scammer to increase the consumer’s transaction limit within what should have been the 12-hour cooling-off period.
As such, the financial institution would have to bear the full losses incurred by the consumer.
This is in spite of the fact that the consumer failed to take due care by clicking on the link in the phishing email, and also chose to ignore the notification alerts sent to him.
A scammer impersonates a financial institution and sends a phishing email to a consumer, informing him of an attractive financial product.
The consumer clicks on the link within the phishing email, which leads him to a spoofed financial institution website.
He enters his account credentials and one-time password on the fake website to purchase the product.
The scammer uses these account credentials to initiate three monetary transactions — of S$1,000, S$2,000 and S$3,000 — to another local account.
As the consumer has previously adjusted his transaction notification threshold to S$1,500, the responsible financial institution sends notifications only for the transactions of S$2,000 and S$3,000.
Verdict: No payout will be made under the proposed framework; consumer to bear full losses
The case is applicable for assessment under the new proposed framework, as all elements of a phishing scam — as outlined by the framework — have been met.
While the responsible financial institution did not send out a notification alert for the S$1,000 transaction, this does not constitute a breach of duty, as the consumer had previously opted to raise his transaction notification threshold to S$1,500.
Given that the link leading to the spoofed “financial institution” website was sent to the consumer via email and not SMS, the telcos would not be liable in this assessment.
The full losses will therefore be borne by the consumer, though he may approach existing avenues of dispute resolution if he wishes to seek further recourse.
A consumer receives a WhatsApp message containing a clickable link from a scammer purporting to be a foreign seller of furniture.
While the foreign “furniture seller” is an unknown one and its brand is not recognisable, the consumer feels that the prices offered are very attractive and decides to make a purchase.
Upon clicking on the link in the WhatsApp message, the consumer is redirected to a fake digital platform where he keys in his bank account credentials and one-time password to make the fraudulent purchase.
This allows the scammer to obtain his credentials and one-time password.
The scammer then uses these details to enter the consumer’s bank account and make unauthorised transactions.
Verdict: No payout will be made under the proposed framework; consumer to bear full losses
Although the case involved a phishing scam, it does not fall within the framework’s scope, as it does not have a Singapore nexus.
The foreign furniture seller that had been impersonated was neither a legitimate Singapore-based entity nor a legitimate overseas-based entity that is known to offer services to Singapore residents.
In this case, the full losses will be borne by the consumer.
Nevertheless, the consumer may approach existing avenues of dispute resolution if he wishes to seek further recourse.
As a rule of thumb, financial institutions, followed by telcos, will be expected to bear the full losses incurred from such digitally enabled phishing scams, should they fail to discharge their respective prescribed duties, said MAS and IMDA in a joint press statement on Wednesday.
“Financial institutions stand first in line, given that they hold greater responsibility as custodians of consumers’ money.
“Telcos stand second in line, as they play a secondary role in fostering security of digital payments by facilitating SMS delivery.”
Still, while the proposed framework is intended to strengthen financial institutions’ and telcos’ accountability to consumers, it will not absolve customers of their own duty to be vigilant.
“If financial institutions and telcos have fulfilled their duties, the Shared Responsibility Framework will not require payouts to be made to consumers,” said MAS and IMDA.
“A discerning and vigilant public remains the first line of defence against scams.
“Individuals have a responsibility to mitigate the occurrence of scams by practising proper cyber hygiene and not giving away their credentials to a third party under any circumstance,” the authorities added.