Big phish: How Asia's cyber scammers stay one step ahead of the banks

In Singapore, regulators and financial institutions have in recent days come up with new ways to shield residents from phishing attacks.

But the move came only after a series of high-level scams involving OCBC Bank users. In December alone, more than 450 of them fell prey to the attacks, amounting to at least $8.5 million in losses.

John Paul Tan was one of them. His wife, with whom he shares a joint bank account, had received a “strange message” from a number purporting to be the bank last month, informing her that someone was attempting to access her account.

She clicked on a link in the message and within hours, the couple had lost their life savings in five overseas transactions.

“I was distraught,” Tan wrote in a widely-shared Facebook post. “I sat down in the middle of the kitchen with my head in hands, going through various stages of grief.”

Tan and his wife’s experience was strikingly similar to those of other scam victims.

Typically, they would receive an SMS stating there was an issue requiring them to log in to their accounts. A link would take them to a website with the same interface as the bank’s landing page. When they keyed in their details, their savings would be wiped out.

Siti Raudhah Mohd Ali, another victim, said the SMS looked “very much like the other ones” that OCBC Bank had sent her, and the site was “authentic-looking”. She added, in a forum letter to Singapore broadsheet The Straits Times , that she had lost almost $100,000 in the space of a few minutes.

But she also raised one other problem: the bank was not prepared to deal with scams that were still unfolding. Other victims said they had been put on hold by bank operators and could only watch helplessly as their balances depleted.

“How can the blame be pinned entirely on me when OCBC’s scam prevention measures are poorly equipped to deal urgently with a case as it is happening?” Siti asked.

From Malaysia to India, via ‘Macau’

Phishing scams are not new in Singapore but they are getting more sophisticated and fake messages purporting to come from official institutions are getting ever harder to distinguish from the real thing.

The problem is occurring across Asia. In Hong Kong , scammers have laundered nearly HK$29 billion from over 10,000 victims through bank accounts and cryptocurrency wallets over the past 4.5 years.


Online banking, electronic payment services and cryptocurrency wallets have offered fraudsters more avenues to launder illegal funds, according to the police.

In Malaysia, the most common swindles are known as “Macau scams” in which fraudsters make threatening phone calls posing as police officers, tax agents, or central bank workers claiming that the victim is implicated in a criminal offence and is being investigated.

Malaysian police Commercial Crime Investigation Department chief Mohd Kamarudin Md Din said victims would be told to submit their online banking username or password and move their money into a new account controlled by the syndicate.

“Victims will be asked to open a new bank account and activate online banking facilities by registering the telephone number provided by the syndicate, before finding that the money in their account is depleted,” he said.

On New Year’s Eve, Malaysian news agency Bernama reported that a retired civil servant in Sarawak had lost more than 1.63 million ringgit (S$524,000) after receiving a call claiming she had a pending accident insurance claim.

“The victim was then transferred to an individual claiming to be a Sergeant Razif, who told her she was involved in money laundering from 2020 to 2021 and that an arrest warrant had been issued against her,” according to the report.

The “sergeant” offered to help the woman settle the case and instructed her to open two bank accounts to “facilitate” an investigation by the central bank. She was also instructed her to give her username and password

It was only two weeks later, after telling her brother about her experience, that she realised she had been scammed. By then, 1.63 million ringgit had been syphoned out of her account in 52 separate withdrawals.

It is not only senior citizens who fall victims to these scams.

On Dec 30, the Malaysian newspaper The Star reported that a 47-year-old bank officer had been scammed out of 105,000 ringgit by someone claiming to be from the central bank investigating fraudulent transactions on her credit card to purchase Bitcoins.

In 2021, 1,585 “Macau scams” – named after the Chinese SAR where the practice is reputed to have originated – were recorded involving losses amounting to more than 560 million ringgit. While 9,646 arrests were made that year, the scam is still common.

In India, “Krishnan”, a 74-year-old retired school principal, received an SMS last November saying his bank account would be closed unless he completed a “know-your-customer” document to verify his identity.

