New anti-phishing measures kick in on Dec 16; banks, telcos to share liability for scam losses

SINGAPORE, Oct 26 – Banks such as DBS Bank, UOB, OCBC Bank and Citibank, and payment services providers that offer e-wallets, such as Grab, YouTrip and

Several banks and payment services providers will be the first to participate in a new framework that will determine who is responsible for covering losses incurred by phishing scams. The framework, which will be fully implemented on December 16, aims to establish clear duties for financial institutions and telcos in preventing and responding to phishing scams.

DBS Bank, UOB, OCBC Bank, Citibank, Grab, YouTrip, and Revolut will be among the first to join the framework, which was finalised on Thursday. The four telcos—Singtel, StarHub, M1, and Simba Telecom—will follow suit, The Straits Times reported.

If the duties outlined by the Monetary Authority of Singapore (MAS) and Infocomm Media Development Authority (IMDA) for financial institutions and telcos are fulfilled, victims will be expected to bear the cost of a scam.

Here's a summary of the duties for financial institutions and telcos that will come into force on December 16.

Financial institutions

12-hour cooling period: Financial institutions and banks are required to implement a 12-hour cooling period when a digital security token is activated – for example, when a user sets up an account on a new device. During the period, no high-risk activities can be performed, such as adding new payees or carrying out high-value transactions, to give customers more time to spot potential unusual activities on their accounts. The 12-hour cooling-off period also applies to logins to an e-wallet such as Grab on a new device.

Alert users to high-risk activities: Users should be immediately notified whenever a digital security token linked to their accounts is activated, and in the event of any high-risk activities like high-value transactions.

Notify users of outgoing transactions: Banks and financial institutions must alert customers to outgoing transactions through real-time notifications so customers can promptly report potential scams.

24-hour reporting channel and ‘kill’ switch: Users should always have access to a reporting channel, allowing them to reach the financial institution to block scammers from making any fraudulent transactions on their accounts. Customers should also have access to a “kill” switch that allows them to freeze their accounts and prevent further unauthorised transactions. The emergency feature was introduced in 2022 following a spate of phishing scams targeting OCBC customers, who lost a total of about S$13.7 million (RM45.03 million)

Set up real-time fraud surveillance: Financial institutions will be required to set up real-time fraud surveillance systems that block unauthorised transactions. Banks must be able to detect when a large sum of money – defined as a transaction involving above half of a balance in an account of at least S$50,000 (RM164,330) – is being transferred from an account, and either block the suspicious transaction until it is able to get the customer’s confirmation, or hold the transaction for at least 24 hours.

Telcos

Flag unauthorised aggregators: Customers should receive text messages displaying the name of the sender only if they come from authorised senders that are registered with IMDA’s SMS Sender ID Registry. Companies frequently send bulk text messages through aggregators, which act on behalf of a business. Texts received by users from unauthorised sources will be flagged as “likely scam”.

Block unauthorised sender IDs: Telcos are required to block messages from all unauthorised aggregators to prevent their customers from receiving sender ID SMSes from external channels, including unknown networks.

Anti-scam filters: Telcos are expected to set up anti-scam filters for all SMS messages that pass through their networks. The filters are designed to scan for messages containing URLs that match a database of malicious links that have been flagged.

The above is the detailed content of New anti-phishing measures kick in on Dec 16; banks, telcos to share liability for scam losses. For more information, please follow other related articles on the PHP Chinese website!