As the recent OCBC phishing scam has shown, it only takes a careless click on a spoof Web link for a victim to risk losing his life savings.
Even as the bank has paid victims out of “goodwill” – well, more under public pressure – new scams have since emerged. Yesterday, the taxman in Singapore warned of SMS scams targeting folks here as the tax season kicks off.
As with OCBC, a bank or any organisation you transact with has a responsibility to put up strong anti-fraud measures. At the same time, consumers have a shared role in keeping out scammers.
For starters, never give your login details and SMS one-time passwords (OTPs) to anyone. With that in mind, here are five more things you can do to avoid being an easy victim:
1. Don’t click on unsolicited links
Don’t automatically trust any SMS, WhatsApp message or e-mail that comes in, even if it appears to be using your bank’s handle or name. That can easily be spoofed.
Avoid clicking on any link in these messages. If you do click on one, be very suspicious if it leads you to a site that requires you to key in your username and password, even if the site looks legit.
The exception, of course, is if you have asked to reset your password yourself. If you didn’t do that, please do not click on a link that comes through unsolicited. Yes, even those that say you have to log in because your account is about to be cancelled or if there has been a fraudulent transaction.
To be sure, always go to your Web browser and manually type in the website (like ocbc.com) and then key in your credentials. On the phone, you can use the app, which may require your fingerprint or face ID to log in.
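A link that shows a bank’s name is not the same as a link that goes to the bank. As an added illustration (not from the original article, and not code from OCBC or any bank), this small Python checker extracts the host a link would really connect to and compares it against a trusted domain; the sample links are constructed for this example, using ocbc.com (named in the article) and made-up `.example` hosts.

```python
from urllib.parse import urlsplit

# Domains the reader actually trusts. ocbc.com is the one named in the article;
# add your own bank's real domain here (assumption: you know it from an official source).
TRUSTED_DOMAINS = {"ocbc.com"}


def effective_host(url: str) -> str:
    """Return the host a browser would really connect to, lower-cased.

    urlsplit() handles the tricks scam links rely on: user@host prefixes, the
    trusted name buried in the path, and the trusted name used as a subdomain.
    """
    if "://" not in url:          # bare "ocbc.com.xyz" style links in SMS
        url = "https://" + url
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def is_trusted_link(url: str, trusted=TRUSTED_DOMAINS) -> bool:
    """True only if the host IS a trusted domain or a genuine subdomain of one."""
    host = effective_host(url)
    return any(host == d or host.endswith("." + d) for d in trusted)


# Constructed sample links for demonstration; none of these are real scam URLs.
SAMPLE_LINKS = [
    "https://www.ocbc.com/personal-banking",   # genuine subdomain of ocbc.com
    "https://ocbc.com.example/login",          # trusted name as a subdomain of a stranger
    "https://ocbc.com@login.example/",         # trusted name in the userinfo part
    "https://login.example/ocbc.com/",         # trusted name in the path
    "ocbc.com.verify.example",                 # no scheme, still not ocbc.com
]


def triage(urls):
    """Map each link to whether it really lands on a trusted domain."""
    return {u: is_trusted_link(u) for u in urls}


if __name__ == "__main__":
    for link, ok in triage(SAMPLE_LINKS).items():
        print(("trusted  " if ok else "SUSPECT  ") + link + "  ->  " + effective_host(link))
```

Only the first sample passes; the other four all display “ocbc.com” somewhere yet connect to a different host, which is exactly why typing the address yourself is safer than clicking.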
2. Minimise the use of SMS as a 2FA token
If you’re still using SMS messages as your two-factor authentication (2FA) token, it’s time to switch to a mobile app. It is more secure because it is not as easily intercepted as SMSes, which scammers have diverted to get around the security measures.
The mobile app can be used to authenticate transactions, for example, ones that involve large sums of money or transfers to accounts that were only recently added. It is also easier to use because there is no password to key in.
To be sure, you still need SMS sometimes, for example, with some merchants that still rely on an SMS one-time password (OTP) to approve a transaction. You may also need it to set up the mobile app itself, but once that’s done, you can still reduce the use of SMS OTPs as a way to approve transactions.
3. Keep your mobile phone secure
Since so much depends on your mobile app, it makes sense to ensure that it’s secure. It’s the root of trust, so you need to check that it’s updated all the time on your phone. Plus, download the app from an approved app store like Google Play or Apple App Store – not a third-party app store – to be safe.
Keeping your phone secure and updated is critical too. After all, what’s the use of all the security if you’re downloading unsafe apps or visiting malware-laden websites that open up a backdoor to your phone, enabling hackers to take over your mobile app and make transactions with it?
Of course, you can go back to using physical tokens, which Singapore banks now say they won’t phase out just yet, after previously forcing users to switch to a mobile app or SMS OTP as 2FA tokens. With a physical token, however, you need the key fob with you to make transactions.
4. Do not reuse passwords
This should be standard by now, but as recent cyber crimes have shown, many users still use weak passwords that include their birthdays, for example. Avoid passwords like these that a cyber attacker can easily guess.
Just as importantly, don’t reuse passwords for multiple sites. Passwords are stolen all the time from online service providers, from Yahoo to Redmart, and you can bet that hackers have scripts to automatically try using these same passwords on all of today’s popular services until they get lucky with some.
A trusted password manager, such as the one that comes with Google Chrome, can help with the headache of remembering so many different passwords. Of course, if you’re using that, make sure your Google account is secure! The analogue alternative is to jot the passwords all down on a notebook, and pray the ink doesn’t fade!
5. Be aware of ongoing threats
It’s safe to assume that some of your personal particulars are probably out there in the Dark Web, if you’ve ever used an e-mail service or social media network.
Given the vast amounts of personal data leaked all the time, hackers can create a profile of the victims they are targeting so the phishing or spam messages they send are more believable, for example.
This means consumers or users cannot simply say “my data is not worth stealing”, like what many did after 1.5 million people in Singapore had their personal data stolen in the SingHealth hack of 2018.
If you don’t want to be an easy victim of fraud, then it pays to pay attention to the alerts that the authorities regularly put out to warn of scams.
At the same time, keep up with scam tactics, which evolve all the time, so you won’t be caught unawares or panic and make a mistake. This is what many OCBC scam victims did, even though some of them were considerably IT-savvy.
After the awareness generated by that incident, which will cost OCBC S$13 million in “goodwill” payments, the expectation is for consumers to be more careful. Future victims may not get the same goodwill.