SINGAPORE – Mobile phone networks that don’t enforce security protocols will have to reimburse victims of certain phishing scams – a ruling that already applies to financial institutions.
The move will likely make Singapore the first jurisdiction to include telecommunication operators or other infrastructure service providers in a fraud reimbursement framework.
The Monetary Authority of Singapore (MAS) and Infocomm Media Development Authority (IMDA) said in a joint consultation paper out on Wednesday that placing “duties on responsible telcos” aims to reduce the risks of scam SMS being sent to consumers.
The move is part of a proposed “waterfall approach” that will assess responsibility, with retail banks such as Citibank, DBS, UOB and OCBC, and payment service providers like Grab that offer e-wallets first in line.
This is because they are custodians of consumer funds and so play a critical role as gatekeepers against money being misappropriated by scammers. They have the primary responsibility to implement robust controls to safeguard accounts and to effectively respond to suspicious transactions, the regulators said.
If they carry out these duties properly, they will not be required to reimburse phishing victims, particularly those who are duped into revealing their account credentials such as usernames and passwords to scammers impersonating legitimate entities such as government agencies or banks.
Consumers in such cases will then have to bear the full loss. They can take action by lodging a complaint at the Financial Industry Disputes Resolution Centre.
Telcos stand second in line as they are the infrastructure providers for SMS texts. Scammers have tried to impersonate financial institutions and other businesses using SMS messages that appear to be legitimate ones sent by banks, for example.
Not all phishing scams are covered in the new proposed framework.
Scams that will be covered include those where a fraudster pretends to be from a legitimate entity such as SingPost or DHL and sends emails or SMS claiming account-related issues to trick the victim into clicking a URL link to a fake website where he enters his account credentials.
They also include those where a scammer purports to be from a financial institution offering attractive deals like high interest rates on fixed deposits and free mobile phones to trick victims into clicking a URL link to a fake website to enter account credentials.
Scams where victims authorise payments to a fraudster, such as those arising from investment or love scams, are not covered.
Malware scams are not covered either. These usually involve scammers duping people into downloading and installing malicious Android apps, which give remote access to victims’ devices to obtain their Internet banking credentials or credit card details.
The new proposals would also require banks to impose a 12-hour cooling-off period to prevent large sums being transferred from an account to a third party if a scammer has phished a consumer’s credentials and activated a digital security token. They should also send notification alerts to consumers, and take preventive measures if the activity is unauthorised.