Commentary: CPF scam victims have limited recourse – that’s why cyber literacy is so crucial
Scammers will keep coming for our CPF savings or bank accounts. Making scams harder and riskier for criminals or developing ways to share losses aren’t a panacea, says Reed Smith lawyer Bryan Tan.
SINGAPORE: One wrong click can end up being a costly mistake, as some scam victims in Singapore have learnt. About S$8 million (US$6 million) was lost in more than 700 malware-related scams in the first half of 2023.
Eight cases involved national social security or Central Provident Fund (CPF) savings, with S$124,000 lost so far. One 62-year-old victim had over S$40,000 wiped out of his Ordinary Account and Special Account overnight, after trying to buy seafood online.
Victims were tricked into downloading apps that installed malware on their mobile devices, which allowed scammers to take full control of the phone, logging keystrokes and stealing credentials to make unauthorised transactions. In some cases, CPF savings were withdrawn and paid into a verified bank account, then transferred out using stolen banking credentials.
Considering CPF savings are an integral part of Singaporeans’ retirement nest egg, the scams have raised fresh questions about the recourse victims have to recover their losses.
NO LEGAL RECOURSE
The recent scams tend to bring back memories of the notable OCBC SMS phishing scams in December 2021, with a total of S$13.7 million lost. Several victims reported losing their life savings in a matter of minutes.
Victims had received spoofed SMSes appearing in the same conversation thread as real messages from the bank, which then redirected them to fake bank websites. The bank, out of goodwill, reimbursed the affected customers in full, even though it was arguably not at fault.
From a legal point of view, a user has no recourse to his financial service provider where he and only he was responsible for the chain of events.
Accordingly, scam victims have to bear responsibility for their losses if the perpetrators cannot be found, even as we empathise with the loss of their hard-earned savings. This reasoning applies to recent CPF cases too.
MAKING SCAMS HARDER AND RISKIER
One approach Singapore has taken is to make it more difficult for parties perpetrating cyber scams. To this end, the government passed several measures in the last year.
It passed legislation in May to make it easier to prosecute money mules who allow their bank accounts to be used for cyber scams and to go after those who share Singpass details to facilitate scams.
Earlier in July, the parliament also passed a new law - the Online Criminal Harms Act - to block content, stop communications and remove apps if there is suspicion these are being used to commit crimes.
After the OCBC incidents, banks were required by their regulator, the Monetary Authority of Singapore, to institute a raft of measures to better secure their online services, one of which was to phase out SMS One-Time Passwords as the sole authentication feature.
The CPF Board also moved quickly to require Singpass face verification for the vulnerable using online services.
Law enforcement has also been working with six banks to stop transactions even before a report is made. According to the police, the Anti-Scam Centre has also deployed Robotic Processing Automation technology to alert scam victims early.
SHARING RESPONSIBILITY FOR SCAM LOSSES
Still, there is the question of liability. In the works is a shared responsibility framework that envisages sharing the responsibility for losses arising out of cyber scams between customers, financial institutions and third parties such as telcos and service providers.
Work on this framework has been ongoing since early 2022, but the announcement of more concrete details has been repeatedly postponed. This is because the inclusion of third parties as an undefined and ever-expanding class beyond banks and telcos (as the CPF incidents illustrate) is always going to be tricky.
Should it also cover other similar institutions such as the Central Depository, mobile phone technology and social media platforms, dating sites, postal and courier services, or other parties whose shortcomings contribute to the leak of credentials?
Or when it comes to CPF funds and savings accounts, predominantly meant as retirement savings and possibly the last safety net for a segment of society, should there be a case for special treatment?
On Jul 4, the Ministry of Manpower said that insurance schemes were not part of the shared responsibility framework, hours after the Manpower Minister Tan See Leng suggested the government was considering insurance to protect CPF members.
One should note that the framework is expected to promote shared responsibility to avoid the moral hazard of users simply washing their hands of responsibility for their own actions. Internationally, this area is very much a work in progress.
In the United Kingdom, the Contingent Reimbursement Model has operated for the last four years as a voluntary code adopted mainly by the big banks to reimburse scam victims. Historically, it has paid about 50 per cent of the reported losses.
The United States is also studying this model while Australia is believed to be studying one similar to Singapore’s.
CYBER CRIMINALS DON’T STAND STILL
In the meantime, it is clear that cyber criminals are not standing still. They will continue to evolve, looking for new human weaknesses and technological vulnerabilities.
In some reported cases, cyber scams have been linked to human trafficking, with victims deceived into travelling to foreign locations; others have deployed deepfake voice and video technology to fool victims.
Where scammers will strike tomorrow is anyone's guess. Therefore, no single measure can be the panacea for this scourge.
Widespread education on the dangers of cyber scams must be one of the measures to foster cyber literacy among the general populace.
This is done with the aim of equipping the man in the street not just to adopt good technical solutions but also to be vigilant and cognisant of emerging and yet-to-emerge cyber threats.
Technical measures and providing compensation are like giving a man the proverbial fish and feeding him for a day. Teaching him to be cyber ready will protect him for a lifetime.
Bryan Tan is a Technology, Media and Telecom partner at Reed Smith and former president of the Singapore chapter of the Internet Society.