The Business Times

BT Explains: What you need to know about SMS phishing

Published Mon, Jan 17, 2022 · 07:20 PM

THE sharp rise in phishing scams has cemented SMS as a weak link in online banking as more customers transact through their phones and attackers grow increasingly sophisticated.

Nearly 470 OCBC customers have lost at least S$8.5 million to such scams since last December. The bank has made goodwill payouts to more than 30 victims as at Monday (Jan 17), though it had earlier warned that the possibility of funds recovery is "very low" once money has left the customer's account - leaving many on high alert.

The Business Times breaks down the science behind SMS phishing and how customers can better protect themselves from falling prey.

1) Why does an SMS appear to be from OCBC when it isn't?

Most banks, including OCBC, currently use a service known as number masking. This means an SMS sent by OCBC shows up on a customer's phone as "OCBC", rather than an unfamiliar phone number.

But scammers are able to abuse this technology to replace their own phone number with an alphanumeric sender ID of their choosing, known as a "spoofed header" - most commonly the name of the bank.


Cloning a legitimate sender's ID makes the scammer's SMS appear to originate from that sender, so the fraudulent message lands in the same thread as genuine SMSes from the bank.

2) How does phishing work?

In OCBC's case, customers received SMSes that appeared to be from the bank, claiming there were issues with their bank accounts or credit cards.

These SMSes contained a link to a fraudulent website disguised as the bank's legitimate website, which requested bank account log-in credentials.

The scammer can then use those details to gain access to the customer's account and transfer money out of it.

OCBC said scammers often reroute the money through various accounts, making it difficult to track its movement and even harder to recover the cash.

3) Why do banks use SMS if it is insecure?

Banks commonly use SMS to notify customers of card transactions, fund transfers, ATM withdrawals, overdue charges and credit card activation, among other things. These messages sometimes include clickable links to product promotions. SMS is also used as a channel for two-factor authentication, where customers receive one-time passwords (OTPs).

In today's mobile-first era, SMS increases the speed of communication to customers and provides convenience for banks, since many processes can be automated.

SMS also ensures that customers still receive important alerts in the event that cellular data is unavailable, and is a format accessible to nearly all customers.

While it remains unclear if banks will scrap SMS use, the Monetary Authority of Singapore is working with the industry to explore additional measures such as lowering notification thresholds and enhancing fraud surveillance systems.

4) What should I do if I receive an SMS from a bank?

Never click on links provided in suspicious e-mails and SMSes. Always type the bank's URL directly into the address bar of a web browser or use its official mobile banking app.

When in doubt over the authenticity of any SMSes received, call your bank directly for verification. Even if the bank cannot be reached immediately, you do not need to respond to the SMS.

OCBC said it would never send customers an SMS to inform them of an account closure or that they have been locked out of their accounts temporarily.

The bank has also said it will no longer send SMSes with clickable links, so as to help customers identify fraudulent ones more easily.
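The signals in this section - a message under the bank's sender ID that carries a clickable link, points to a domain other than the bank's own, or claims the account has been locked or closed - can be turned into a simple triage check. The following Python script is an added illustration, not code from the article, OCBC or ScamShield; the sender ID "OCBC" comes from the article, while the official domain "bank.example" and the three sample messages are constructed placeholders.

```python
import re
from dataclasses import dataclass

# Assumptions for this illustration (not from the article):
#  - the bank's alphanumeric sender ID is "OCBC", as the article describes;
#  - the bank's legitimate web domain is the placeholder "bank.example";
#  - the message bodies in SAMPLES are constructed, not real SMSes.
BANK_SENDER_IDS = {"OCBC"}
OFFICIAL_DOMAINS = {"bank.example"}  # placeholder for the bank's published domain

URL_RE = re.compile(r"(?:https?://|www\.)\S+", re.IGNORECASE)
# Wording the article says the bank would never send by SMS (closure, lock-out),
# plus the "verify" pressure phrasing typical of the same style of message.
LOCKOUT_PHRASES = ("locked", "suspended", "closed", "closure", "verify your account")


@dataclass
class Sms:
    sender: str  # sender ID as shown on the handset, e.g. "OCBC" or a phone number
    body: str


def host_of(url: str) -> str:
    """Return the lower-cased host part of a URL found in an SMS body."""
    u = re.sub(r"^https?://", "", url.lower())
    return u.split("/")[0].split("?")[0].rstrip(".,;:!")


def is_official(host: str) -> bool:
    """True only for the bank's domain itself or a subdomain of it."""
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)


def suspicious_reasons(msg: Sms) -> list[str]:
    """Apply the article's rules to one message; an empty list means nothing was flagged."""
    reasons: list[str] = []
    if msg.sender.strip().upper() not in BANK_SENDER_IDS:
        return reasons  # only messages claiming to come from the bank are judged here
    urls = URL_RE.findall(msg.body)
    if urls:
        reasons.append("bank sender ID with a clickable link")
    for u in urls:
        host = host_of(u)
        if not is_official(host):
            reasons.append(f"link points outside the bank's official domain: {host}")
            # A host that merely contains the bank's name is a lookalike, not the bank.
            if any(d.split(".")[0] in host for d in OFFICIAL_DOMAINS):
                reasons.append(f"domain imitates the bank's name: {host}")
    lowered = msg.body.lower()
    if any(p in lowered for p in LOCKOUT_PHRASES):
        reasons.append("claims account lock-out or closure")
    return reasons


def is_suspicious(msg: Sms) -> bool:
    return bool(suspicious_reasons(msg))


def triage(messages: list[Sms]) -> list[tuple[Sms, list[str]]]:
    """Return only the flagged messages, each paired with the reasons it was flagged."""
    return [(m, suspicious_reasons(m)) for m in messages if is_suspicious(m)]


# Constructed sample messages: one spoofed alert, one genuine-style alert, one unrelated SMS.
SAMPLES = [
    Sms("OCBC", "Your account has been locked. Click http://bank-secure-login.example/verify to restore access."),
    Sms("OCBC", "A transaction of SGD 45.00 was made on your card ending 1234 on 17 Jan. "
                "If you did not make it, call the number on the back of your card."),
    Sms("+65 9123 4567", "Hi, still on for lunch? Map: www.maps.example/abc"),
]

if __name__ == "__main__":
    for m, why in triage(SAMPLES):
        print(f"[{m.sender}] {m.body[:60]}")
        for r in why:
            print("   -", r)
```

The check is deliberately conservative: it judges only messages that present the bank's sender ID, because that is the spoofing the article describes, and a genuine transaction alert with no link and no lock-out wording passes untouched. Any one reason is enough to treat the message as something to verify by calling the bank directly rather than acting on.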

5) What else can I do to ensure the security of my bank account?

iOS phone users can download the ScamShield app that blocks unsolicited messages and calls.

Stop using SMS OTPs for log-in authentication and transactions where possible; BT understands that availability of this option varies from bank to bank. Switch to digital tokens, which are more secure.

More importantly, do not divulge your banking log-in credentials or OTPs to anyone, or key such confidential information into unverified webpages. Do not transfer money to strangers. When in doubt, get advice from a family member or friend.