The link took him to a phishing website where the details he entered were used to cheat him out of 60,000 rupees (S$1,080).

“It looked so genuine and seemed so plausible that I had mistakenly left some information out earlier and they were just asking me to finish the process,” Krishnan said.

Krishnan’s story is all too common among the growing number of elderly people falling prey to phishing scams, but at least he personally is wiser now.

Last August, an email arrived from his best friend, who had flown to London to see his first grandchild in August. It asked for 200,000 rupees to cover a “dire” emergency.

This time, Krishnan smelled a rat. “I knew his email must have been hacked. He would never ask me for money,” he said.

Preying on the elderly

A survey of 5,000 senior citizens in New Delhi in 2017 by the Agewell Foundation revealed that 85 per cent were not digitally literate. Krishnan said he knew he needed to learn about technology but had no idea where to go, unaware that the foundation runs training courses for senior citizens.

The banking scam he fell prey to is among the most common. If anything, it has become more common since 2016, when the government’s overnight demonetisation drive – when 500 rupee and 1,000 rupee banknotes were withdrawn from circulation – forced many Indians to embrace digital banking.

One of the most popular payment apps is the government’s Unified Payments Interface or UPI. Last December, some US$111 billion surged through UPI in the course of around 4.5 billion transactions.

Police say Indians lose an average of US$25 million each month to cyber criminals.

“Senior citizens are being targeted by scammers primarily because they have been forced to adopt digital payments without being appropriately trained for this shift,” said Pavan Duggal, cybersecurity expert and Supreme Court lawyer.

Another common scam involves the fraudster telling a senior that they have won a contest or the lottery. To collect the money, all they need to do is transfer a “small” amount of money to an account and then their winnings will be transferred to them.

Duggal said the elderly often assumed that since UPI was a government payment system, it must be safe. So when they received messages saying “click to win cash back” or “scan QR code to receive payments”, they fell for it.

When asked how fast phishing is growing, Nandakishore Harikumar, CEO of T-Sanct Technologies in Kerala, laughed, saying it was “always rising, always” and that its growth was directly proportional to that of the digital industry.

He cited a figure from the National Crime Records Bureau showing an 11.8 per cent rise in cybercrime last year but insisted that the real figure was much higher because the statistic was based only on crimes that are reported.

“In India many cyber crimes go unreported due to lack of clarity on what exactly needs to be done once a crime occurs. For example, if someone lost money due to a banking fraud it’s not clear what action needs to be taken other than reporting to the bank,” Harikumar said.

Cyber criminals are always one step ahead. All banks can do is try to catch up. By the time they have detected one scam, the scammers have long since moved on to another one.

“Every time systems are built to protect against a particular scam, another pops up. Every time a phone number or bank account is identified as dubious, scammers quickly move on to another,” said Arundhati Ramanathan, staff writer at The Ken , a business website.

In Malaysia, the number of reported cases of online scams has been rising from 2,512 cases involving loses of 30 million ringgit in 2019 to 8,992 cases involving losses of 58 million ringgit in 2021.

A report by security company Sophos last year found a correlation between the move to working from home during the pandemic and a rise in phishing attempts.

“One of the reasons for [phishing’s] success is its ability to continuously evolve and diversify, tailoring attacks to topical issues or concerns, such as the pandemic, and playing on human emotions and trust,” explained Sophos’ principal research scientist, Chester Wisniewski.

The report said phishing emails had increased by 65 per cent in 2020 amid the worldwide Covid-19 pandemic. Many of these emails were “falsely claiming to be from a legitimate organisation, usually combined with a threat or request for information.”

Weakest links

Singapore’s OCBC Bank has assured customers that it would make “full goodwill payouts” to those affected but a broader debate is now taking place over whether Singapore regulators are doing enough. Should banks take more responsibility, in a country where more people are going online? Currently banks are not obliged to make any restitution in cases where it is not their IT system that has been compromised.

The country’s central bank, the Monetary Authority of Singapore (MAS), announced last week a set of added measures to strengthen digital banking security while reminding people that “customer vigilance is paramount”.

For example, banks will have to remove clickable links in SMSes or emails sent to retail customers within the next two weeks. Other measures include a delay of at least 12 hours before the activation of a new soft token on a mobile device as well as having dedicated teams to deal with feedback on potential fraud cases.

These measures, the central bank said in a joint statement with the Association of Banks in Singapore, would lengthen the time taken for certain online banking transactions and provide an added layer of security to protect customers’ funds.

“The growing threat of online phishing scams calls for immediate steps to strengthen controls, while longer-term preventive measures are being evaluated for implementation in the coming months,” it said.

While customers should bear some responsibility, banks should reduce the risk of customers being exploited by scammers, suggested Lawrence Loh, professor of business at the National University of Singapore.

He said relying on SMS to perform authentication was the “weakest link” in online banking transactions, and it was the root of the recent spate of OCBC scams.

“Customers are now so used to receiving a bank SMS that they will trust any of them, including fake ones with spoofed headers that appear genuine,” he said. “Using SMS in banking is probably the elephant in the room that could have been dealt with earlier.”

Banks could explore using more secured means of authentication such as authenticator apps that have better security features and are used for cryptocurrencies.

Beyond financial institutions and regulators, firms in the technology and communications sector should also take a frontline role, said Loh, who is also director of the business school’s Centre for Governance and Sustainability.

Some observers have called for closer scrutiny of telecommunication companies to prevent scammers from masking their numbers to make it look as if they are calling from an official entity.

Foong Cheng Leong from Malaysia’s Bar Council Cyberlaw Committee said banks could establish a direct and dedicated hotline for victims to reverse, hold transfers or assist them to trace the identities of the perpetrators.

However, it is often too late by the time victims realise they have been scammed.

“Money transferred to a local bank account is usually quickly sent on to other bank accounts. Even a slight delay results in the transferred money becoming untraceable,” Foong said.

He said there were local laws to deal with these type of scams but the problem was enforcement.


“The scams are generally done by way of social engineering, mostly by way of impersonation. Victims usually part with their money voluntarily, thinking that they are transferring it to the right person or for the right purpose,” he said.

Some bank customers argue that the banks have a duty not to execute their orders if there are reasonable grounds to suspect fraudulent activity. Banks argue it is up to the customer to verify the details of who they are transferring money to.

And while some banks are becoming more proactive in sending alerts and warnings about phishing activity, cybercriminals are also finding new ways to dupe their victims.

Cybersecurity expert Duggal said some elderly people were so thrilled at being vaccinated, they shared their certificate with friends and family online. Criminals could make use of this information over a phone call to help them sound genuine.

In an article in The Ken , Ramanathan said scammers posing as health officials had called senior citizens to “book” their booster shot. The “official” would ask for the details of their first vaccinations, along with their address, mobile number and other details. Usually, they already had the person’s bank details.

“If they don’t, they may ask for the bank details and OTP [one-time password] to make the payment and book the slot for the booster shot online. The OTP is used to transfer money from the victim’s bank accounts either via UPI or internet banking,” wrote Ramanathan.

Apar Gupta, a lawyer and the executive director of Internet Freedom Foundation, said banks could do more to protect the elderly. For example, even in cases where victims volunteered their OTP the scammers would have needed to have got other details about their accounts through a data breach at the bank.

“Banks need to conduct regular cyber audits to assess how their technical systems for authentication are working. We also need more transparency because banks are loathe to publicise their data breaches for fear of negative publicity and that means information is not being shared,” Gupta said.

After recovering from the shock of his loss, Krishnan has asked his son to find someone to train him to be safe. But he remains anxious.

Said Krishnan: “Even if I learn a few tools, as I get older, my vision and hearing might deteriorate and I might be even more likely to misunderstand.”

This article was first published in South China Morning Post.


This website uses cookies. By continuing to use this site, you accept our use of cookies.